Upload
gangseok-lee
View
650
Download
3
Embed Size (px)
DESCRIPTION
2012 CodeEngn Conference 06 데프콘은 매년 라스베이거스에서 열리는 세계적으로 가장 권위 있는 보안 컨퍼런스 중 하나로 CTF 대회를 진행하고 있다. 데프콘 컨퍼런스에서 발표를 한다거나, CTF 본선 대회에 진출하는 것이 “해커들의 꿈” 이라는 말이 오고 갈 정도로 권위 있는 대회라고 할 수 있다. 때문에, 전 세계의 실력 있는 보안 그룹들이 이 CTF 대회의 본선 티켓을 두고 매년 경쟁을 하고 있으며, 올해에도 어김없이 데프콘 CTF를 위한 예선전이 진행되었고 세계적으로 유명한 해킹 그룹들이 참가하였다. 2012년 데프콘 CTF 예선에 출제된 여러 흥미로운 문제들을 풀이해보고, 필자의 본선 경험을 토대로 데프콘 CTF 대회의 전체적인 흐름과 운영 방식 그리고 전략 등에 대하여 설명한다. http://codeengn.com/conference/06
Citation preview
박 병진 (Posquit0) | B10S / POSTECH CSE | 2012.07
Defcon 20th :The way to go to Las Vegas
http://hackcreative.org
www.CodeEngn.comCodeEngn ReverseEngineering Conference
1-1 Who
1-2 What
1 WTF is Defcon?
2 For Las Vegas
2-1 Criteria
2-2 How About This Year?
2-3 No Money?
3 Interesting Problems
3-1 So Easiness
3-2 So Bombness
3-3 So Funniness
3-4 So Mathness
3-5 So Puzzlingness
4 In Las Vegas
4-1 Waiting For You
4-2 Capture The Flag
4-3 Advanced Tips
4-4 Conclusions
목차
WTF is Defcon? :Who
Jeff Moss (The Dark Tangent)
WTF is Defcon?
Who
The founder of the Black Hat and Defcon computer hacker conferences
Show me the money, bro ...
WTF is Defcon? :What
Defcon
WTF is Defcon?
What
One of the world’s largest annual computer hacker conventions
The dream of many hackers
Every year in Las Vegas, Nevada
I love girl, casino and Las Vegas !!
Defcon CTF (Capture The Flag)
WTF is Defcon?
What
The best known contest among several Defcon Contests.
CTP(Capture The Packet), Open CTF, and etc...
The most prestigious network attack and defense competition in the world
To be best of best !!
For Las Vegas :Criteria
If you want to participate in CTF
For Las Vegas
Criteria
+ =
Last Winners
For Las Vegas
Criteria
1 The returning winners from last Defcon CTF
It is the hardest way, but I want to do this way... And you?
History of Capture the Flag
Winners
• DDTEK: 2009 - Present
• KENSHOTO: 2005 – 2008
• GHETTO HACKERS: 2002 - 2004
Organizers
DC Winner OS N (Teams)
16 Sk3wl0fr00t FreeBSD 8 Teams
17 Vedagodz FreeBSD 10 Teams
18 ACME Pharm FreeBSD + Debian 10 Teams
19 The European Nopsled Team FreeBSD 12 Teams
20 WOWHACKER-PLUS or KAIST GoN!?? ????? 20 Teams
The Other Winners
For Las Vegas
Criteria
8 Winning teams from other CTF events (in DC 20)
May be, it is also good way :D
Other CTF Contests (be qualified in DC 20)
• UCSB iCTF 2011
• CodeGate 2012
• NCCDC
• Hack In The Box 2012 Amsterdam
• Positive Hack Days 2012
• Nuit Du Hack 2012 CTF
• Defcon 19 Open CTF
• RuCTF 2011
Qualification
For Las Vegas
Criteria
10 teams pre-qualify online
It is normal and best way.
For 48 hours. No limit the number of team members.
Making union with another team may possibly be good choice :-)
Qualification (in DC 20)
For Las Vegas
Criteria
Fields
• Grab bag – Web, Network, Programming and etc.
• /urandom – Trivial, Crypto, Algorithm and etc.
• binary l33tness – Reverse Engineering
• Pwnables – Remote Exploits
• Forensics – Digital Forensics
Solved
Not Solved
Not Solved (Any teams)
Solving
Not Opened
Total Score
• 1500 * 5 = 7500 pts
For Las Vegas :How About This Year?
Last Winners
For Las Vegas
How AboutThis Year? Defcon 19th CTF Winner - European Nopsled Team
Oh, handsome guys :D
The Other Winners
For Las Vegas
How AboutThis Year?
Years Contests Winner
2011 UCSB iCTF We_0wn_You
2012 CodeGate KAIST GoN
2012 NCCDC Team Hillarious
2012 Hack In The Box Amsterdam SiBears
2012 Positive Hack Days More Smoked Leet Chicken
2012 Nuit Du Hack HackerDom
2011 Defcon 19 Open CTF Team Vand
2011 RuCTF 0ldEur0pe
Qualification
For Las Vegas
How AboutThis Year?
9%
9%
9%
9%8%
8%
8%
8%
8%
8% 8%
8% Hates Irony
PPP
侍
sutegoma2
Shellphish
TwoSixNine
European Nopsled Team
More Smoked Leet
Chicken
4%5%
6%
14%
20%19%
32%
More than 4000 pts 3000 ~ 3900 pts
2000 ~ 2900 pts 1000 ~ 1900 pts
500 ~ 900 pts 200 ~ 400 pts
100 pts
Total 303 Teams
Qualification
For Las Vegas
How AboutThis Year?
Rank Team Score
1 Hates Irony 4900 Qualified!
2 PPP 4800 Qualified!
3 侍 4400 Qualified!
4 sutegoma2 4400 Qualified!
5 Shellphish 4400 Qualified!
6 TwoSixNine 4400 Qualified!
7 European Nopsled Team 4200 DC 19 Winner!
8 More Smoked Leet Chicken 4100 Positive Hack Days Winner!
9 Our name sucks 4100 Qualified!
10 ACME Pharm 4100 Qualified!
11 WOWHACKER-PLUS 4100 Qualified!
12 Routards 3900 Qualified!
Only one team is Korean – WOWHACKER-PLUS
Come back as Defcon 20th CTF Winner :D
For Las Vegas :No Money?
Defcon CTF Prizes
For Las Vegas
No Money?
No prizes, only honor !
It’s so cool contest :D
Defcon CTF Support
Only support two hotel room for 4 days, not airfares :-(
Not good...
Airfares, Hotel bills and etc ...
For Las Vegas
No Money?
If you are qualified, don’t worry about money :D
May be, it is also good way :D
Sponsors
There are many Security Vendors
They will be your sponsor!
Interesting Problems :So Easiness
Grab Bag 100
Introduction
• Hack the planet_
• It’s so trivial :D
How to solve?
What is last character?
Interesting Problems
So Easiness
Auth Key
Interesting Problems
So Easiness
Interesting Problems :So Bombness
Binary l33tness 200
Introduction
• Running on 140.197.217.155:18703
• ELF 32-bit LSB executable for FreeBSD 9.0, stripped
• Username : grease
• Hash Collision challenge
Interesting Problems
So Bombness
How to solve – I. Binary Patch
Interesting Problems
So Bombness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
Before the patch
How to solve – I. Binary Patch
Interesting Problems
So Bombness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
After
How to solve – II. Code Analyze (1)
Interesting Problems
So Bombness
Recv Passcode 4 Times
How to solve – II. Code Analyze (2)
Interesting Problems
So Bombness
Get Input Size & Two Input
How to solve – II. Code Analyze (3)
Interesting Problems
So Bombness
If has collision, success :D
How to solve – III. Approach (1)
Interesting Problems
So Bombness
Is it a known Hash Algorithm?
Then, it’s so easy :D
How to solve – III. Approach (2)
Interesting Problems
So Bombness
Enter to Hash Function
Unknown table :D
How to solve – III. Approach (3)
Interesting Problems
So Bombness
Google is GOD :D
Found !!
The Tangle Hash Function !!
How to solve – III. Approach (4)
Interesting Problems
So Bombness
<Untangled> DTU Mathematics, Technical University of Denmark
Tangle Hash Collision
Collision!!
How to solve – IV. Attack (1)
Interesting Problems
So Bombness
I used Python :D
Lovely Python !!
4 Passcode forentering Main-routine
How to solve – IV. Attack (2)
Interesting Problems
So Bombness
I used Python :D
Lovely Python !!
Length: 40Tangle Hash Collision :D
How to solve – V. Result
Interesting Problems
So Bombness
Go! Go! Go!
My Precious :D
Auth Key
Interesting Problems
So Bombness
The key is 437f085141d357c5d28850d5119aacb5
Interesting Problems :So Funniness
/Urandom 100
Introduction
• How many developers;) did it take to secure Windows 8?
Interesting Problems
So Funniness
How to solve
Interesting Problems
So Funniness
Brute force attack!
I know, you did it, haha.
How to solve
Interesting Problems
So Funniness
Brute force attack!
I know, you did it, haha
Steve Ballmer in Techno Developers!
Omg, is it True !?
How to solve
Interesting Problems
So Funniness
Brute force attack!
I know, you did it, haha
Steve Ballmer in Techno Developers!
Omg, is it True !?
Auth Key
Interesting Problems :So Mathness
Binary l33tness 400
Introduction
• No takebacks! Running on 140.197.217.239:11553
• ELF 64-bit LSB executable for FreeBSD 9.0, stripped
• Username : takeback
• Personally, the most interesting challenge
Interesting Problems
So Mathness
How to solve – I. Binary Patch
Interesting Problems
So Mathness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
Before the patch
How to solve – I. Binary Patch
Interesting Problems
So Mathness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
After
How to solve – II. Code Analyze (1)
Interesting Problems
So Mathness
Recv Passcode 4 Times
I referenced SapHeads’s pseudo code :D
How to solve – II. Code Analyze (2)
Interesting Problems
So Mathness
Get Count for Big Loop
How to solve – II. Code Analyze (3)
Interesting Problems
So Mathness
Important Big Loop
How to solve – II. Code Analyze (4)
Interesting Problems
So Mathness
Small Loop
How to solve – II. Code Analyze (5)
Interesting Problems
So Mathness
If you success
How to solve – III. Approach (1)
Interesting Problems
So Mathness
How to satisfy the following conditions?
r14 is 64-bit register :D
How to solve – III. Approach (1)
Interesting Problems
So Mathness
r14 register must be 0xFFFFFFFFFFFFFFFF
All of the bits must be switched on.
How to solve – III. Approach (2)
Interesting Problems
So Mathness
How to set bits of the r14 register to 1?
One looping makes one of the bits to be 1
How to solve – III. Approach (3)
Interesting Problems
So Mathness
Count for Big Loop must be at least 64 :D
Pick 64 !!
How to solve – III. Approach (4)
Interesting Problems
So Mathness
We have two restrictions :-(
How can traversal all of the bits?
1st restriction:Offset
How to solve – III. Approach (4)
Interesting Problems
So Mathness
We have two restrictions :-(
How can traversal all of the bits?
2nd restriction:modulo 8
How to solve – III. Approach (5)
Interesting Problems
So Mathness
Shift is signed int type !!
Very G00D :D
How to solve – III. Approach (6)
Interesting Problems
So Mathness
What happen if shift is negative ?
Bye~ modulo 8 :D
Negative % 8 = Negative
How to solve – III. Approach (6)
Interesting Problems
So Mathness
What happen if shift is negative ?
Bye~ modulo 8 :D
We can freely pick some offsets:-15, -6, +10, +17
How to solve – III. Approach (7)
Interesting Problems
So Mathness
How to select a sequence of numbers?
Think mathematically :D
GCD(-15, 64)= GCD(+17, 64)= 1= generators of additive modulo 64
{X + [n*(-15) or n*(+17)]} mod 64can generate[0 .. 63]
How to solve – IV. Attack (1)
Interesting Problems
So Mathness
I used Python :D
Lovely Python !!
4 Passcode forentering Main-routine
How to solve – IV. Attack (2)
Interesting Problems
So Mathness
I used Python :D
Lovely Python !!
My Choice: -15
How to solve – V. Result
Interesting Problems
So Mathness
Go! Go! Go!
My Precious :D
Auth Key
Interesting Problems
So Mathness
The key is 59e22b484b703801c019d4da0f7a3316
Interesting Problems :So Puzzlingness
Grab Bag 300
Introduction
• This is semi-real. :-(
• 140.197.217.85:10435
• Password: 5fd78efc6620f6
Interesting Problems
So Puzzlingness
How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
How to solve – II. Approach
Interesting Problems
So Puzzlingness
Only 3 steps :D
Try it !!
Parsing
Number Table
Get
PIN Numbers
Calculate
Positions
How to solve – III. Attack (Demo)
Interesting Problems
So Puzzlingness
Auth Key
Interesting Problems
So Puzzlingness
The key is $9238740982570237012935.32
In Las Vegas :Waiting For You
Las Vegas
In Las Vegas
Waiting For You
Welcome to Las Vegas!
A beautiful city :D
Casino
In Las Vegas
Waiting For You
Have you ever been to Casino?
Do not become addicted :(
Girls
In Las Vegas
Waiting For You
Anywhere you can see sexy girls
If you have girl friend, avoid it :D
In Las Vegas :Capture The Flag
Defcon CTF (Capture The Flag)
In Las Vegas
Capture The Flag
This year, the 20 top qualifying teams are pitted against each other in an all out digital war
Last year, only 12 teams
Attack and defend custom services provided to each teams
It’s important
The Winning team will receive coveted Defcon Black Badges.
Hmm... Give me badge! lol
CTF Blueprint
In Las Vegas
Capture The Flag
Gateway
Team 2Server
Team 1Server
Team 3Server
AuthServer
Team 3
Team 2
Team 1
Defcon CTF Director & USB
In Las Vegas
Capture The Flag
Director provide USB for CTF
• root password
• Home Folder (vulnerable daemons)
• key, cert File for authentication
• readme
Defcon CTF Disposition
In Las Vegas
Capture The Flag
• Contest Room
• Lounge or Anywhere
Contest Room
Lounge or Anywhere
Defcon CTF Disposition
In Las Vegas
Capture The Flag
Contest Room
8 People
Lounge or Anywhere
• Contest Room – 8 Members
• Lounge or Anywhere – No limits :D
Defcon CTF Attack
In Las Vegas
Capture The Flag
Read Key
Steal information
Overwrite Key
Corrupt information
Keys are periodically updated by the contest organizers
Continue to attack
Defcon CTF Attack – Read Key
In Las Vegas
Capture The Flag
Read Other team’s ‘~/key’ file and auth it
Steal information
Team 1
Attacker
Team 2
Vulnerable Daemon
Auth
Server
Period : 600sPeriod : 600s
Defcon CTF Attack – Overwrite Key
In Las Vegas
Capture The Flag
Overwrite Other team’s ‘~/key’ file
Corrupt information
Team 1
Attacker
Team 2
Vulnerable DaemonPeriod : 600sPeriod : 600s
Au
thTeam
1 K
ey
?A
uth
Team
1 K
ey
?
Auth
Server
I don’t know correctly :-(I don’t know correctly :-(
Defcon CTF Attack – Auth
In Las Vegas
Capture The Flag
How to auth?
• Using SSL (Secure Socket Layer)
• Files in USB for SSL
• server.cert
• team_X_key
• team_X_key.cert
Defcon CTF Attack – Auth
In Las Vegas
Capture The Flag
Defcon CTF Attack – Auth
In Las Vegas
Capture The Flag
Defcon CTF Defend
In Las Vegas
Capture The Flag
Patch daemon’s vulnerability
Don’t touch daemon’s service
Fix ‘/bin/’ permission
Prevent remote shell
Defcon CTF Defend – Binary Patch
In Las Vegas
Capture The Flag
Use Hex Editors, or etc.
010 Editors, WinHex, IDA, Radare2, etc.
Radare2 is Disassembler, Hex Editor, Dubugger, etc.
Posted on Phrack :D
Defcon CTF Defend – Binary Patch with Radare2 (1)
In Las Vegas
Capture The Flag
Open binary file with ‘-w’ option
‘-w’ : write mode
Defcon CTF Defend – Binary Patch with Radare2 (2)
In Las Vegas
Capture The Flag
Set address for edit
s : set address
Defcon CTF Defend – Binary Patch with Radare2 (3)
In Las Vegas
Capture The Flag
Analyze Function & Print Disassembled Function
af : Analyze function
pdf: Print disassembled function
Defcon CTF Defend – Binary Patch with Radare2 (4)
In Las Vegas
Capture The Flag
Enter to Visual Mode -> Look like VIM Editor
V : Visual Mode
h, j, k, l : Scroll key
Defcon CTF Defend – Binary Patch with Radare2 (5)
In Las Vegas
Capture The Flag
Change Disassemble Mode : input ‘p’ for changing View-mode
p : Change view mode
Defcon CTF Defend – Binary Patch with Radare2 (6)
In Las Vegas
Capture The Flag
Search a position for patch using cursor : input ‘c’ for enabling cusror
c : Enable cursor
Defcon CTF Defend – Binary Patch with Radare2 (7)
In Las Vegas
Capture The Flag
Edit Code : input ‘w’ for hex or ‘a’ for assembled opcode
w : Change code with hex value
a : Change code with assembled opcode
Defcon CTF Defend – Binary Patch with Radare2 (8)
In Las Vegas
Capture The Flag
Patched :D
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
• Each daemon has 100 points
• For a given attacker, V – victim, S – service,
The attacker’s partial score for the service =
their percentage (0-100) of all keys stolen from V via service S
• Overwrite is also same
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 10 times 10 pts
Team3 40 times 40 pts
Team4 20 times 20 pts
Team5 30 times 30 pts
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 2 times 100 pts
Team3 0 times 0 pts
Team4 0 times 0 pts
Team5 0 times 0 pts
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 3 times 75 pts
Team3 1 times 25 pts
Team4 0 times 0 pts
Team5 0 times 0 pts
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Atta
ckA
ttack
Team Auth Score
Team1 1 times for each 1900 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Atta
ckA
ttack
Team Auth Score
Team1 1 times for each 3800 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
Read & Overwrite
Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Atta
ckA
ttack
Team Auth Score
Team1 1 times for each 3800 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
Read & Overwrite
Defcon CTF Scoring
In Las Vegas
Capture The Flag
+ =
Total Score
• Sum(Steals Score + Defaces Score) * SLA
• SLA - Service Level Availability
• SLA = Average number of daemons running (cumulative)
= Sum(number of daemons running) / Sum(number of daemons)
Defcon CTF Scoring
In Las Vegas
Capture The Flag
VIP (Very Important Points)
• Breakthrough
• SLA (Service Level Availability) –No Shutdown !
In Las Vegas :Advanced Tips
Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server(running
daemons)
Team Server(running
daemons)
Laptop formasquerading
Laptop formasquerading
GatewayGateway
Laptop forServer
Laptop forServer
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server(running
daemons)
Team Server(running
daemons)
Laptop formasquerading
Laptop formasquerading
GatewayGateway
Laptop forServer
Laptop forServer
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Route for AttackConnected toother teams
Connected toother teams
Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server(running
daemons)
Team Server(running
daemons)
Laptop formasquerading
Laptop formasquerading
GatewayGateway
Laptop forServer
Laptop forServer
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Route for DefendConnected toother teams
Connected toother teams
Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server(running
daemons)
Team Server(running
daemons)
Laptop formasquerading
Laptop formasquerading
GatewayGateway
Laptop forServer
Laptop forServer
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Connected toother teams
Connected toother teams
Masquerading (Packet capture)Routing (Use both Internet & Intranet)Masquerading (Packet capture)Routing (Use both Internet & Intranet)
VM Server (FreeBSD)Web Server (Share Information)IRC Server (Chat with members)VPN Server (For other members)
VM Server (FreeBSD)Web Server (Share Information)IRC Server (Chat with members)VPN Server (For other members)
Wireless InternetWireless Internet
Masquerading (Packet Capture)
In Las Vegas
Advanced Tips
Capture the incoming attack packet of the other team
Repeat the other team’s payload against enemy
Capture the outgoing packet that includes key
Modify key in the packet or Drop the packet
Team Server(running
daemons)
Team Server(running
daemons)
Laptop formasquerading
Laptop formasquerading
GatewayGateway
Capturing Packet
Disposition for Efficiency
In Las Vegas
Advanced Tips
Server Manager (1), Network Manager (2), Global Hogu Finder (1),
Exploit Manager (1), Reverser & Exploiter (∞)
Global Hogu Finder is very very important :D
Contest Room
Lounge or Anywhere
Position N
Server Manager 1
Network Manager 2
Global Hogu Finder 1
Reverser & Exploiter 3
Exploit Manager 1
Total 8
Position N
Reverser & Exploiter ∞
Total ∞
Positions – Server Manager
In Las Vegas
Advanced Tips
Team Server is only managed by Server Manager
Important position :D
Test daemon’s services
For high SLA (Service Level Availability)
Manage Daemon’s version
Change daemon, set version
Ex. tomato -> tomato.1
Positions – Network Manager
In Las Vegas
Advanced Tips
Capture & Filter incoming packets Team, Share to other members
Very Important :D
Drop or Modify outgoing packet that contains key
Depend !
Manage Web Server, IRC Server, VPN Server, Masquerading Server
Once in a while, Check Server Log
Positions – Global Hogu Finder
In Las Vegas
Advanced Tips
Social Hacking the other team’s member ?
If you can :D
Analyze the other team’s server environments
Hacking other team’s server or labtop
Brute Forcing or Guessing Password for the other team’s daemon server
Get root, then you can read all of the keys.
Positions – Exploit Manager
In Las Vegas
Advanced Tips
Manage exploit codes from other members
Is it works correctly?
Modify exploit codes on the other team’s situations
Different from all the team's defense
Authenticate to Auth-Server
Get Points :D
Positions – Reverser & Exploiter
In Las Vegas
Advanced Tips
Find Vulnerabilities in Daemons
Mostly, BOF or FSB vulnerabilities :D
Patch Vulnerability & Give to Server Manager
As soon as possible
Analyze the other team’s packet and Get their payload
Lovely :D
Programming Exploit Code & Give to Exploit Manager
Pwn! Pwn! Pwn! HolyPwner !
Shellcode
In Las Vegas
Advanced Tips
Reverse Shellcode
Fork process
Open Socket & Connect to listening server
dup2 about stdin, stdout and stderr
execve ‘/bin/sh’
Read Key Shellcode
Open the key file
Read the key
Write the key to socket
Write Key Shellcode
Open the key file
Write auth key to key file
Read & Write Key Shellcode
Open the key file
Read the key
Write auth key to key file
Write the key to socket
Shellcode – Read Key Shellcode
In Las Vegas
Advanced Tips
Read Key Shellcode Example
Should be made shellcode to suit the situation
Shellcode
In Las Vegas
Advanced Tips
If enemy do masquerading
OMG ...?
EnemyEnemyLaptop for
masqueradingLaptop for
masquerading
GatewayGateway
Drop or Modify Packet
My TeamMy Team
Shellcode
In Las Vegas
Advanced Tips
How to avoid Masquerading?
• Shellcode Encryption
• Packing
• Obfuscating
• …
• Key Encryption
• XOR (Very easy and convenient)
• ROT
• …
Shellcode – Read XOR Key Shell Code
In Las Vegas
Advanced Tips
XOR Key Encryption Shellcode Example
Also, should be XOR operation on the server side
Shellcode
In Las Vegas
Advanced Tips
How to avoid Repeating my payload?
• Read Key using UDP Shellcode
• Staged loading Shellcode
• …
Shellcode – Staged Loading Shellcode
In Las Vegas
Advanced Tips
Why use Multi-Stage Loading Shellcode?
• Small buffer for Shellcode
• Avoid Masquerading
• Avoid repeating payload
• Excute Binary File using binary loader
• …
Shellcode – Staged Loading Shellcode (1)
In Las Vegas
Advanced Tips
Stage 1 – minimum shellcode for connection
• must be small
• free of NULLs
• new connection and read additional data
• jumps to the data and execute it
Vulnerable
Daemon
Payload LoaderPayload Loader
Attacker
Shellcode – Staged Loading Shellcode (1)
In Las Vegas
Advanced Tips
Stage 2 – Payload to execute
• Other Shellcodes
• Read Key Shellcode
• Reverse Connection Shellcode
• ...
Vulnerable
Daemon
Payload LoaderPayload Loader
AttackerNew Connection
&Read Payload
New Connection&
Read Payload
PayloadPayload
Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 1 – minimum shellcode for connection
• must be small
• free of NULLs
• new connection and read additional data
• jumps to the data and execute it
Vulnerable
DaemonAttacker
Payload LoaderPayload Loader
Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 2 – Binary Loader for executing binary
Vulnerable
DaemonAttacker
Payload LoaderPayload Loader
New Connection&
Read Payload
New Connection&
Read Payload
Binary LoaderBinary Loader
Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 3 – Executable Binary for executing on Binary Loader
Vulnerable
Daemon
Payload LoaderPayload Loader
Attacker
New Connection&
Read Payload
New Connection&
Read Payload
Binary LoaderBinary Loader
Read DataRead Data
Executable BinaryExecutable Binary
Shellcode
In Las Vegas
Advanced Tips
Shellcode Generator
In Las Vegas :Conclusions
Look at the big picture :D
There are many things to cheat other teams
Attack is not only way to be winner
In Las Vegas
Conclusions
I wanna see the result below :D !!!
Participate Defcon CTF Qualification, and Go to Las Vegas !!
In Las Vegas
Conclusions
Rank Team Score
1 KimchiMan 7900 Qualified!
2 Since1999 7800 Qualified!
3 Unji 7400 Qualified!
4 Little H4ma 7400 Qualified!
5 Phantom: Secret between 0 and 1 7400 Qualified!
6 Be5t of B3st 7400 Qualified!
7 SW M4e5tro 7200 Qualified!
8 H4nGukSaRam 7100 Qualified!
9 H4des 7100 Qualified!
10 RolyPoly 7100 Qualified!
http://phrack.org/issues.html?issue=66&id=14#article
Binary Mangling with Radare by pancake
Defcon 101 by ramses@PLUS
:D
참고자료
SapHeads’s Write-up for Binary 400
http://x-n2o.com/bin400-dc20
Multi-Stage loading Shellcode by Jarkko Turkulainen
http://www.klake.org/~jt/mstage/
If you have questions, contact me :[email protected]
Thank you for listening.
www.CodeEngn.comCodeEngn ReverseEngineering Conference