Zn task - defcon russia 20
Page 1
Task "Infected terminal", ZeroNights E.0x04 Hackquest
Roman Bazhin (@nezlooy), George Nosenko (@intROPy), Peter Kamensky (@Python0x0)
Page 2: #whoami
Roman Bazhin: Security researcher at Digital Security; Ethical gop-stopper
George Nosenko: Security researcher at Digital Security; Pwnie Awards nominee
Peter Kamensky: Security researcher at Digital Security
© 2002—2014, Digital Security
Page 3: Legend and EULA
On one of Moscow's PoS terminals a sample of malware belonging to some functioning botnet was found...
Warning: Run this file only under a virtual machine. And it's not a joke.
Pages 4-16: Game Network Diagram / Players
Nodes in the diagram: BotMaster, C&C, Terminal 1, Terminal 2, Terminal 3, Twitter / FriendFeed, Player 1 ... Player N.
The diagram is split into an internal game network and an external game network.
Annotations on the links: "Check every 5 min." and "Post address of C&C every 15 min."
In the player slides BotMaster and C&C are labelled "BotMaster (Player N)" and "C&C (Player N)".
Pages 17-18: Bot / Components
Blocks in the component diagram: Loader; Timer; Init (four instances); CMD; Crypt (Spritz); C&C Transport; TGA; Social Transport; Social network; C&C; Datetime; Hashtag; Key (three instances); C&C addr; Tweet.
Page 19: C&C / Components
Blocks in the diagram: Crypt (Spritz); Request; Response; CMD; Key; Datetime; TGA; C&C Transport (two instances).
Page 20: Bot / C&C Transport / Container
BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01
00 01 00 02 00 01 00 05 00 00 00 00 00 04 00 05
0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF
00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 0C 00 01
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
00 03 01 ...
Annotations on the dump: the carrier is a media file (PNG, JPG, GIF, PDF); its media header and media footer are marked, and in between sits the crypted data, made up of a marker, the size of the packet and the pickled data.
Page 21: Bot / Commands
• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX // Show messagebox
• CMD_GET_PLIST // Get list of processes
• CMD_GET_CNAME // Get name of computer
• CMD_MAKE_LOAD // Load shellcode
• CMD_MAKE_INJ // Inject shellcode to process
Pages 22-24: Bot / Protection
The component diagram from page 18 again, annotated with how the parts are built: Custom Python (py), Cython (pyx), py2exe bootloader. The four Init blocks carry the Pyx mark and the Loader block sits next to the py2exe bootloader label.
Page 25: Bot / Protection / py2exe sections
PE sections: .text, .data, .rsrc, Overlay (PKZIP).
Labelled contents: PYTHON27.DLL, PYTHONSCRIPT BootLoader, Lib with pyx.
Pages 26-27: Bot / Protection / Custom Python
• Inspired by Dropbox *
• Anti-Decompilation: Bytecode Encryption, Bytecode Remapping
• Anti-Dump: PyCodeObject modification, Disable marshalling
• Execution Prevention: Disable PyRun…
* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420
Page 28: Custom Python / Anti-Decompilation / Bytecode Encryption
• marshal.c (w_object(), r_object())
• plain-text: PyCodeObject.co_code
• algorithm: xxtea
• key_128bit = f(random, sizeof(co_code))
Standard marshaled blob:
B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
Custom Python marshaled blob:
B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
Annotated fields: bytecode version, timestamp, type of data; then, in the standard blob, the marshaled bytecode, and in the custom blob, entropy, size of encrypted bytecode and the encrypted bytecode.
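An added example, not code from the task or its authors: a parser that tells the two marshaled blobs on this slide apart. The standard layout follows CPython 2.7's marshal.c; the custom layout's field widths (4-byte entropy, 4-byte little-endian size) are an assumption read off the slide's annotations, and both sample blobs are the 48 bytes the slide shows, so the parser also reports that the dumps are cut short.

```python
import struct
PYC_HEADER = struct.Struct("<4sI")    # magic number, then source mtime (little-endian)
TYPE_CODE, TYPE_STRING = 0x63, 0x73   # 'c' and 's' type tags from CPython 2 marshal.c

# Constructed from the two hex dumps on this slide (the 48 bytes shown of each blob).
STANDARD_BLOB = bytes.fromhex(
    "b3f20d0a 0df15c50 63 00000000 00000000 06000000 40000000 73 16010000"
    "78 43 00 65 00 00 64 00 00 83 01 00 44 5d 30 00 5a 01")
CUSTOM_BLOB = bytes.fromhex(
    "b3f20d0a 0df15c50 63 70f97904 8e200000"
    "11 06 10 0c 0f 0a 0b 08 02 01 03 00 03 00 02 00 00 00 00 00 04 00 05"
    "0a 20 01 00 00 03 00 01")

def parse_code_blob(blob):
    """Describe a (possibly truncated) marshaled code-object prefix."""
    magic, mtime = PYC_HEADER.unpack_from(blob, 0)
    if blob[8] != TYPE_CODE:
        raise ValueError("byte 8 is not TYPE_CODE ('c')")
    info = {"magic": magic.hex(), "mtime": mtime}
    if len(blob) >= 30 and blob[25] == TYPE_STRING:
        # Standard CPython 2 w_object(): co_argcount, co_nlocals, co_stacksize and
        # co_flags as 4-byte longs, then co_code as TYPE_STRING + length + bytecode.
        argc, nloc, stack, flags, _, n = struct.unpack_from("<iiiiBI", blob, 9)
        info.update(layout="standard", argcount=argc, nlocals=nloc, stacksize=stack,
                    flags=flags, payload_len=n, payload=blob[30:30 + n])
    else:
        # Custom layout. The 4-byte entropy and 4-byte little-endian size are assumed
        # widths read off the slide's annotations; what follows is the encrypted code.
        entropy, n = struct.unpack_from("<II", blob, 9)
        info.update(layout="custom", entropy=entropy, payload_len=n,
                    payload=blob[17:17 + n])
    # A dump shorter than the declared length is a cut-off slide, not a parse error.
    info["truncated"] = len(info["payload"]) < info["payload_len"]
    return info

# In CPython 2.7 numbering the standard payload starts SETUP_LOOP 0x43, LOAD_NAME 0,
# LOAD_CONST 0, CALL_FUNCTION 1, GET_ITER, FOR_ITER 0x30: a for loop over a call such
# as range(...). The custom payload shows no such structure until it is decrypted.
```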
Page 29: Custom Python / Anti-Decompilation / Bytecode Remapping
• opcode.h
• random opcode mixing
Standard opcode.h:
#define STOP_CODE 0
#define POP_TOP 1
#define ROT_TWO 2
#define ROT_THREE 3
#define DUP_TOP 4
#define ROT_FOUR 5
#define NOP 9
…
Mixed opcode.h:
#define BINARY_POWER 0
#define PRINT_ITEM 1
#define INPLACE_OR 2
#define DUP_TOP 3
#define GET_ITER 4
#define BINARY_MULTIPLY 5
#define BINARY_XOR 9
…
Page 30: Custom Python / Anti-Dump / PyCodeObject modification
• code.h
• It prevents the use of another Python implementation
/* Bytecode object */
typedef struct {
PyObject_HEAD
int co_argcount; /* #arguments, except *args */
int co_nlocals; /* #local variables */
int co_stacksize; /* #entries needed for evaluation stack */
int co_flags; /* CO_..., see below */
…
PyObject *co_consts; /* list (constants used) */
PyObject *co_names; /* list of strings (names used) */
PyObject *co_varnames; /* tuple of strings (local variable names) */
PyObject *co_freevars; /* tuple of strings (free variable names) */
PyObject *co_cellvars; /* tuple of strings (cell variable names) */
PyObject *co_code; /* instruction opcodes */
…
} PyCodeObject;
Page 31: Custom Python / Anti-Dump / Disable Marshalling
• marshal.c : w_object()
• PyMarshal_WriteObjectToFile() --> w_object()
Page 32: Custom Python / Execution Prevention
• pythonrun.c
• Patched to do nothing: PyRun_FileExFlags, PyRun_SimpleFileExFlags, PyRun_AnyFileExFlags, PyRun_InteractiveLoopFlags
• Unpatched: PyRun_SimpleString
Pages 33-34: Bot / Protection / Custom Python / Bypass
Custom Python / Bypass / Bytecode Encryption
• RE -> write decryptor
OR
• Bypass anti-dump
(The slide repeats the standard and custom marshaled blobs from page 28, labelled "Standard Python" and "Custom Python".)
Page 35: Custom Python / Bypass / Enable Marshalling
• Take the marshalling code from another implementation (e.g. PyPy)
• Find the real offset of the co_code field
Page 36: Custom Python / Bypass / Opcode unmapping
• Differential analysis
• Generating two "pyc" file sets
• Finding the opcode mapping
• Opcode unmapping
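The differential analysis as an added example, not the task authors' tooling: the mixed interpreter is simulated by a seeded shuffle of CPython 2.7 opcode numbers inside the no-argument and with-argument classes (an assumption about how the mixing keeps ceval's HAVE_ARGUMENT threshold), the two "pyc" sets are built from a constructed corpus, and the recovered table is used to unmap a stream that contains an opcode the corpus never exercised.

```python
import random
HAVE_ARGUMENT = 90   # CPython 2 ceval: opcodes >= 90 carry a 2-byte little-endian argument
# CPython 2.7 opcode numbers (Lib/opcode.py) used by the constructed corpus below.
STD = dict(POP_TOP=1, DUP_TOP=4, BINARY_ADD=23, BINARY_SUBTRACT=24, BINARY_XOR=65,
           GET_ITER=68, RETURN_VALUE=83, STORE_NAME=90, FOR_ITER=93, LOAD_CONST=100,
           LOAD_NAME=101, SETUP_LOOP=120, LOAD_FAST=124, CALL_FUNCTION=131)
# Constructed corpus: the Cython slide's (a + b - 0x0A) ^ 0x70 and the for-loop prologue.
ADD_XOR = [(STD["LOAD_FAST"], 0), (STD["LOAD_FAST"], 1), (STD["BINARY_ADD"], None),
           (STD["LOAD_CONST"], 1), (STD["BINARY_SUBTRACT"], None), (STD["LOAD_CONST"], 2),
           (STD["BINARY_XOR"], None), (STD["RETURN_VALUE"], None)]
FOR_LOOP = [(STD["SETUP_LOOP"], 0x43), (STD["LOAD_NAME"], 0), (STD["LOAD_CONST"], 0),
            (STD["CALL_FUNCTION"], 1), (STD["GET_ITER"], None), (STD["FOR_ITER"], 0x30),
            (STD["STORE_NAME"], 1), (STD["POP_TOP"], None)]

def walk(code):   # yield (offset, opcode, arg) using Python 2 instruction sizes (1 or 3)
    i = 0
    while i < len(code):
        arg = None if code[i] < HAVE_ARGUMENT else code[i + 1] | code[i + 2] << 8
        yield i, code[i], arg
        i += 1 if arg is None else 3
def assemble(ops):
    """Encode (opcode, arg) pairs in the Python 2 bytecode format."""
    return b"".join(bytes([op]) + (arg.to_bytes(2, "little") if op >= HAVE_ARGUMENT else b"")
                    for op, arg in ops)
def make_remap(seed):
    """Stand-in for a mixed opcode.h: shuffle within the no-arg and with-arg classes."""
    rng, table = random.Random(seed), {}
    for lo, hi in ((0, HAVE_ARGUMENT), (HAVE_ARGUMENT, 256)):
        dst = list(range(lo, hi)); rng.shuffle(dst)   # sizes stay what ceval expects
        table.update(zip(range(lo, hi), dst))
    return table                       # standard opcode -> custom opcode
def remap(code, table):
    """Emulate the custom compiler: the same instruction stream, renumbered opcodes."""
    out = bytearray(code)
    for i, op, _ in walk(code): out[i] = table[op]
    return bytes(out)
def diff_mapping(pairs):
    """Differential analysis: walk both compilations of each source in lockstep and record
    custom -> standard; any disagreement means the streams drifted (table would be junk)."""
    mapping = {}
    for std_code, cust_code in pairs:
        if len(std_code) != len(cust_code):
            raise ValueError("sizes differ: not compiled from the same source")
        for (i, s_op, s_arg), (j, c_op, c_arg) in zip(walk(std_code), walk(cust_code)):
            if i != j or s_arg != c_arg or mapping.setdefault(c_op, s_op) != s_op:
                raise ValueError("streams out of step at offset %d" % i)
    return mapping
def unmap(cust_code, mapping):   # back to standard numbering; unseen opcodes stay None
    return [(mapping.get(op), arg) for _, op, arg in walk(cust_code)]
```

Opcodes that come back as None are the ones no corpus file exercised; the fix is to add a source that uses them and rerun the differential step.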
Pages 37-38: Bot / Protection / Cython
Cython (c-api)
def function(a, b):
    c = a + b - 0x0A
    return c ^ 0x70
PyObject *__pyx_f_4temp_function(PyObject *va, PyObject *vb){
    PyObject *vl1, *vl2, *vl3;  /* all three are object pointers */
    __Pyx_RefNannySetupContext("function", 0);
    vl1 = PyNumber_Add(va, vb);               /* a + b */
    vl2 = PyNumber_Subtract(vl1, vg_int_10);  /* - 0x0A; vg_int_10 is the module's constant object 10 */
    vl3 = PyNumber_Xor(vl2, vg_int_112);      /* ^ 0x70; vg_int_112 is the constant object 112 */
    __Pyx_RefNannyFinishContext();
    return vl3;
}
Page 39: Cython (Pure C)
cdef long function(long a, long b):
    c = a + b - 0x0A
    return c ^ 0x70
long __pyx_f_4temp_function(long va, long vb){
    long vl1, vl2;
    __Pyx_RefNannySetupContext("function", 0);
    vl1 = ((va + vb) - 0x0A);   /* plain C arithmetic, no Python objects involved */
    vl2 = (vl1 ^ 0x70);
    __Pyx_RefNannyFinishContext();
    return vl2;
}
Pages 40-41: Bot / Protection / Cython / Solving
Cython / Solving / Localization
Python < 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
  • Py_InitModule4
  • PyImport_AddModule to __builtin__
  • __Pyx_InitGlobals
  • __Pyx_InitStrings -> __Pyx_StringTabEntry
  • PyImport_GetModuleDict
  • PyDict_SetItemString
Python >= 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
  • PyModule_Create
  • PyImport_AddModule to builtins
  • __Pyx_InitGlobals
  • __Pyx_InitStrings -> __Pyx_StringTabEntry
  • PyImport_GetModuleDict
  • PyDict_SetItemString
Pages 42-43: PoS terminal / PoS terminal in action
Page 44: Service monitor
Re-launches the bot and the PoS processes every 5 minutes
Page 45: Job restriction
• Restricted token
• Trimmed privileges
• Memory peak limit
• Low integrity
• 2 processes only
Page 46: Shell storage
• Service also grabs all injected shellcodes
• pos_1 / 75 shellcodes
• pos_2 / 59 shellcodes
Page 47: Shellcode, first attempt
Trying to download a meterpreter shell from the C&C and spawn it
Page 48: Shellcode of the winner
Sends 2 GB of the DSec VM's memory to the C&C :D
Page 49: Hints (for 4 days)
• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends on a correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …
Page 50: Questions?
Roman Bazhin (@nezlooy), George Nosenko (@intROPy), Peter Kamensky (@Python0x0)