Zn task - defcon russia 20

http://defcon-russia.ru

  1. Task "Infected terminal". ZeroNights E.0x04 Hackquest. Roman @nezlooy Bazhin, George @intROPy Nosenko, Peter @Python0x0 Kamensky
  2. #whoami. Roman Bazhin: security researcher at Digital Security, ethical gop-stopper. George Nosenko: security researcher at Digital Security, Pwnie Awards nominee. Peter Kamensky: security researcher at Digital Security. © 2002—2014, Digital Security
  3. Legend and EULA. A sample of malware belonging to some functioning botnet was found on one of Moscow's PoS terminals... Warning: run this file only under a virtual machine. And it's not a joke.
  4-11. Game Network Diagram (one diagram built up over eight slides). Nodes: Twitter / FriendFeed, BotMaster, Terminal 1, Terminal 2, Terminal 3, C&C; the diagram is split into an internal game network and an external game network. Annotations on the edges: "Check every 5 min." and "Post address of C&C every 15 min."
  12-16. Game Network Diagram / Players. Player 1 ... Player N are added to the same diagram; a player can take over the BotMaster and C&C roles, shown as BotMaster (Player N) and C&C (Player N).
  17. Bot / Components
  18. Bot / Components (diagram labels): Loader, Init, Timer, Social network, Social Transport, Hashtag, Tweet, C&C addr, C&C Transport, Crypt (Spritz), Key, H, C, TGA, Datetime, CMD.
  19. C&C / Components (diagram labels): C&C Transport, Crypt (Spritz), Key, Request, Response, CMD, H, C, TGA, Datetime.
  20. Bot / C&C Transport / Container. Carrier: PNG, JPG, GIF or PDF. Layout: media header, marker, size of packet, pickled data, crypted data, media footer. Dump from the slide:
      BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01 00 01 00 02 00 01 00 05 00 00 00 00 00 04 00 05 0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF 00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02 00 00 00 00 00 04 00 05 0A 20 01 00 00 0C 00 01 00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02 00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01 00 03 01 ...
  21. Bot / Commands
      • CMD_MAKE_TOKEN
      • CMD_GET_CMD
      • CMD_MAKE_NOP
      • CMD_MAKE_NETWORK_DISCONNECT
      • CMD_GET_CONTRIBUTORS
      • CMD_GET_MSGBOX // Show messagebox
      • CMD_GET_PLIST // Get list of processes
      • CMD_GET_CNAME // Get name of computer
      • CMD_MAKE_LOAD // Load shellcode
      • CMD_MAKE_INJ // Inject shellcode to process
  22. Bot / Protection
  23. Bot / Protection (component diagram labels): Crypt (Spritz), CMD, Social network, C&C, Datetime, C&C Transport, C, TGA, Social Transport, Hashtag, Key, H, C&C addr, Tweet, Timer, Init, Loader.
  24. Bot / Protection (same diagram with the protection legend): Custom Python (py), Cython (pyx); each component's Init block is marked InitPyx; the whole thing is started by the py2exe bootloader.
  25. Bot / Protection / py2exe sections: .text, .data, .rsrc, Overlay (PKZIP) containing PYTHON27.DLL, PYTHONSCRIPT, BootLoader and the Lib with pyx.
  26. Bot / Protection / Custom Python
  27. Custom Python. Inspired by Dropbox *. Anti-Decompilation: bytecode encryption, bytecode remapping. Anti-Dump: PyCodeObject modification, disable marshalling. Execution Prevention: disable PyRun… (* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420)
  28. Custom Python / Anti-Decompilation / Bytecode Encryption. marshal.c (w_object(), r_object()); plain-text: PyCodeObject.co_code; algorithm: xxtea; key_128bit = f(random, sizeof(co_code)).
      Standard marshaled blob (bytecode version, timestamp, type of data, marshaled bytecode):
      B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00 00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43 00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
      Custom Python marshaled blob (bytecode version, timestamp, type of data, entropy, size of encrypted bytecode, encrypted bytecode):
      B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00 00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02 00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
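Slide 28 says the marshaled co_code is encrypted with xxtea under a 128-bit key derived from a random value and sizeof(co_code). As an added example (not the deck's or the task's code), here is XXTEA over 32-bit words as Wheeler and Needham published it, with byte wrappers, the kind of routine an analyst writes once the key derivation has been reversed and a dump of the encrypted blob is in hand. The derivation f() is not on the slide, so the code takes a finished 16-byte key; the little-endian word order, the zero padding and the sample key are this example's own assumptions, not facts about the bot.

```python
"""XXTEA (Wheeler & Needham, "Correction to xtea", 1998) over 32-bit words.

Added example; not code from the slides or the task. Slide 28 names xxtea as
the cipher for PyCodeObject.co_code; word order and padding here are assumed.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Constructed sample: real CPython bytecode from a throwaway lambda, and a dummy key.
SAMPLE_CO_CODE = (lambda a, b: a + b).__code__.co_code
SAMPLE_KEY = bytes(range(16))  # constructed 128-bit key, not the bot's


def _mx(s, y, z, p, e, k):
    # XXTEA mixing function, evaluated modulo 2**32 like the C reference macro.
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def encrypt_words(v, k):
    """Encrypt n >= 2 uint32 words under a 4-word key; returns a new list."""
    v, n = list(v), len(v)
    if n < 2 or len(k) != 4:
        raise ValueError("XXTEA needs at least two data words and a 4-word key")
    rounds = 6 + 52 // n
    s, z = 0, v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
    return v


def decrypt_words(v, k):
    """Inverse of encrypt_words: same round schedule, walked backwards."""
    v, n = list(v), len(v)
    if n < 2 or len(k) != 4:
        raise ValueError("XXTEA needs at least two data words and a 4-word key")
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        s = (s - DELTA) & MASK
    return v


def _to_words(data: bytes):
    return list(struct.unpack("<%dI" % (len(data) // 4), data))  # assumed little-endian


def _from_words(words):
    return struct.pack("<%dI" % len(words), *words)


def encrypt_bytes(plain: bytes, key: bytes) -> bytes:
    """Zero-pad to a multiple of 4 bytes (and at least 8, XXTEA's minimum), then encrypt."""
    padded = plain + b"\x00" * (-len(plain) % 4)
    if len(padded) < 8:
        padded += b"\x00" * (8 - len(padded))
    return _from_words(encrypt_words(_to_words(padded), _to_words(key)))


def decrypt_bytes(cipher: bytes, key: bytes, length: int) -> bytes:
    """Decrypt and cut back to the original length. Slide 28 shows the size of the
    encrypted bytecode stored right before the blob, so the caller knows length."""
    return _from_words(decrypt_words(_to_words(cipher), _to_words(key)))[:length]


if __name__ == "__main__":
    ct = encrypt_bytes(SAMPLE_CO_CODE, SAMPLE_KEY)
    print("plain:", SAMPLE_CO_CODE.hex())
    print("xxtea:", ct.hex())
    print("round trip ok:", decrypt_bytes(ct, SAMPLE_KEY, len(SAMPLE_CO_CODE)) == SAMPLE_CO_CODE)
```

Because the key is a function of a per-object random value and the co_code size (both visible in the custom marshal header on the slide), the protection is only as strong as the secrecy of f() inside the patched interpreter; the ciphertext itself carries everything else a decryptor needs.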
  29. Custom Python / Anti-Decompilation / Bytecode Remapping. opcode.h, random opcode mixing. Standard numbering:
      #define STOP_CODE 0
      #define POP_TOP 1
      #define ROT_TWO 2
      #define ROT_THREE 3
      #define DUP_TOP 4
      #define ROT_FOUR 5
      #define NOP 9
      …
      Remapped numbering:
      #define BINARY_POWER 0
      #define PRINT_ITEM 1
      #define INPLACE_OR 2
      #define DUP_TOP 3
      #define GET_ITER 4
      #define BINARY_MULTIPLY 5
      #define BINARY_XOR 9
      …
  30. Custom Python / Anti-Dump / PyCodeObject modification. code.h; modifying the struct prevents the use of other Python implementations. Struct as shown on the slide:
      /* Bytecode object */
      typedef struct {
          PyObject_HEAD
          int co_argcount;        /* #arguments, except *args */
          int co_nlocals;         /* #local variables */
          int co_stacksize;       /* #entries needed for evaluation stack */
          int co_flags;           /* CO_..., see below */
          …
          PyObject *co_consts;    /* list (constants used) */
          PyObject *co_names;     /* list of strings (names used) */
          PyObject *co_varnames;  /* tuple of strings (local variable names) */
          PyObject *co_freevars;  /* tuple of strings (free variable names) */
          PyObject *co_cellvars;  /* tuple of strings (cell variable names) */
          PyObject *co_code;      /* instruction opcodes */
          …
      } PyCodeObject;
  31. Custom Python / Anti-Dump / Disable Marshalling. marshal.c: w_object(); PyMarshal_WriteObjectToFile() --> w_object().
  32. Custom Python / Execution Prevention. pythonrun.c. Patched to do nothing: PyRun_FileExFlags, PyRun_SimpleFileExFlags, PyRun_AnyFileExFlags, PyRun_InteractiveLoopFlags. Unpatched: PyRun_SimpleString.
  33. Bot / Protection / Custom Python / Bypass
  34. Custom Python / Bypass / Bytecode Encryption. Either RE -> write a decryptor, or bypass the anti-dump. (Same standard vs. custom marshaled blobs as on slide 28, labelled Standard Python and Custom Python.)
  35. Custom Python / Bypass / Enable Marshalling. Grab marshalling code from another implementation (e.g. PyPy); find the real offset of the co_code field.
  36. Custom Python / Bypass / Opcode unmapping. Differential analysis: generate two "pyc" file sets, find the opcode mapping, unmap the opcodes.
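Slide 36 gives the method in four words: compile the same sources with the standard interpreter and with the custom one, line the two bytecode sets up, and read the opcode mapping off the pairs. The block below is an added example, not the authors' tooling, that carries the method through on real CPython bytecode (2-byte wordcode, CPython 3.6 and later). The custom interpreter is simulated by a secret random permutation of opcode numbers, standing in for the "random opcode mixing" of slide 29; the recovery functions never read it. The training sources, the target source and the seed are constructed for the demo. Beyond the slide, the example also shows the two consistency checks that tell you when the "plain permutation" model is wrong and when the training set does not cover an opcode the target needs.

```python
"""Differential opcode unmapping (slide 36), as an added example; not the authors' code.

Standard side: co_code blobs compiled by the interpreter we control.
Custom side:   the same sources compiled by the obfuscated interpreter (simulated here).
Pairing them instruction by instruction yields {custom_opcode: standard_opcode}.
"""
import dis
import random
import types

# Constructed training sources. Variety matters: every opcode the target uses must
# appear somewhere in this set, or unmap() cannot translate it.
TRAINING_SOURCES = [
    "def a(x, y):\n    return x + y - 7\n",
    "def b(xs):\n    t = 0\n    for v in xs:\n        t += v\n    return t\n",
    "def c(s):\n    return s.upper() if s else None\n",
    "def d(n):\n    return [i * i for i in range(n) if i % 2 == 0]\n",
]
TARGET_SOURCE = "def h(x):\n    return x + 1\n"  # constructed 'unknown' blob to recover


def code_objects(code):
    """Yield a code object and, recursively, every nested code object in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from code_objects(const)


def compile_all(sources):
    """Standard-interpreter side: every co_code blob from the sources, in a fixed order."""
    return [co.co_code
            for src in sources
            for co in code_objects(compile(src, "<sample>", "exec"))]


def make_secret_permutation(seed=1337):
    """Simulated random opcode mixing (slide 29). The analysis below never uses it."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return dict(enumerate(table))


def apply_permutation(code: bytes, perm: dict) -> bytes:
    """Stand-in for the custom interpreter's output: rewrite opcode bytes, keep args."""
    out = bytearray(code)
    for i in range(0, len(out), 2):
        out[i] = perm[out[i]]
    return bytes(out)


def learn_mapping(pairs):
    """Differential step over (standard_co_code, custom_co_code) pairs of identical sources.
    Returns {custom_opcode: standard_opcode}. Raises ValueError when the samples contradict
    the per-opcode-permutation model: differing lengths or argument bytes, or one custom
    opcode that would have to map to two standard ones. That means the obfuscation does
    more than renumber opcodes and the model has to be revised, not the data."""
    mapping = {}
    for std, cst in pairs:
        if len(std) != len(cst):
            raise ValueError("sample lengths differ: not the same program")
        for i in range(0, len(std), 2):
            if std[i + 1] != cst[i + 1]:
                raise ValueError("argument bytes differ: remapping is not opcode-only")
            if mapping.setdefault(cst[i], std[i]) != std[i]:
                raise ValueError(f"custom opcode {cst[i]} maps to both "
                                 f"{mapping[cst[i]]} and {std[i]}")
    return mapping


def unmap(custom_code: bytes, mapping: dict) -> bytes:
    """Translate a custom-numbered blob back to standard numbering."""
    out = bytearray(custom_code)
    for i in range(0, len(out), 2):
        if out[i] not in mapping:
            raise KeyError(f"custom opcode {out[i]} not covered by the training set")
        out[i] = mapping[out[i]]
    return bytes(out)


def run_demo(seed=1337):
    """Learn the mapping from the training set, unmap a fresh target, compare with truth.
    Returns (recovered_matches_standard, number_of_opcodes_learned)."""
    perm = make_secret_permutation(seed)
    std_blobs = compile_all(TRAINING_SOURCES)
    custom_blobs = [apply_permutation(b, perm) for b in std_blobs]
    mapping = learn_mapping(zip(std_blobs, custom_blobs))
    target_std = compile_all([TARGET_SOURCE])
    target_custom = [apply_permutation(b, perm) for b in target_std]
    recovered = [unmap(b, mapping) for b in target_custom]
    return recovered == target_std, len(mapping)


if __name__ == "__main__":
    ok, learned = run_demo()
    print("target bytecode recovered:", ok, "| distinct opcodes learned:", learned)
    std_blobs = compile_all(TRAINING_SOURCES)
    perm = make_secret_permutation()
    mapping = learn_mapping(zip(std_blobs, [apply_permutation(b, perm) for b in std_blobs]))
    for cop, sop in sorted(mapping.items()):  # readable table, e.g. "custom 183 -> LOAD_CONST"
        print(f"custom {cop:3d} -> {dis.opname[sop]}")
```

Two practical notes that carry over to the real task: the standard-side pyc set has to come from the same CPython minor version as the custom build (2.7 here, judging by the B3 F2 0D 0A magic on slide 28), since the compiler's instruction selection changes between versions and would break the one-to-one pairing; and the KeyError path is the normal way to discover that the training corpus needs another source exercising a missing opcode.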
  37. Bot / Protection / Cython
  38. Cython (C API). Source:
      def function(a, b):
          c = a + b - 0x0A
          return c ^ 0x70
      Generated C:
      PyObject *__pyx_f_4temp_function(PyObject *va, PyObject *vb) {
          PyObject *vl1, *vl2, *vl3;
          __Pyx_RefNannySetupContext("function", 0);
          vl1 = PyNumber_Add(va, vb);
          vl2 = PyNumber_Subtract(vl1, vg_int_10);
          vl3 = PyNumber_Xor(vl2, vg_int_112);
          __Pyx_RefNannyFinishContext();
          return vl3;
      }
  39. Cython (pure C). Source:
      cdef long function(long a, long b):
          c = a + b - 0x0A
          return c ^ 0x70
      Generated C:
      long __pyx_f_4temp_function(long va, long vb) {
          long vl1, vl2;
          __Pyx_RefNannySetupContext("function", 0);
          vl1 = ((va + vb) - 0x0A);
          vl2 = (vl1 ^ 0x70);
          __Pyx_RefNannyFinishContext();
          return vl2;
      }
  40. Bot / Protection / Cython / Solving
  41. Cython / Solving / Localization (what to look for in the binary).
      Python < 3: __Pyx_AddTraceback, __Pyx_MODULE_NAME, __Pyx_NAMESTR, ModuleInit, Py_InitModule4, PyImport_AddModule to __builtin__, __Pyx_InitGlobals, __Pyx_InitStrings -> __Pyx_StringTabEntry, PyImport_GetModuleDict, PyDict_SetItemString.
      Python >= 3: __Pyx_AddTraceback, __Pyx_MODULE_NAME, __Pyx_NAMESTR, ModuleInit, PyModule_Create, PyImport_AddModule to builtins, __Pyx_InitGlobals, __Pyx_InitStrings -> __Pyx_StringTabEntry, PyImport_GetModuleDict, PyDict_SetItemString.
  42. PoS terminal
  43. PoS terminal in action
  44. Service monitor: re-launches the bot and the PoS processes every 5 minutes.
  45. Job restriction: restricted token, trimmed privileges, memory peak limit, low integrity, 2 processes only.
  46. Shell storage: the service also grabs all injected shellcodes. pos_1: 75 shellcodes; pos_2: 59 shellcodes.
  47. Shellcode, first attempt: trying to download and spawn a meterpreter shell from the C&C.
  48. Shellcode of the winner: sends 2 GB of the DSec VM's memory to the C&C :D
  49. Hints (for 4 days)
      • Use ntp2d.mcc.ac.uk (UTC+4)
      • Dropbox
      • PYX
      • DGA
      • Do not touch C&C !!1
      • Good bot-knocking with stable sessions depends on the correct implementation of the protocol
      • The flag is NOT in key, .flag, flag.txt, etc.
      • Job restrictions, 2 processes only
      • Flag format: ZN0x04_{<SHA-256>}
      • …
  50. Questions? Roman @nezlooy Bazhin, George @intROPy Nosenko, Peter @Python0x0 Kamensky
