Reversing and Exploiting Green Dam
by Anthony Lai 賴灼東
2009.07.21

1. Reversing and Exploiting Green Dam
   [0xdf], Valkyrie-X Security Research Lab, VXRL 2009

2. Special Thank You
   •  Mr. Byoungyoung Lee from PLUS, who is the mentor/advisor of Valkyrie-X

3. Background
   •  Focus on research and studies on software/system exploitation, vulnerabilities, reverse engineering, penetration testing and crypto problems.
   •  Activity: we joined CTF and ranked 68th out of 230 teams in the DefCon 17 prequalifying round.

4. (image-only slide)

5. Agenda
   •  Reversing a few critical modules in Green Dam.
   •  Exploitation possibility

6. Let us start

7. Reversing
   •  XNet2.exe
      –  It is the major Green Dam service
      –  It handles installation and registers the software key to the system
      –  It is responsible for password check and reset
      –  Commander of XDaemon.exe and gn.exe
      –  Kick-starts a number of processes with the following executables:
         •  Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic

8. Prepare and set up processes (image-only slide)

9. Installation
   •  Installation – software key registration to the registry.

10. More interesting stuff is…

11. (image-only slide)

12. Prepare a list of processes (image-only slide)

13. Installation Password
   •  After Green Dam converts the password using the MD5 algorithm, it saves it in text format within the kwpwf.dll file located in the C:\WINDOWS\system32 directory. When the file is opened with Notepad, its content replaced with "D0970714757783E6CF17???????????? ????????" and saved, the password is restored to the original "1122??????".

14. Easy Password

15. Green Dam – Data File
   •  Decrypted file content
      –  Contains keywords for filtering
   •  The data file naming convention and filtering classification are exactly the same as Cybersitter from Solid Oak.

16. Green Dam – Data File (image-only slide)

17. (image-only slide)

18. Green Dam – Connected IPs
   •  Connected IPs
      –  Connected to an ISP in the USA?
      –  Connected to NIST's time server?

19. (image-only slide)

20. (image-only slide)

21. (image-only slide)

22. Green Dam – Monitored Software
   •  Monitored software
      –  We could find it from injlib32.dll
      –  Injlib32.dll is injected into every critical process.
      –  Handle.dll creates a process/thread to monitor any messages received from the injected DLL (as it supports transmitstring).
   Diagram: Handler.dll, Injlib32.dll, Notepad.exe

23. (image-only slide)

24. (image-only slide)

25. (image-only slide)

26. Green Dam – Exploitation
   •  Possible vulnerabilities in Green Dam version 3.1.7
      –  As Green Dam is injected into the browser process and cannot handle long URLs
      –  A stack buffer overflow is found.
   •  The exploit is published on Milw0rm.com. It should be the same

27. What is Stack Buffer Overflow?

28. What is Stack Buffer Overflow? (from Wikipedia.org)

29. How can we exploit?
   •  We try input of 2048 'A's and submit it as a URL.
   •  We attach OllyDbg to the Internet Explorer process, iexplore.exe, for debugging at runtime.
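As an added example (not code from the deck, from Green Dam or from the Milw0rm exploit), the pattern slides 26 to 29 describe: a fixed-size stack buffer that receives a URL, beside a length-checked version, both exercised with the 2048-'A' input from slide 29. The function names, the buffer size and the "blocked" keyword are assumptions.

```c
/* Added example, hypothetical names: a URL filter with a fixed stack
 * buffer, in the unsafe and the bounded form. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF_SIZE 256   /* assumed buffer size; the deck gives none */

/* Vulnerable pattern: strcpy trusts the caller's length.  A URL longer
 * than URL_BUF_SIZE runs past buf and over the saved return address,
 * which is what the 2048-'A' input on slide 29 demonstrates.
 * Never call this with untrusted input; shown only for contrast. */
int filter_url_unsafe(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);                      /* no bounds check */
    return strstr(buf, "blocked") ? 1 : 0; /* 1 = filtered, 0 = allowed */
}

/* Hardened pattern: measure first, fail closed on oversize input, and
 * only then copy exactly what fits (terminator included). */
int filter_url_safe(const char *url)
{
    char buf[URL_BUF_SIZE];
    size_t len = strlen(url);
    if (len >= URL_BUF_SIZE)
        return -1;                         /* reject, don't truncate silently */
    memcpy(buf, url, len + 1);
    return strstr(buf, "blocked") ? 1 : 0;
}

/* Constructs the test input from slide 29: n 'A' bytes submitted as a
 * URL.  Caller frees the result. */
char *build_a_url(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *u = build_a_url(2048);
    printf("bounded handler on 2048 'A's: %d\n", filter_url_safe(u));
    free(u);
    return 0;
}
```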
30. Demo

31. Exploitation Summary
   •  Successfully overwritten with our input.
   •  Deploying shellcode will be our next mission.
   •  No patch is provided.

32. Our Conclusion

33. Conclusion
   •  We strongly suggest not installing this software.
   •  It introduces vulnerabilities; it does not just filter, it monitors the software you use and the content you type.

34. Thank you for listening
   •  Anthony Lai (0xdf)
   •  0xdarkfloyd@gmail.com

35. Reference
   •  Technical Analysis of Green Dam
      –  http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-Escort'_censorship_software
   •  Analysis of Green Dam Censorware System
      –  http://www.cse.umich.edu/~jhalderm/pub/gd/

36. Tools
   •  MD5 Decryption
      –  http://www.md5decrypter.com/
   •  IDA Pro (get the free version)
      –  http://www.hex-rays.com/idapro/
      –  http://www.amazon.com/exec/obidos/ASIN/1593271786/datarescuesanv
