The malware threat landscape is continuously evolving. In this blog post, I would like to introduce the basic concept of malware and malware analysis, the ideas of both static and dynamic malware analysis. Besides, malware evasive techniques and novel solutions will be introduced as well as modern research such as automatic protocol RE and Android malware behavior analysis will be mentioned in last sections.
Sau cơn mưa, đừng vội bỏ áo mưa (1 icon nào đó của vozforums)
Nội dung bài viết được thực hiện trên 1 trang mà tôi tự tiện clone lại đề của Bkav.
Nếu bạn đã đọc đến đây thì tức là bạn đang tìm kiếm lời giải cho 1 vấn đề, và hãy tiếp tục đọc xuống bên dưới, nếu bạn muốn tự khám phá thì hãy dừng lại ở đây và quay trở lại khi tạm thời chưa nghĩ ra ý tưởng, hoặc những ý tưởng của bạn đúng nhưng tôi lại setup sai 😕
Đây là một trong những kỹ thuật cơ bản dùng để khai thác lỗ hổng ở vùng nhớ heap
Glibc tổ chức 1 heap chunk như sau:
struct malloc_chunk {
INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */
INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */
struct malloc_chunk* fd; /* double links -- used only if free. */
struct malloc_chunk* bk;
/* Only used for large blocks: pointer to next larger size. */
struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
struct malloc_chunk* bk_nextsize;
};
Visitors sometimes feel bored with our web blog because of too many boring stuffs which not often appear in their casual work/study. I just want to post such a simple tutorial for beginners and if you are experienced in CTF's pwn then just skip it. Enjoy!
Continue reading Writeup for beginners - BoF Vulnerability Lab (Syracuse University)
Chinese Remainder Theorem
=========================
Suppose 
are positive integers and coprime in pair. For any sequence of integers 
, there exists an integer x solving the following system of congruence equations:
There exists an unique modulo solution of the system of simultaneous congruences above:
in which:
Continue reading Basic concepts of Chinese Remainder Theorem with respect of RSA/AES
THRESHOLD SIGNATURE SCHEME
Assuming there are 20 employees in a company, and if each employee has his or her own copy of the secret key then it is hard to assure on individuals due to compromise and machine break down. In the other hand, if there is a valid signature requires all 20 employees’ signature in the company then it will be very secure but not be easy to use. Therefore we can implement a scheme which requires only sign 5 or more out of 20 employees then it will be valid and that is exactly what a (5,20) threshold signature scheme tries to achieve. In addition, if a threat agent wants to compromise the system and obtain a message, he must compromise at least 5 people in the scheme and that is a harder thing to do compared to a traditional public scheme.
Deciphering
| Ciphertext: “VaqrprzoreoeratraWhyvhfraJnygreUbyynaqreqrgjrroebrefinaRqvguZnetbganne
NzfgreqnzNaarjvytenntzrrxbzraznnezbrgabtrrarragvwqwrovwbzn oyvwiraBznmnyurgzbrvyvwxuroorabzNaarabtrracnnejrxraqnnegrubhqrafpuev wsgRqvguSenaxvarraoevrsnnaTregehqAnhznaauhaiebrtrerohhezrvfwrvaSenaxs hegnzZnva” |
The given ciphertext has only letters without space, punctuation or separated key, there are two classic cipher systems such as substitution cipher and transposition cipher which are known to be easy to attack by using frequency analysis or bruteforce techniques. Continue reading Deciphering Ceasar basic concept
ASLR tắt, bug cho phép ghi đè 2 byte vào địa chỉ char *buf = malloc(20);. Với ASLR tắt thì địa chỉ map của [heap] section sex fix ở dạng 0x0804xxxx, do đó ta có thể điều khiểu *buf = got_table một cách dễ dàng. Phương pháp khai thác như sau:
Mã khai thác: https://gist.github.com/peternguyen93/f4e9bf786c2df2ab968f
Lỗ hổng stack base buffer overflow rất rõ ràng khi sử dụng hàm gets(buf), do binary được compiled 32 bit do đó ta có thể control địa chỉ flag và đọc được bất cứ dữ liệu nào của memory
void find_flag(char *flag)
{
char buf[256];
make_flag(flag); //đổi flag
while(1){
gets(buf);
printf("%s%s\n",buf,flag);
}
}
Mã khai thác
https://gist.github.com/peternguyen93/e187ad6cee83346298ce
Binary sử dụng các kỹ thuật anti-debug và cấm sử dụng các syscall (execve,fork,clone). Ngoài ra lỗ hổng buffer overflow khá là rõ ràng, binary được compile bằng PIE. Tuy nhiên, hàm read không tự động viết null bye vào cuối, do đó ta có thể leak được canary và libc_base , thông qua các bước sau:
https://gist.github.com/peternguyen93/c4dda7ef5dd7cb549a2f
SQL Injection, do chưa filter đấu '\'. Ngoài ra trước khi hết thúc xử lý request, web100 gọi hàm re.findall(r'(y+)*',row), hàm regex findall match tất cả các substring có thể match, ngoài ra chuỗi regex (y+)* với một chút google ta có kq sau https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS , đo đó có thể build một query cho phép ta có thể phân biệt được trạng thái đúng hoặc sai để blind flag dựa trên time base.
https://gist.github.com/peternguyen93/75839e252257e9da62e4
Lỗ hỗng rất rõ ràng khi web app sử dụng pickle data serialization, thông qua đó ta có thể sử dụng code injection để có được shell trên server.
https://gist.github.com/peternguyen93/c168c15919a3203acfe2
Lỗi LFI cho phép có thể lấy được mã nguồn của website, trong đó thấy được một script cgi lấy thông tin về thời gian. Script này bị lỗi command injection, do giới hạn các hàm connect back, để get shell ta lợi dụng file /run/cgicounter ta có thể đọc từng ký tự của command trả về.
I'm too lazy to write up in deep these challenges, but i will give you my solution to solve these challenges. You will do it by yourself before you read my exploit script, that makes you understand deeper. I hope you enjoy with this. Happy pwnning.
The bug is easy to find at function Coordidate, this is basic format string bug
But before you enter printf(s), we must to bypass the check a pair float number is parsed from s, to bypass it we just append format string bug to the end of the pair '51.492137,-0.192878' , for more information about atof read this http://www.cplusplus.com/reference/cstdlib/atof/
So the payload to exploit this bug too easy:
But the game is not over, before we exploit the bug, we need to solve 2 problems:
We must to write a program to solve the game to enter TARDIS mode (this task is to quite strange)
We must bypass timecheck to enter vulnerable function
time_c > 0x55592B6C && time_c <= 0x55592B7F;
We must set time_c in range (0x55592b6c,0x55592b7f].
Take a look at READ_DATA function , will be triggered after 2 second.
OMG, the buffer was used for saving the connection to localtime server was used to store user input. We just send 9 zero bytes to server and then wait until READ_DATA is triggered and then send 4 bytes in require range, and we will enter vulnerable function.
Our poc here : https://gist.github.com/peternguyen93/f06aa5e27626598a1c21
This is very interesting challenge.
After doing RE we find some usefull information:
This program implementing basic Polish Notation by using JIT compiler.
The structure of jit is:
Take a look at function handle_digit
When we inputted a string of number is seperated by space character , the jit compiter will push it in the stack_buffer.
We know that size of stack_buf is 0x1000 (located below stack_code), in this function there are no unbound checking if we push the stack_buf into stack_code, and so this bug does.
We just write own shellcode and then overwrite some opcode in the end of asm_code with own shellcode (because cgc executable is not have sys_execve syscall so we just use some syscall provided by CGC to read the flag).
Our shellcode :
_start: push 0x3 pop eax push ebx pop ecx push 0x3 pop ebx push 0x50 pop edx ;ebx hold my buffer int 0x80 push 0x2 pop eax push 0x1 pop ebx int 0x80
Our poc is : https://gist.github.com/peternguyen93/e7d08cf109b38af6baae
This is the first time i wrote writeup using english, if something went wrong or some point you dont understand, feel free to ask me above