Zn task - defcon russia 20

Uploaded by defconrussia, 06-Aug-2015
Transcript
Page 1: Zn task  - defcon russia 20

Task “Infected terminal” (ZeroNights E.0x04 Hackquest)

Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky

Page 2

#whoami

Roman Bazhin
• Security researcher at Digital Security
• Ethical gop-stopper

George Nosenko
• Security researcher at Digital Security
• Pwnie Awards nominee

Peter Kamensky
• Security researcher at Digital Security

© 2002—2014, Digital Security

Page 3

Legend and EULA

On one of Moscow's PoS terminals a sample of malware belonging to some functioning botnet was found...

Warning: Run this file only under a virtual machine. And it's not a joke.

Pages 4-16

Game Network Diagram / Players

[Figure: game network diagram, built up over the slides. Nodes: Twitter / FriendFeed, BotMaster, C&C, Terminal 1, Terminal 2, Terminal 3, Player 1 ... Player N. The terminals form the internal game network; Twitter / FriendFeed sits in the external game network. Labelled edges: the terminals check the social network every 5 min.; the BotMaster posts the address of the C&C every 15 min. In the "Players" variant the BotMaster and the C&C are labelled "(Player N)": a player takes both roles.]

Pages 17-18

Bot / Components

[Figure: component diagram of the bot. Loader -> Init -> Timer. Components: Crypt (Spritz); CMD; Social network (TGA, Social Transport, Hashtag, C&C addr Tweet); C&C (Datetime, C&C Transport). Inputs feeding them: Key (three instances), H, C. Each component has its own Init.]
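The rendezvous the diagram describes (BotMaster posts the C&C address every 15 min., the terminals poll the feed every 5 min., the hashtag coming out of the Datetime + Key -> H chain of the component list), simulated end to end as an added example; this is not the task authors' code. The HMAC-SHA256 hashtag, the 15-minute window, the in-memory stand-in for Twitter / FriendFeed and the sample key and address are assumptions; the real bot's hash, tweet encoding and Spritz-encrypted tweet body are not reproduced here.

```python
# Added example (not the task's code): time-seeded hashtag rendezvous between
# a BotMaster and a bot.  HMAC-SHA256, the window size, the in-memory feed and
# the sample key/address are assumptions of the demo.
import hashlib
import hmac
from dataclasses import dataclass, field

POST_INTERVAL = 15 * 60   # BotMaster posts the C&C address every 15 min
CHECK_INTERVAL = 5 * 60   # each terminal's bot polls the feed every 5 min


def window_start(ts: int, window: int = POST_INTERVAL) -> int:
    """Round a UTC epoch timestamp down to the start of its window."""
    return ts - ts % window


def hashtag_for(ts: int, key: bytes) -> str:
    """H(Datetime, Key) -> hashtag.  Both sides must agree on the clock,
    which is what the NTP hint on page 49 is about."""
    mac = hmac.new(key, str(window_start(ts)).encode(), hashlib.sha256)
    return "#" + mac.hexdigest()[:12]


@dataclass
class Feed:
    """Stand-in for Twitter / FriendFeed: an append-only list of posts."""
    posts: list = field(default_factory=list)   # (timestamp, text)

    def search(self, tag: str):
        return [(t, txt) for t, txt in self.posts if tag in txt.split()]


def botmaster_post(feed: Feed, ts: int, key: bytes, cnc_addr: str) -> str:
    """BotMaster side: publish the C&C address under this window's hashtag."""
    text = f"{hashtag_for(ts, key)} {cnc_addr}"
    feed.posts.append((ts, text))
    return text


def bot_lookup(feed: Feed, ts: int, key: bytes, skew_windows: int = 1):
    """Bot side: resolve the newest C&C address for the current window.

    Also tries `skew_windows` earlier windows, so a poll that lands just after
    a window boundary (before the BotMaster's next post) still resolves."""
    for back in range(skew_windows + 1):
        tag = hashtag_for(ts - back * POST_INTERVAL, key)
        hits = feed.search(tag)
        if hits:
            newest = max(hits)[1]
            return newest.split(maxsplit=1)[1]
    return None


def simulate(key: bytes, cnc_addr: str, start: int, hours: int = 1):
    """Run the BotMaster (every 15 min) and one bot (every 5 min) over `hours`;
    `start` must be aligned to POST_INTERVAL.  Returns what the bot resolved."""
    feed = Feed()
    resolved = []
    for ts in range(start, start + hours * 3600, CHECK_INTERVAL):
        if ts % POST_INTERVAL == 0:
            botmaster_post(feed, ts, key, cnc_addr)
        resolved.append(bot_lookup(feed, ts, key))
    return resolved
```

A bot whose clock is off by more than one window computes a hashtag the BotMaster never posted and resolves nothing, silently; bot_lookup tolerates exactly one window of skew, which is the usual trade-off between robustness against jitter and the number of tags an analyst can precompute.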

Page 19

C&C / Components

[Figure: component diagram of the C&C. Crypt (Spritz) with Key; CMD; Request / Response over C&C Transport; Datetime; TGA; H; C; Key.]

Page 20

Bot / C&C Transport / Container

    BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01
    00 01 00 02 00 01 00 05 00 00 00 00 00 04 00 05
    0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF
    00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02
    00 00 00 00 00 04 00 05 0A 20 01 00 00 0C 00 01
    00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
    00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
    00 03 01 ...

Outer layout (the container is disguised as a media file: PNG, JPG, GIF, PDF):

    Media header | Crypted data | Media footer

Inner layout (after decryption):

    Marker | Size of packet | Pickled data
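The container above, built and parsed with the cipher the component diagram names, as an added example that is not the task's code: Spritz follows the Rivest/Schuldt 2014 pseudocode (N = 256), and the plaintext is marker | size of packet | pickled data, wrapped as media header | crypted data | media footer. Assumed for the demo: the 4-byte marker value, a 2-byte big-endian size field, the PNG signature and IEND tail as the media wrapper, an 8-byte IV ahead of the ciphertext, and the shared key.

```python
# Added example (not the task's code): Spritz stream cipher plus a builder and
# parser for the "media | crypted | media" container.  MARKER, the 2-byte size,
# the PNG wrapper, the IV placement and the key are assumptions of the demo.
import io
import pickle
import struct
from math import gcd

N = 256

class Spritz:
    """Spritz sponge (Rivest/Schuldt 2014); every index is taken mod N."""
    def __init__(self):
        self.S = list(range(N))
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1

    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]

    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w = (self.w + 1) % N
        while gcd(self.w, N) != 1:          # w must stay coprime to N
            self.w = (self.w + 1) % N

    def _crush(self):
        S = self.S
        for v in range(N // 2):
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]

    def _shuffle(self):
        for _ in range(2):
            self._whip(2 * N)
            self._crush()
        self._whip(2 * N)
        self.a = 0

    def _absorb_nibble(self, x):
        if self.a == N // 2:
            self._shuffle()
        S = self.S
        S[self.a], S[N // 2 + x] = S[N // 2 + x], S[self.a]
        self.a += 1

    def absorb(self, data):
        for b in data:
            self._absorb_nibble(b & 0x0F)   # low nibble first, then high
            self._absorb_nibble(b >> 4)

    def absorb_stop(self):
        if self.a == N // 2:
            self._shuffle()
        self.a += 1

    def squeeze(self, n):
        if self.a > 0:
            self._shuffle()
        S, out = self.S, bytearray()
        for _ in range(n):                  # Drip(): Update() then Output()
            self._update()
            self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
            out.append(self.z)
        return bytes(out)

def keystream(key, n, iv=None):
    s = Spritz()
    s.absorb(key)
    if iv is not None:                      # AbsorbStop() separates key and IV
        s.absorb_stop()
        s.absorb(iv)
    return s.squeeze(n)

def spritz_encrypt(key, iv, msg):           # Spritz encrypts by byte addition
    return bytes((m + z) & 0xFF for m, z in zip(msg, keystream(key, len(msg), iv)))

def spritz_decrypt(key, iv, ct):
    return bytes((c - z) & 0xFF for c, z in zip(ct, keystream(key, len(ct), iv)))

MARKER = b"\xbc\x3a\xeb\x15"               # assumed packet marker
PNG_HEADER = b"\x89PNG\r\n\x1a\n"          # assumed media wrapper: PNG signature ...
PNG_FOOTER = b"IEND\xae\x42\x60\x82"       # ... and the IEND chunk tail

def build_raw_packet(body, key, iv):
    """marker | size | body, encrypted, wrapped as 'media' (IV assumed in front)."""
    plain = MARKER + struct.pack(">H", len(body)) + body
    return PNG_HEADER + iv + spritz_encrypt(key, iv, plain) + PNG_FOOTER

def build_packet(obj, key, iv):
    return build_raw_packet(pickle.dumps(obj, protocol=2), key, iv)

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global: a pickle that names a callable is a code-execution vector."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def parse_packet(blob, key):
    """Receiver: unwrap, decrypt, check marker and size, then unpickle safely."""
    if not (blob.startswith(PNG_HEADER) and blob.endswith(PNG_FOOTER)):
        raise ValueError("not a wrapped packet")
    inner = blob[len(PNG_HEADER):-len(PNG_FOOTER)]
    iv, ct = inner[:8], inner[8:]
    plain = spritz_decrypt(key, iv, ct)
    if plain[:4] != MARKER:
        raise ValueError("bad marker: wrong key or corrupted packet")
    (size,) = struct.unpack(">H", plain[4:6])
    body = plain[6:6 + size]
    if len(body) != size:
        raise ValueError("truncated packet")
    return RestrictedUnpickler(io.BytesIO(body)).load()
```

Two caveats worth carrying into any re-implementation of the protocol for bot-knocking: a stream cipher under a fixed key and no IV reuses its keystream across packets (hence the AbsorbStop/IV step), and pickle.loads on a decrypted packet is arbitrary code execution for whoever holds the key, which the restricted unpickler refuses by rejecting every global.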

Page 21

Bot / Commands

• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX // Show messagebox
• CMD_GET_PLIST // Get list of processes
• CMD_GET_CNAME // Get name of computer
• CMD_MAKE_LOAD // Load shellcode
• CMD_MAKE_INJ // Inject shellcode into a process

Pages 22-24

Bot / Protection

[Figure: the bot component diagram from page 18 with the protection layers overlaid. Loader = py2exe bootloader; Timer and the Init of each component = Cython (pyx); the component bodies (Crypt (Spritz), CMD, Social network (TGA, Social Transport, Hashtag, C&C addr Tweet), C&C (Datetime, C&C Transport), Key, H, C) run on a Custom Python (py).]

Page 25

Bot / Protection / py2exe sections

PE sections: .text, .data, .rsrc, Overlay (PKZIP)

Contents: PYTHON27.DLL, PYTHONSCRIPT BootLoader, Lib with pyx

Page 26

Bot / Protection / Custom Python

Page 27

Custom Python

• Inspired by Dropbox *
• Anti-Decompilation
  - Bytecode Encryption
  - Bytecode Remapping
• Anti-Dump
  - PyCodeObject modification
  - Disable marshalling
• Execution Prevention
  - Disable PyRun…

* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420

Page 28

Custom Python / Anti-Decompilation / Bytecode Encryption

• marshal.c (w_object(), r_object())
• plain-text: PyCodeObject.co_code
• algorithm: xxtea
• key_128bit = f(random, sizeof(co_code))

Standard marshaled blob (fields: Bytecode version | Timestamp | Type of data | Marshaled bytecode):

    B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
    00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
    00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01

Custom Python marshaled blob (fields: Bytecode version | Timestamp | Type of data | Entropy | Size of encrypted bytecode | Encrypted bytecode):

    B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
    00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
    00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
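The encryption layer of this slide reproduced in Python 3, as an added example rather than the task's patched marshal.c, so that the decryptor side (the "RE -> write decryptor" route of page 34) is visible end to end. Only co_code is encrypted, with XXTEA (Wheeler/Needham corrected block TEA). The slide gives the key only as key_128bit = f(random, sizeof(co_code)); the SHA-256 derivation from a 4-byte entropy field and the length, and the entropy | size | ciphertext record, are assumptions. The guinea-pig function is the a + b - 0x0A, ^ 0x70 example from the Cython slides.

```python
# Added example (not the task's custom interpreter): XXTEA over co_code, the
# "entropy | size | ciphertext" record, and a decryptor that rebuilds a code
# object from it.  The key derivation and the record layout are assumptions.
import hashlib
import os
import struct
import types

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _words(data):
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """XXTEA over little-endian 32-bit words; input zero-padded to >= 2 words."""
    data = (data + b"\0" * ((-len(data)) % 4)).ljust(8, b"\0")
    v, k = _words(data), struct.unpack("<4I", key)
    n = len(v)
    s, z = 0, v[n - 1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    v, k = _words(data), struct.unpack("<4I", key)
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[(p - 1) % n]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        s = (s - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)


def derive_key(entropy: bytes, size: int) -> bytes:
    """Hypothetical stand-in for the slide's key_128bit = f(random, sizeof(co_code))."""
    return hashlib.sha256(entropy + struct.pack("<I", size)).digest()[:16]


def protect_code(code: types.CodeType, entropy: bytes = None) -> bytes:
    """'Custom marshal' side: entropy | size of co_code | XXTEA(co_code)."""
    entropy = entropy or os.urandom(4)
    size = len(code.co_code)
    return entropy + struct.pack("<I", size) + xxtea_encrypt(code.co_code, derive_key(entropy, size))


def recover_code(blob: bytes, template: types.CodeType) -> types.CodeType:
    """Decryptor side: parse the record, recover co_code, rebuild the code object.

    `template` supplies the fields the custom marshal leaves in the clear
    (consts, names, varnames, ...), as on the slide; only co_code is replaced."""
    entropy, (size,) = blob[:4], struct.unpack("<I", blob[4:8])
    co_code = xxtea_decrypt(blob[8:], derive_key(entropy, size))[:size]
    return template.replace(co_code=co_code)


def sample(a, b):            # the slides' own example function, used as the guinea pig
    c = a + b - 0x0A
    return c ^ 0x70


def run_protected(blob: bytes, template: types.CodeType, *args):
    """Run a protected record the way the patched interpreter would after decrypting it."""
    return types.FunctionType(recover_code(blob, template), globals())(*args)
```

Because everything except co_code stays in the clear, a dumped custom blob already tells the analyst the constants, names and argument counts; once the key schedule is reversed, a decryptor like recover_code is all that stands between the blob and a stock decompiler.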

Page 29

Custom Python / Anti-Decompilation / Bytecode Remapping

• opcode.h
• random opcode mixing

Stock opcode.h:

    #define STOP_CODE 0
    #define POP_TOP 1
    #define ROT_TWO 2
    #define ROT_THREE 3
    #define DUP_TOP 4
    #define ROT_FOUR 5
    #define NOP 9

Remapped opcode.h (same numbers, different opcodes):

    #define BINARY_POWER 0
    #define PRINT_ITEM 1
    #define INPLACE_OR 2
    #define DUP_TOP 3
    #define GET_ITER 4
    #define BINARY_MULTIPLY 5
    #define BINARY_XOR 9

Page 30

Custom Python / Anti-Dump / PyCodeObject modification

• code.h
• Prevents the use of another (stock) Python implementation on the dumped objects

Modified layout. Stock CPython 2.7 declares co_code right after co_flags; in this excerpt it has been moved after co_cellvars, so any tool that assumes the stock offset reads the wrong field:

    /* Bytecode object */
    typedef struct {
        PyObject_HEAD
        int co_argcount;        /* #arguments, except *args */
        int co_nlocals;         /* #local variables */
        int co_stacksize;       /* #entries needed for evaluation stack */
        int co_flags;           /* CO_..., see below */
        PyObject *co_consts;    /* list (constants used) */
        PyObject *co_names;     /* list of strings (names used) */
        PyObject *co_varnames;  /* tuple of strings (local variable names) */
        PyObject *co_freevars;  /* tuple of strings (free variable names) */
        PyObject *co_cellvars;  /* tuple of strings (cell variable names) */
        PyObject *co_code;      /* instruction opcodes */
    } PyCodeObject;

Page 31

Custom Python / Anti-Dump / Disable Marshalling

• marshal.c : w_object()
• PyMarshal_WriteObjectToFile() --> w_object()

Page 32

Custom Python / Execution Prevention

• pythonrun.c
• Patched to do nothing:
  - PyRun_FileExFlags
  - PyRun_SimpleFileExFlags
  - PyRun_AnyFileExFlags
  - PyRun_InteractiveLoopFlags
• Unpatched:
  - PyRun_SimpleString

Page 33

Bot / Protection / Custom Python / Bypass

Page 34

Custom Python / Bypass / Bytecode Encryption

• RE -> write decryptor
  OR
• Bypass anti-dump

[Figure: the two marshaled blobs from page 28 side by side, Standard Python vs Custom Python.]

Page 35

Custom Python / Bypass / Enable Marshalling

• Grab a marshalling implementation from elsewhere (e.g. PyPy)
• Look for the real offset of the co_code field

Page 36

Custom Python / Bypass / Opcode unmapping

• Differential analysis
• Generate two "pyc" file sets
• Find the opcode mapping
• Unmap the opcodes
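Pages 29 and 36 together, as an added example that is not the task authors' tooling: the opcode shuffle of page 29 is simulated by permuting the opcode byte of every instruction of bytecode from the running interpreter, and the differential analysis of page 36 recovers that permutation by compiling the same sources with the stock compiler and pairing the two byte streams position by position. Assumed: the seed, the sample sources, and CPython's 2-byte instruction layout (3.6 and later), in which the opcode byte sits at even offsets.

```python
# Added example (not the task's tooling): simulate a shuffled opcode.h and
# recover the mapping by differential analysis of two compiled sets.
# The seed, the sample sources and the 2-byte instruction layout are assumptions.
import random
import types


def random_opcode_map(seed: int) -> list:
    """A bijection on opcode numbers, standing in for a shuffled opcode.h."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


def remap_bytecode(co_code: bytes, table) -> bytes:
    """Rewrite the opcode byte (even offsets) of each 2-byte instruction."""
    out = bytearray(co_code)
    for off in range(0, len(out), 2):
        out[off] = table[out[off]]
    return bytes(out)


def code_objects(code: types.CodeType):
    """Yield a code object and every nested one (functions, lambdas, ...)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from code_objects(const)


def compile_set(sources):
    """Stock compiler: the 'standard pyc set', one co_code blob per code object."""
    return [co.co_code for src in sources
            for co in code_objects(compile(src, "<sample>", "exec"))]


def recover_mapping(standard, custom) -> dict:
    """Differential analysis: pair opcode bytes found at the same offsets."""
    mapping = {}
    for std, cus in zip(standard, custom):
        if len(std) != len(cus):
            raise ValueError("code sets do not line up; same sources?")
        for off in range(0, len(std), 2):
            known = mapping.setdefault(cus[off], std[off])
            if known != std[off]:
                raise ValueError(f"opcode {cus[off]} maps to both {known} and {std[off]}")
    return mapping


def unmap_bytecode(custom_code: bytes, mapping: dict) -> bytes:
    """Translate custom bytecode back; refuse to guess an opcode never observed."""
    out = bytearray(custom_code)
    for off in range(0, len(out), 2):
        if out[off] not in mapping:
            raise KeyError(f"custom opcode {out[off]} never seen in the training set")
        out[off] = mapping[out[off]]
    return bytes(out)


TRAINING = [                 # constructed sample sources for the two "pyc" sets
    "x = [i * 2 for i in range(10) if i % 3]\nprint(sum(x))\n",
    "def f(a, b):\n    c = a + b - 0x0A\n    return c ^ 0x70\n",
    "def h(n):\n    out = []\n    for i in range(n):\n        if i % 2:\n"
    "            out.append(i ^ 1)\n    return out\n",
    "def k(m):\n    return [j ^ 0x0F for j in range(m) if j % 3]\n",
    "import os\ntry:\n    y = os.getcwd()\nexcept OSError as e:\n    y = None\n",
]
HELD_OUT = ("def g(n):\n    s = 0\n    for v in [i ^ 0x70 for i in range(n) if i % 2]:\n"
            "        s = s + v\n    return s\n")


def demo(seed: int = 1337):
    """Learn the permutation from TRAINING, then unmap a file it never saw."""
    table = random_opcode_map(seed)
    standard = compile_set(TRAINING)
    custom = [remap_bytecode(b, table) for b in standard]   # what the custom build emits
    mapping = recover_mapping(standard, custom)
    target = compile_set([HELD_OUT])
    recovered = [unmap_bytecode(remap_bytecode(b, table), mapping) for b in target]
    return mapping, recovered == target
```

The recovered table only covers opcodes present in the training sources, which is why unmap_bytecode refuses an unknown opcode instead of guessing: the fix is to add sources that exercise it, not to extrapolate. Against the real custom build the "custom" set comes from running its compiler over the same sources, and the marshal format has to be handled first (pages 31 and 35), but the pairing step is the same.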

Page 37

Bot / Protection / Cython

Page 38

Cython (c-api)

    def function(a, b):
        c = a + b - 0x0A
        return c ^ 0x70

    PyObject *__pyx_f_4temp_function(PyObject *va, PyObject *vb) {
        PyObject *vl1, *vl2, *vl3;               /* all three are object pointers */
        __Pyx_RefNannySetupContext("function", 0);
        vl1 = PyNumber_Add(va, vb);              /* a + b */
        vl2 = PyNumber_Subtract(vl1, vg_int_10); /* - 0x0A (vg_int_10: module-level int 10) */
        vl3 = PyNumber_Xor(vl2, vg_int_112);     /* ^ 0x70 (vg_int_112: module-level int 112) */
        __Pyx_RefNannyFinishContext();
        return vl3;   /* the NULL checks and Py_DECREFs Cython also emits are elided on the slide */
    }

Page 39

Cython (Pure C)

    cdef long function(long a, long b):
        c = a + b - 0x0A
        return c ^ 0x70

    long __pyx_f_4temp_function(long va, long vb) {
        long vl1, vl2;
        __Pyx_RefNannySetupContext("function", 0);
        vl1 = (va + vb) - 0x0A;   /* plain C arithmetic, no Python API calls at all */
        vl2 = vl1 ^ 0x70;
        __Pyx_RefNannyFinishContext();
        return vl2;
    }

Page 40

Bot / Protection / Cython / Solving

Page 41

Cython / Solving / Localization

Python < 3:
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit:
  - Py_InitModule4
  - PyImport_AddModule to __builtin__
  - __Pyx_InitGlobals
  - __Pyx_InitStrings -> __Pyx_StringTabEntry
  - PyImport_GetModuleDict
  - PyDict_SetItemString

Python >= 3:
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit:
  - PyModule_Create
  - PyImport_AddModule to builtins
  - __Pyx_InitGlobals
  - __Pyx_InitStrings -> __Pyx_StringTabEntry
  - PyImport_GetModuleDict
  - PyDict_SetItemString
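The py2exe layout of page 25 and the Cython markers of page 41, handled by one added example (not the task authors' tooling): it parses the PE section table to find where the PKZIP overlay starts, lists the members, and flags the ones carrying the __Pyx_* strings from page 41, which is how a pyx-compiled module is told apart from a plain extension before its module init is localized. The PE built here is a constructed sample with only the header fields the carver reads, and the member names are assumptions, not the task binary's.

```python
# Added example (not the task's tooling): carve the py2exe overlay and flag
# Cython-built members by their __Pyx_* strings.  The fake PE and the member
# names are constructed samples.
import io
import struct
import zipfile

CYTHON_MARKERS = [b"__Pyx_AddTraceback", b"__Pyx_MODULE_NAME", b"__Pyx_NAMESTR",
                  b"__Pyx_InitGlobals", b"__Pyx_InitStrings"]


def overlay_offset(pe: bytes) -> int:
    """End of the last section's raw data is where the overlay starts."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sect = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = 0
    for n in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect + n * 40)
        end = max(end, rawptr + rawsize)
    return end


def cython_markers_in(blob: bytes):
    return [m.decode() for m in CYTHON_MARKERS if m in blob]


def inspect_py2exe(pe: bytes) -> dict:
    """Carve the overlay, list the zip members, flag the Cython-built ones."""
    off = overlay_offset(pe)
    overlay = pe[off:]
    if not overlay.startswith(b"PK\x03\x04"):
        raise ValueError("overlay at 0x%x is not a PKZIP archive" % off)
    report = {"overlay_offset": off, "members": {}}
    with zipfile.ZipFile(io.BytesIO(overlay)) as zf:
        for name in zf.namelist():
            report["members"][name] = cython_markers_in(zf.read(name))
    return report


def build_fake_py2exe_pe(overlay: bytes) -> bytes:
    """Constructed sample: MZ/PE headers, .text/.data/.rsrc, then the overlay."""
    e_lfanew, opt_size = 0x80, 0xE0          # PE32 optional header size
    sections = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x100), (b".rsrc", 0x500, 0x100)]
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)   # PE32 magic
    for n, (name, rawptr, rawsize) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, e_lfanew + 24 + opt_size + n * 40,
                         name, rawsize, rawptr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img) + overlay


def build_sample_overlay() -> bytes:
    """Constructed overlay with the kinds of members page 25 lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PYTHON27.DLL", b"MZ" + b"\0" * 64)                         # stand-in
        zf.writestr("PYTHONSCRIPT", b"import bot; bot.main()\n")                 # bootloader
        zf.writestr("bot/init.pyd", b"MZ" + b"\0" * 16 + b"__Pyx_AddTraceback\0__Pyx_InitGlobals\0")
        zf.writestr("bot/helper.pyd", b"MZ" + b"\0" * 16 + b"inithelper\0")      # plain extension
    return buf.getvalue()
```

On a real sample the members flagged by cython_markers_in are the ones to open in a disassembler, starting from the string references to __Pyx_MODULE_NAME and the Py_InitModule4 / PyModule_Create call that page 41 lists, since the module init is where the __Pyx_StringTabEntry table and the global constants are set up.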

Page 42

PoS terminal

Page 43

PoS terminal in action

Page 44

Service monitor

Re-launches the bot and the PoS processes every 5 minutes

Page 45

Job restriction

• Restricted token
• Trimmed privileges
• Memory peak limit
• Low integrity
• 2 processes only

Page 46

Shell storage

• The service also grabs all injected shellcodes
• pos_1 / 75 shellcodes
• pos_2 / 59 shellcodes

Page 47

Shellcode, first attempt

Tries to download a meterpreter shell from the C&C and spawn it

Page 48

Shellcode of the winner

Sends 2 GB of the DSec VM's memory to the C&C :D

Page 49

Hints (over 4 days)

• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends on a correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …

Page 50

Questions?

Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky