Starting in Exploit Writing – Day 06

Time for tutorial 6 (yeah I skipped #5, as I got the gist of it). After 6 days, I really got the hang of buffer overflows… too bad they aren’t much in use anymore, but everyone has to start somewhere. So below is EIP and SEH being overflowed with 0x0041, indicating that our “A”s were translated to Unicode characters.

Buffer Overflow in Trilogic Player
EIP is being overflowed by 0x0041, indicating a buffer overflow with Unicode characters

Mona locates the Metasploit pattern overwriting SEH at 536. So our payload will be something like

And everything falls in place;

Overwriting nSEH and SEH in Trilogic
Both nSEH and SEH are overwritten with the expected values.

This is where it gets tricky. When following the tutorial, I was never able to see that EIP contained 0x00440044. It actually contained 0x00440045 after moving past the Access Violation exception. I can clearly see that SEH has been overwritten with 0x00420042 and 0x00430043. Fortunately, according to one comment, I’m not the only one. When I tried to put 534 bytes of junk rather than 536, I ended up with 0x0042004D in EIP (difference of 8). I don’t get why it does that.

At least I’m confident I understand the concepts, but that’s pretty much useless if I cannot put it into practice. For this example, mona can find POP-POP-RET addresses that will work when translated to Unicode. From my understanding, [nSEH] will be useless in a Unicode-based exploit, simply because there’s no easy way to have a jump matching Unicode encoding. As such, we’ll need to jump to a register which contains an address close to our shell code and either 1) make sure no instruction between the address and shell code will break the exploit or 2) modify the register (add/sub) to have it jump into a NOP slide to our shell code… and then we have to figure out the shell code, but from what I read, talented people have already taken care of this for us.

Useful sites (a.k.a shit I need to read):

  1. http://ref.x86asm.net/coder32.html
  2. http://www.blackhat.com/presentations/win-usa-04/bh-win-04-fx.pdf
  3. https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

Starting in Exploit Writing – Day 05

Today we’ll be studying “egg hunters” as in part 4 of the FuzzySecurity tutorials. Basically this technique is useful when the buffer remaining for your shell code is too small to do anything useful. So far we’ve been lucky and we had huge buffers to inject the shell code, but sometimes, you may be left with a couple of bytes only. With an “egg hunter”, instead of storing your shell code, you store a small function that will look for “magic bytes” in memory. Your shell code is stored somewhere else in executable memory and tagged with these “magic bytes” so that your egg hunter finds it and executes it. Pretty straightforward.

Exploiting Kolibri Web Server

So my goal today was to test out the egg hunter example from the tutorial. However I got cocky and tried to exploit the web server by smashing SEH rather than a normal buffer overflow. Everything went fine until I had to call the address containing the POP-POP-RET.

SEH Exploitation of the Kolibri Web Server
Exploitation of Kolibri Web Server using the SEH Technique

The problem I’m running into is when looking for a “POP POP RET”, all the results are within Kolibri.exe, and all addresses start with a null byte, i.e. “\x08\x89\x51\x00”. That means our payload will terminate at the null byte. I thought this wouldn’t be much of a problem, since [SEH] is an address anyway, the only difficulty would be that I may have to put the payload in the buffer prior to the [nSEH], and have a short jmp into the buffer placed into the [nSEH]. Now for some reason, it seems that SEH catches the exception, but never jumps to my POP-POP-RET address; it just terminates the program.

Pop-Pop-Ret Instructions from Kolibri Web Server
All the Pop-pop-ret instructions are located in Kolibri.exe and contain a null byte.

So I got stuck here for today. More to follow tomorrow.

Sending mail directly using SMTP

Since this is another thing I keep forgetting, I’ll just note it here. To send emails by connecting directly to the SMTP port of a mail server with telnet, use these commands:

  1. telnet open.mailserver.com 25
  2. HELO domain.com
  3. MAIL FROM: whatever@domain.com
  4. RCPT TO: target@localhost.com
  5. DATA
  6. Subject:
  7. Cc:
  8. Reply-To:
  9. <message>
  10. MIME-Version: 1.0
  11. Content-Type: <content>; boundary="<boundary>"
  12. Base64 encoded attachment
  13. <CR-LF>.<CR-LF>
  14. Quit
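
The same session built offline with Python's standard `email` package, as an added example (not the author's script). It shows where the MIME headers and the base64 attachment end up in the DATA section and how lines starting with a dot are escaped before the final `<CR-LF>.<CR-LF>`. The addresses, host name and function names are constructed placeholders.

```python
import base64
from email import policy
from email.message import EmailMessage


def build_message(sender, rcpt, subject, body, attachment, filename,
                  cc=None, reply_to=None):
    """Build a multipart message: text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    if cc:
        msg["Cc"] = cc
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)  # also adds "MIME-Version: 1.0" to the header block
    # Turns the message into multipart/mixed with a generated boundary and
    # base64-encodes the attachment bytes.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def dot_stuff(data):
    """RFC 5321 4.5.2: a DATA line starting with '.' gets one extra '.'."""
    lines = data.split(b"\r\n")
    return b"\r\n".join(b"." + l if l.startswith(b".") else l for l in lines)


def smtp_dialogue(helo_name, sender, rcpt, msg):
    """Return the client side of the session, one CRLF-terminated item per send."""
    data = dot_stuff(msg.as_bytes(policy=policy.SMTP))  # CRLF line endings
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return [
        b"HELO " + helo_name.encode("ascii") + b"\r\n",
        b"MAIL FROM:<" + sender.encode("ascii") + b">\r\n",
        b"RCPT TO:<" + rcpt.encode("ascii") + b">\r\n",
        b"DATA\r\n",
        data + b".\r\n",  # headers, blank line, MIME parts, then <CRLF>.<CRLF>
        b"QUIT\r\n",
    ]


def demo():
    """Constructed sample input; nothing is sent over the network."""
    msg = build_message(
        "sender@example.org", "rcpt@example.net", "Weekly report",
        "See attached report.\n.This line starts with a dot.\n",
        b"constructed attachment bytes\n", "report.bin",
        cc="team@example.org", reply_to="noreply@example.org")
    return smtp_dialogue("client.example.org", "sender@example.org",
                         "rcpt@example.net", msg)


if __name__ == "__main__":
    for step in demo():
        print(step.decode("ascii"), end="")
```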

Since I’ll likely forget again, I’ve scripted some Python for it:

Starting in Exploit Development – Day 04

Today, instead of following the FuzzySecurity tutorial, I’ve decided to solidify what I have learned so far by exploiting another FTP Server, this way we won’t yet stray far from the tutorial. We’ll exploit the PCMAN FTP 2.07 server.

The exploit is a buffer overflow in about any command sent to the FTP server. We’ll attempt to exploit the STOR command. To do so, we basically reconstruct the Python script we’ve used in day 1:

Note that we are using a buffer of 3000 bytes. I’ve first attempted a payload size of 2000, but it failed to crash the server. At 3000, it was successful as you can see below:

Buffer Overflow in PCMAN FTP 2.07
We successfully smashed EIP with a payload of 3000 bytes in the STOR command.

Let’s replace our payload by a Metasploit pattern to find the offsets using !mona findmsp:

Mona showing at which offset EIP is overwritten
Mona found that EIP is being overwritten at offset 2006

Also interesting is that SEH is not being overwritten here, so we cannot use the technique learned yesterday. The offset found, we can now start shaping our payload:

And we’ll test it to confirm everything is going smoothly:

EIP overwritten with "B"s
Our payload works, now we simply have to put the addresses and shell code needed

Ah ! Perfecto ! Now let’s figure out an address we can use to jump at [ESP]. We’ll do this using !mona jmp -r esp:

Search results for "jmp esp" in PCMAN 2.07
Search results for “jmp esp” instructions in memory for PCMAN FTP Server 2.07

Ideally, I would have liked to find a “jmp esp” within the application itself, but all of them contained invalid bytes, so I’ll just use one from the Windows DLLs:

We’ll use the same payload as before, i.e. the windows\shell_bind_tcp as we are only interested in training purposes, so our final code will look like this:

And voila! I sometimes run into issues when running the shell code on the target machine and it seems due to bad bytes in the shell, so this is something I’ll need to check out, i.e. how to determine which bytes should be avoided in the shell code. I usually fix it by regenerating a new payload in Metasploit. In any case, we have our shell:

Listening on port 4444
The exploit bound a shell on port 4444
Remote Shell from Exploiting PCMAN FTP 2.07
We successfully opened a remote shell from the exploit in PCMAN FTP 2.07

All right, so now, we should be able to exploit basic buffer overflows from any simple program. Let’s move on…

Starting in Exploit Development – Day 03

Today I’ve followed part 3 of the FuzzySecurity tutorial, which went pretty smoothly now that all the VMs and software have been set up and fixed. In the end, I was successful in binding a shell to a port. Yet, I had the feeling that I often have when learning by tutorial: it works now, but would I actually be able to replicate this while exploiting another application? And what really happened? I mean I have loaded my shell code, but yet, I don’t have a clear understanding of what SEH really is. So after completing the tutorial, I actually took time to try to figure out what exactly happened.

The Structured Exception Handler (SEH)

The SEH is a Windows native mechanism to handle both hardware and software exceptions in Windows at both kernel and user spaces. So when the normal flow of an application is interrupted, the SEH comes in to handle the management of the interruption. Basically, this is the native component of Windows which triggers the try…catch… statement you use in your programs. So how does SEH work?

SEH3 Stack Layout
The overall layout of the SEH in the stack (by Igor Skochinsky – 2006)

As depicted above, the SEH is a linked list in memory, in which each node contains 2 pointers: one pointer to the next node in the list and one pointer to the function that handles this specific exception. There is a node for each exception handled by the current function. These nodes are basically all your “catch (FileNotFoundException)…catch(NullPointerException)” etc. Each node of the linked list stores the pointer to the Structured Exception Handler and a pointer to the next Structured Exception Handler. The root node, the default exception handler, is actually stored in the stack. So in this tutorial, when we smash the stack, we gain control of those 2 pointers, which we will use to jump to our shell code.

So in this case, what is happening is that we smash the stack with “A”s, overwriting EIP with an invalid pointer (0x41414141). Since this is not a valid value, an “Illegal Instruction”/”Access Violation” exception is thrown and thus triggers the SEH handler code. This means the code pointed by the “SEH Handler” [SEH] part of the stack will be called, which is actually a call to the next node in the SEH linked list.

By writing an address pointing to “POP POP RET” instructions at [SEH] and having them executed, we will load the stack address of [nSEH] into EIP and as such, execute the op code at [nSEH]. So if we insert a short JMP to the address of our shell code (0xEB06 [shellcode]) at the address pointed by [nSEH], we’re done.

This technique won’t work with SafeSEH and SEHOP.
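
Why SEHOP stops this, shown as an added example (a simplified Python model, not Windows code and not from the tutorial): before dispatching an exception the OS walks the linked list described above and refuses to call any handler unless the chain is made of aligned stack records and ends at a known final handler. All addresses except the two values quoted from this post (0xEB06 plus padding for [nSEH], 0x640345e7 for [SEH]) are constructed; SafeSEH is not modelled.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF
# Constructed addresses for the model, not taken from a real process.
STACK_LOW, STACK_SIZE = 0x0012E000, 0x2000
APP_HANDLER = 0x00401500      # handler registered by the application
FINAL_HANDLER = 0x77001000    # stand-in for the OS's final handler


class Stack:
    """Byte-addressable model of one thread's stack."""

    def __init__(self, low=STACK_LOW, size=STACK_SIZE):
        self.low, self.mem = low, bytearray(size)

    def contains(self, addr, length=1):
        return self.low <= addr and addr + length <= self.low + len(self.mem)

    def write(self, addr, data):
        off = addr - self.low
        self.mem[off:off + len(data)] = data

    def record(self, addr):
        """Return (next, handler) of the 8-byte SEH record stored at addr."""
        return struct.unpack_from("<II", self.mem, addr - self.low)


def push_record(stack, addr, nxt, handler):
    stack.write(addr, struct.pack("<II", nxt, handler))


def validate_chain(stack, head, final_handler=FINAL_HANDLER, max_records=64):
    """SEHOP-style walk: returns (ok, reason) without calling any handler."""
    addr = head
    for _ in range(max_records):
        if addr % 4 or not stack.contains(addr, 8):
            return False, "record pointer 0x%08x is not an aligned stack address" % addr
        nxt, handler = stack.record(addr)
        if stack.contains(handler):
            return False, "handler 0x%08x points into the stack" % handler
        if nxt == END_OF_CHAIN:
            if handler == final_handler:
                return True, "chain ends at the final handler"
            return False, "last record is not the final handler"
        addr = nxt
    return False, "chain too long or looping"


def build_intact_chain():
    """Three records: two application handlers, then the final handler."""
    stack = Stack()
    head, middle, last = 0x0012FF00, 0x0012FF60, 0x0012FFE0
    push_record(stack, last, END_OF_CHAIN, FINAL_HANDLER)
    push_record(stack, middle, last, APP_HANDLER)
    push_record(stack, head, middle, APP_HANDLER)
    return stack, head


def build_overwritten_chain():
    """Same chain after the first record is overwritten as described above."""
    stack, head = build_intact_chain()
    # [nSEH] = eb 06 90 90, [SEH] = 0x640345e7 (both values from this post).
    stack.write(head, b"\xeb\x06\x90\x90" + struct.pack("<I", 0x640345E7))
    return stack, head


if __name__ == "__main__":
    print(validate_chain(*build_intact_chain()))
    print(validate_chain(*build_overwritten_chain()))
```

The overwritten record's "next" field reads back as 0x909006EB, which is not a stack address, so the walk fails before the handler pointer is ever used.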

Moving on with Exploiting DVDX Player

You should have no issue generating the Playlist file to overflow the EIP register and trigger an exception.

Crashing EIP of DVDX Player
Crashing DVDX Player by overflowing EIP with a specially crafted playlist

Then by replacing the long string of “A” by a Metasploit pattern and !mona findmsp, we can find the offsets, as in past tutorials:

Offsets calculated by Mona when exploiting DVDX Player
Mona located the Metasploit pattern overwriting the SEH record at 608 bytes and 1384 bytes for our payload

Since we’re interested in exploiting SEH in this tutorial, we’re interested in the offset at which the SEH is being overwritten by the Metasploit pattern. In this case, it’s overwritten at 608 bytes and we have 1384 bytes of buffer for our shell code. That means that the nSEH is at 608 bytes and SEH at 612: “A”*608 + [nSEH] + [SEH] + [Shellcode].

To link with what we’ve read in the first section, here is what happens: Our string of 608 “A” will crash the EIP and cause an exception, jumping directly to the contents of [SEH]. [SEH] must contain an address. [SEH] is located at [ESP]+8 at execution. Remember that the ESP is an indirect pointer to the top of the stack, and the stack grows downwards. By POPping two times and returning, we will load the stack address of [nSEH] into the EIP and execute whatever instruction at this address. To be perfectly honest, I’ll need to further understand this part….

Accordingly, we will look in memory for a “POP POP RET” combination using “!mona seh“. Mona will return quite a few results. We will prefer results located in DLLs owned by DVDX Player, since they are OS-independent.

Using Mona to locate POP-POP-RET to defeat SEH
Mona returns multiple POP-POP-RET combinations to defeat SEH.

We’ve picked up 0x640345e7 (“\xe7\x45\x03\x64”) since it’s located within DVDX Player and contains no invalid bytes. We now got the [SEH] part of our payload:

Now for [nSEH], we’ll need to put a “jmp [offset]” instruction in it. Our shell code begins right after the [SEH] (4 bytes) and our jmp instruction is 2 bytes. The short jump op code is 0xEB, followed by the number of bytes to jump from EIP, i.e. 6 bytes. So the instruction to insert at [nSEH] is “\xeb\x06\x90\x90”:

All that is left is the shellcode, which is a quick NOP slide and a shell bind. Done! Excited, I plug the payload into DVDX Player and fail miserably to have the shell code executed. I used the same shell code as the previous tutorial in an attempt to minimize the number of things that can go wrong. By doing so, everything went wrong. Well not exactly everything, but the previous shell code had byte “0x1A” in it, which created an additional READ exception in the code once the shell code loaded. So I regenerated the code without bytes 0x00, 0x0A, 0x0D and 0x1A and everything went perfect. Or almost. When running the shell code, Windows asked me to unblock port 4444 to listen to inbound connections. I guess using a reverse shell or a “download and execute” is quieter…

Windows Asking to Unblock DVDX Player
Using a shell_bind_tcp payload will result in Windows asking you to unblock the application you are exploiting.

I wonder if anything I wrote made any sense since I’ve been so focused on this exploit today. The ASCII diagram from FuzzySecurity summarizes the principle well enough:

Summary of the SEH Exploitation Technique
Summary of the SEH Exploitation Technique from FuzzySecurity (c) b33f
Well enough for today, my frontal lobe is overheating. More tomorrow…

[1] “Structured Exception Handling.” Windows Dev Center. http://msdn.microsoft.com/en-us/library/windows/desktop/ms680657(v=vs.85).aspx (accessed March 15, 2014).

[2] Skochinsky, Igor. “Reversing Microsoft Visual C++ Part I: Exception Handling.” OpenRCE. http://www.openrce.org/articles/full_view/21 (accessed March 15, 2014).

[3] Mariani, Brian. “Structured Exception Handler Exploitation.” Exploit-db. http://www.exploit-db.com/wp-content/themes/exploit/docs/17505.pdf (accessed March 15, 2014).

Phusking PhotoBucket and Other Pictures Sharing Sites

Fusking picture sharing sites in order to retrieve pictures from private album.

It came to me while I was reading an article on Slashdot about sites popping up, offering the customer to hack into a Facebook, MySpace or other social site for 75$ to 100$. EWeek has a similar article[1]. Seems like those sites mostly use social engineering by sending grammatically deficient e-mails to the victim, which somehow still works most of the time. Most of the time, the goal is to get access to private pictures or information. Hacking Facebook and MySpace accounts is the new “How do I hack Hotmail accounts” of the decade. Just search Google for “facebook hacking service” and plenty of websites will be returned.

Same thing with pictures from services like PhotoBucket or Flickr and such. Getting pictures from private albums is much easier though and is done through fusking. The goal is simply to directly access pictures from the private album by guessing the filename of the picture.

As you might know, most cameras have a default naming convention, i.e. DSC0001.jpg, Picture0001.jpg etc. (see the end of this article for a complete list) and humans, being lazy as they are, don’t bother renaming them. Since I believe that an example is a better way to learn than 30 pages of detailed explanation, here is how it’s done.

Let’s create an account on PhotoBucket first. I used a username I always take everywhere, but it seems that Photobucket didn’t like it:

PhotoBucket New Account Error
PhotoBucket didn't like me the first time...

Anyway, just deleting the Photobucket cookie solved the problem. Registered using brand new data. Small tip: if you are looking for a zip code, try this page: Find A Zip, it has about every zip code for every town in the US (I haven’t verified but looks like it…).

Once in, I created a private album and put two pictures in it; one I renamed and the other I left with a camera default filename.

PhotoBucket Private Album Creation
Private album I created in Photobucket

I named one of those pictures DSC0005.jpg and the other an uncommon name:

PhotoBucket Private Pictures
Private pictures I put into my private album

The URL of my private album is

http://s991.photobucket.com/albums/af33/Cheetah897/Real%20Private%20Album/

The filename is

DSC0005.jpg

So just to try out the concept, I signed out and looked to see if, with the album’s URL and the filename, I could access the picture. Oh! Look at that:

PhotoBucket Private Picture Direct Link
Accessing a private picture through a direct link

So you should be able to guess the rest from here. Nevertheless, there are tools out there to even do the guessing work for you. The one I will use is PHUSK. It’s especially done for PhotoBucket and is for Windows. This shouldn’t be hard to program for another website and another platform.

PHUSK 1.5 Main Window

There is really not much to explain, just type the username of the victim and set up any properties you want (which are pretty much self-explanatory). On the first try, it didn’t find any private album, so I had to specify it by selecting “advanced mode”, which shows this window:

PHUSK 1.5 Advanced Mode Windows

Select “Add Album”, type the album name and then it will appear in the list of albums (which is ordered).

PHUSK 1.5 Add Album Name
PHUSK 1.5 Added Album Name in the List

Started PHUSK again and this time it found the private album, it will then try to brute force filenames, which might take a while.

PHUSK 1.5 Result Window
My private picture with a default filename has been found !

I changed the default lists to make it faster, otherwise it might take a long time (411 album names X 439 filenames X ~9999 file numbers each…).

Here is a list of filenames used by PHUSK. This can be used to build your own list.

###.jpg Unknown-#.jpg Me.jpg
##.jpg Untitled-###.jpg ME.jpg
#.jpg Untitled-##.jpg mygirls.jpg
Picture###.jpg Untitled-#.jpg Mygirls.jpg
Picture##.jpg untitled-###.jpg MYGIRLS.jpg
Picture#.jpg untitled-##.jpg fine.jpg
Photo###.jpg untitled-#.jpg Fine.jpg
Photo##.jpg stuff###.jpg FINE.jpg
Photo#.jpg stuff##.jpg sexy.jpg
#####.jpg stuff#.jpg Sexy.jpg
####.jpg Stuff###.jpg SEXY.jpg
CIMG####.jpg Stuff##.jpg hot.jpg
CIMG####.JPG Stuff#.jpg Hot.jpg
DSCN####.jpg stuff-###.jpg HOT.jpg
PICT####.jpg stuff-##.jpg hott.jpg
DSC_####.jpg stuff-#.jpg Hott.jpg
DSC0####.jpg mycamerapics###.jpg HOTT.jpg
Image###.jpg mycamerapics##.jpg really.jpg
Image##.jpg mycamerapics#.jpg Really.jpg
Image##.JPG mypics###.jpg REALLY.jpg
Image#.jpg mypics##.jpg ass.jpg
PICT####.JPG mypics#.jpg Ass.jpg
IMG_####.jpg Misc-###.jpg ASS.jpg
_MG_####.jpg Misc-##.jpg bad.jpg
000_####.jpg Misc-#.jpg Bad.jpg
001_####.jpg misc###.jpg BAD.jpg
100_####.jpg misc##.jpg face.jpg
100-####.jpg misc#.jpg Face.jpg
100-####_IMG.jpg misc-new###.jpg FACE.jpg
101_####.jpg misc-new##.jpg page.jpg
101-####.jpg misc-new#.jpg Page.jpg
101-####_IMG.jpg New###.jpg PAGE.jpg
102_####.jpg New##.jpg tits.jpg
102-####.jpg New#.jpg Tits.jpg
102-####_IMG.jpg New-###.jpg TITS.jpg
103-####.jpg New-##.jpg boobs.jpg
103_####.jpg New-#.jpg Boobs.jpg
0##########.jpg new###.jpg BOOBS.jpg
1##########.jpg new##.jpg breasts.jpg
0########.jpg new#.jpg Breasts.jpg
1########.jpg new-###.jpg BREASTS.jpg
########.jpg new-##.jpg naughty.jpg
#######.jpg new-#.jpg Naughty.jpg
######.jpg Old###.jpg NAUGHTY.jpg
Cimg####.jpg Old##.jpg smile.jpg
DCAM####.jpg Old#.jpg Smile.jpg
DC####S.jpg old###.jpg SMILE.jpg
DCFN####.jpg old##.jpg light.jpg
DCP_####.jpg old#.jpg Light.jpg
DCP0####.jpg nude###.jpg LIGHT.jpg
dsc#####.jpg nude##.jpg kiss.jpg
DSC#####.jpg nude#.jpg Kiss.jpg
DSC####.jpg Nude###.jpg KISS.jpg
dsc0####.jpg Nude##.jpg kisses.jpg
DSCF####.jpg Nude#.jpg Kisses.jpg
DSCF####.JPG Sexy###.jpg KISSES.jpg
dscf####.jpg Sexy##.jpg muah.jpg
DSCI####.jpg Sexy#.jpg Muah.jpg
DSCI####.JPG sexy###.jpg MUAH.jpg
dscn####.jpg sexy##.jpg mwah.jpg
EX00####.jpg sexy#.jpg Mwah.jpg
HPIM####.jpg sexxy###.jpg MWAH.jpg
IM00####.jpg sexxy##.jpg drunk.jpg
IMAG####.jpg sexxy#.jpg Drunk.jpg
IMAGE_####.jpg pictures###.jpg DRUNK.jpg
IMAGE####.jpg pictures##.jpg drunken.jpg
IMG0####.jpg pictures#.jpg Drunken.jpg
IMG####.jpg Pictures###.jpg DRUNKEN.jpg
Img#####.jpg Pictures##.jpg sleep.jpg
IMG_00####.jpg Pictures#.jpg Sleep.jpg
IMG_#####.jpg sexypic###.jpg SLEEP.jpg
IMG_####.JPG sexypic##.jpg sleeping.jpg
IMGA####.JPG sexypic#.jpg Sleeping.jpg
IMGP####.JPG sexypics###.jpg SLEEPING.jpg
IMGP####.jpg sexypics##.jpg tongue.jpg
IMPG####.jpg sexypics#.jpg Tongue.jpg
KIF_####.jpg Smile###.jpg TONGUE.jpg
mvc#####.jpg Smile##.jpg cute.jpg
MVC0####.jpg Smile#.jpg Cute.jpg
MVC-####.jpg smile###.jpg CUTE.jpg
MYDC####.jpg smile##.jpg hehe.jpg
P00#####.jpg smile#.jpg Hehe.jpg
P10#####.jpg mirror###.jpg HEHE.jpg
P101####.jpg mirror##.jpg us.jpg
PC00####.jpg mirror#.jpg Us.jpg
PANA####.JPG single###.jpg US.jpg
PDR_####.JPG single##.jpg mesexy.jpg
PDR_####.jpg single#.jpg Mesexy.jpg
PDRM####.JPG Happy###.jpg MESEXY.jpg
PDRM####.jpg Happy##.jpg underwear.jpg
pdrm####.jpg Happy#.jpg Underwear.jpg
pict####.jpg happy###.jpg UNDERWEAR.jpg
Picture#####.jpg happy##.jpg thong.jpg
Picture####.jpg happy#.jpg Thong.jpg
Picture###-1.jpg picture###.jpg THONG.jpg
Picture##-1.jpg picture##.jpg panties.jpg
Picture#-1.jpg picture#.jpg Panties.jpg
Picture###-2.jpg cute###.jpg PANTIES.jpg
Picture##-2.jpg cute##.jpg bra.jpg
Picture#-2.jpg cute#.jpg Bra.jpg
Photo####.jpg xxx###.jpg BRA.jpg
Photo###-1.jpg xxx##.jpg costume.jpg
Photo##-1.jpg xxx#.jpg Costume.jpg
Photo#-1.jpg delete###.jpg COSTUME.jpg
S#######.jpg delete##.jpg heart.jpg
S######.jpg delete#.jpg Heart.jpg
S#####.jpg Halloween###.jpg HEART.jpg
S####.jpg Halloween##.jpg bed.jpg
SANY####.jpg Halloween#.jpg Bed.jpg
SDC#####.jpg halloween###.jpg BED.jpg
scan#####.jpg halloween##.jpg shower.jpg
SPA#####.jpg halloween#.jpg Shower.jpg
ST@_#####.jpg Me###.jpg SHOWER.jpg
STA#####.jpg Me##.jpg bath.jpg
STP#####.jpg Me#.jpg Bath.jpg
PANA###.jpg ME###.jpg BATH.jpg
{user}#.jpg ME##.jpg closet.jpg
DSCI###.jpg ME#.jpg Closet.jpg
DigitalCamera###.jpg me###.jpg CLOSET.jpg
Image(##).jpg me##.jpg kitchen.jpg
Image(##).JPG me#.jpg Kitchen.jpg
mvc-###.jpg 1-###.jpg KITCHEN.jpg
MVC-###.jpg 1-##.jpg fridge.jpg
Sony#.jpg 1-#.jpg Fridge.jpg
PhotoMoto_####.jpg IMG_###.jpg FRIDGE.jpg
###-1.jpg IMG_##.jpg table.jpg
##-1.jpg IMG_#.jpg Table.jpg
#-1.jpg naughty###.jpg TABLE.jpg
Picture###.png naughty##.jpg risque.jpg
Picture##.png naughty#.jpg Risque.jpg
Picture#.png Naughty###.jpg RISQUE.jpg
stuff###.jpg Naughty##.jpg new.jpg
stuff##.jpg Naughty#.jpg New.jpg
stuff#.jpg ass###.jpg NEW.jpg
stuff-#.jpg ass##.jpg old.jpg
S###.jpg ass#.jpg Old.jpg
S##.jpg Ass###.jpg OLD.jpg
S#.jpg Ass##.jpg halloween.jpg
s###.jpg Ass#.jpg Halloween.jpg
s##.jpg Pic###.jpg HALLOWEEN.jpg
s#.jpg Pic##.jpg cleavage.jpg
unknown-###.jpg Pic#.jpg Cleavage.jpg
unknown-##.jpg pic###.jpg CLEAVAGE.jpg
unknown-#.jpg pic##.jpg pic.jpg
Unknown-###.jpg pic#.jpg Pic.jpg
Unknown-##.jpg me.jpg PIC.jpg

So basically, the only way out of phuskers is to rename your files so that they won’t fit any of the above masks. So a simple description (3-5 words) of what’s on the picture might be able to defeat most of this software.
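
To apply that advice before uploading, the following added example (not part of PHUSK or of the original post) checks your own filenames against a subset of the masks listed above, treating `#` as one digit, and reports how few guesses each matching mask needs. The function names and the sample filenames other than DSC0005.jpg are constructed.

```python
import re

# Subset of the masks from the list above, lower-cased; "#" stands for one digit.
DEFAULT_MASKS = [
    "dsc####.jpg", "dsc0####.jpg", "dsc_####.jpg", "dscn####.jpg",
    "img_####.jpg", "pict####.jpg", "picture###.jpg", "photo###.jpg",
    "image###.jpg", "###.jpg", "untitled-#.jpg", "me.jpg",
]


def mask_to_regex(mask):
    """Turn a mask into a case-insensitive regex; every '#' becomes one digit."""
    literal_parts = [re.escape(part) for part in mask.split("#")]
    return re.compile(r"\d".join(literal_parts), re.IGNORECASE)


def matching_masks(filename, masks=DEFAULT_MASKS):
    """Return every mask the whole filename fits."""
    return [m for m in masks if mask_to_regex(m).fullmatch(filename)]


def candidates(mask):
    """Number of distinct filenames a mask expands to (10 per '#')."""
    return 10 ** mask.count("#")


def audit(filenames, masks=DEFAULT_MASKS):
    """Map each guessable filename to its masks and the smallest guess count."""
    report = {}
    for name in filenames:
        hits = matching_masks(name, masks)
        if hits:
            report[name] = {
                "masks": hits,
                "guesses": min(candidates(m) for m in hits),
            }
    return report


if __name__ == "__main__":
    # Constructed album listing; DSC0005.jpg is the file used in this post.
    album = ["DSC0005.jpg", "grandma-birthday-cake.jpg", "IMG_1234.JPG", "me.jpg"]
    for name, info in audit(album).items():
        print("%-28s rename (fits %s, at most %d guesses)"
              % (name, ", ".join(info["masks"]), info["guesses"]))
```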

So there you have it: how to get pictures from Photobucket. Although I haven’t shown it here, this concept can be used for other picture sharing sites. As in anything that ever existed, this can be used for good and evil purposes. I started to get interested in computer security by reading that stuff when I was young so my goal here is to do the same, knowing that some script kiddies will probably use this.

Sayonara


[1] “Security Researchers Find Alleged Facebook Hacking Service”, Brian Prince, eWeek, September 18, 2009, http://www.eweek.com/c/a/Security/Security-Researchers-Find-Alleged-Facebook-Hacking-Service-358854/ accessed on 2009-12-29

A Study of Smart Cards

Cards are quite an interesting species of object that have invaded our lives in every way: we use them for public transit, laundry, gift cards, phone cards, credit cards etc. One could gather quite a lot of power by not only understanding their functioning, but also by being able to tamper with their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.

Visual Study of Smart Cards

Smart cards are usually the size of credit cards and their dimensions are defined according to the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards are usually in the ID-1 category although some are in the ID-000 category, which mostly comprises SIM cards. Each of them is 0.76 mm thick. The properties are defined as follows [1]:

Example of a card using a chip
Format Dimension Usage
ID-1 85.60 × 53.98 mm Most banking cards and ID cards
ID-2 105 × 74 mm German ID cards issued prior to Nov 2010
ID-3 125 × 88 mm Passports and Visas
ID-000 25 × 15 mm SIM cards

The material used for the card is usually polyvinyl chloride (PVC). Of course the most interesting item on the card is that golden connector. There are various types of connectors as shown in the picture below:

Different Layouts of Cardpads

There are also three main types of smart cards: contact cards, contactless and vault cards [2].

The three main types of Smart Card available

Actually, the two that are important in everybody’s life are the contact and contactless cards, the latter being used in public transit most of the time. For now I’ll concentrate on contact cards.

Contact Cards

Information is transferred using electrical connectors, i.e. the golden chip on the card, to the reader. Usually, the chip has around 8 connectors as follows:

Now contact cards are divided into two categories: memory cards and multiprocessor cards. Memory cards are furthermore divided into 3 categories:

  • Straight Memory Cards
  • Protected/Segmented Memory Cards
  • Stored Value Memory Cards

The Project

I recently got handed a laundry smart card and for some reason, got fascinated with it. I never really played with hardware but these devices have interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases:

  1. Dump the content of the memory into my computer
  2. Alter the content and write it back to the card

System Description

A client is handed a Smart Card called “SmartCity” from a company called Coinamatic, which provides laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers”. You can put up to 50$ maximum on the card. To use the facilities, you need to insert the card into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer MAT14PRAWW model. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer model MLE24PRAZW.

Next post : the card reader/writer

See also:

EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20

Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20

How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20

Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20

Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Carlson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20

1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20

[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20

[2] Types of Chip Cards, Smart Card Basics, 2005,  http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20

RAAF website defaced

Atul Dwivedi, an Indian hacker, paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This incident comes amid a rise in violence targeted towards Indian natives in Australia and apparently Dwivedi protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incident in Australia against Indian students has increased in the last months

This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokeswoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,” [1]

Microsoft products are used in pretty much every Western armed force. So it’s safe to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies a Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire [2] the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits, which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.

It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe an SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.

See also:

“Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

“WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


[1] “Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

[2] “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

Firefox Javascript Vulnerability

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox [1]. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machines running x86, SPARC or ARM architectures.

The vulnerability revolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit uses a heap spraying technique to execute the shellcode.

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which lets you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

“Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15

“Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15

“Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15

“Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15


[1] “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15