Task “Infected terminal”
ZeroNights E.0x04 Hackquest
Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky
#whoami
Roman Bazhin
• Security researcher at Digital Security
• Ethical gop-stopper
George Nosenko
• Security researcher at Digital Security
• Pwnie Awards nominee
Peter Kamensky
• Security researcher at Digital Security
© 2002—2014, Digital Security
Legend and EULA
A sample of malware from a functioning botnet was found on one of Moscow's PoS terminals...
Warning: run this file only inside a virtual machine. And that's not a joke.
Game Network Diagram
[Diagram, built up over several slides: Twitter / FriendFeed, BotMaster, C&C, Terminal 1, Terminal 2, Terminal 3; an internal game network is separated from an external game network. The terminals check every 5 min.; the address of the C&C is posted every 15 min.]
Game Network Diagram / Players
[Diagram: the same network with Player 1 ... Player N added; the BotMaster and C&C nodes are labelled "BotMaster (Player N)" and "C&C (Player N)".]
Bot / Components
[Diagram: bot components: Loader, Init, Timer, Datetime, Crypt (Spritz), Key, Hashtag, H, CMD, Social network with Social Transport (Tweet, C&C addr), C&C with C&C Transport (C, TGA).]
C&C / Components
[Diagram: C&C components: Crypt (Spritz), Key, H, Datetime, TGA, CMD, C&C Transport (Request / Response, C).]
Bot / C&C Transport / Container
BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01
00 01 00 02 00 01 00 05 00 00 00 00 00 04 00 05
0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF
00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 0C 00 01
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
00 03 01 ...
[Annotation of the dump: the container is a media file (PNG, JPG, GIF, PDF); between the media header and the media footer sits the crypted data, laid out as Marker | Size of packet | Pickled data.]
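The container layout above (marker, size of packet, pickled data, wrapped in a media file), as an added example that is not part of the original deck: it extracts packets from a constructed PNG-wrapped blob and inspects the pickle with pickletools before deciding whether to load it, since a bot that unpickles C&C traffic directly runs whatever callables the pickle names. The marker value, the 4-byte little-endian size field and the PNG framing are assumptions, and Spritz decryption is left out (the parser works on already-decrypted data).

```python
"""Parse a media-wrapped C&C packet and audit its pickle before loading.

Assumed layout (constructed for this example, not taken from the sample):
    <media header> | MARKER | size (4 bytes, LE) | pickled data | <media footer>
"""
import pickle
import pickletools
import struct

MARKER = b"\xca\xfe\x13\x37"   # constructed 4-byte marker
SIZE_FMT = "<I"                # assumed 32-bit little-endian packet size
HDR_LEN = len(MARKER) + struct.calcsize(SIZE_FMT)

# Opcodes that let a pickle reach arbitrary callables or __setstate__ hooks while
# loading. A C&C message made of dicts/lists/strings/ints never needs them.
UNSAFE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}

# Constructed framing: PNG signature as "media header", IEND chunk as "media footer".
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def build_container(header, obj, footer):
    """Wrap obj as MARKER | size | pickle between a media header and footer."""
    pickled = pickle.dumps(obj, protocol=2)
    return header + MARKER + struct.pack(SIZE_FMT, len(pickled)) + pickled + footer


def extract_packets(blob):
    """Return the pickled payload of every well-formed packet found in blob.

    A packet whose declared size runs past the end of the blob is skipped
    (truncated download or a stray marker match inside media data)."""
    packets = []
    pos = blob.find(MARKER)
    while pos != -1:
        body_start = pos + HDR_LEN
        if body_start > len(blob):
            break  # marker too close to the end to carry a size field
        (size,) = struct.unpack_from(SIZE_FMT, blob, pos + len(MARKER))
        body = blob[body_start:body_start + size]
        if len(body) != size:
            pos = blob.find(MARKER, pos + 1)  # truncated: resume scanning
            continue
        packets.append(body)
        pos = blob.find(MARKER, body_start + size)
    return packets


def audit_pickle(pickled):
    """Return (all opcode names, sorted unsafe opcode names) without executing
    the pickle: pickletools.genops only parses the opcode stream."""
    names = [op.name for op, _arg, _pos in pickletools.genops(pickled)]
    return names, sorted(UNSAFE_OPCODES.intersection(names))


def decode_if_safe(pickled):
    """Load the object only when no code-reaching opcode is present.
    (A stricter alternative is an Unpickler subclass whose find_class
    refuses everything; this pre-check keeps the decision visible.)"""
    _names, unsafe = audit_pickle(pickled)
    if unsafe:
        raise ValueError("refusing to load pickle with opcodes: " + ", ".join(unsafe))
    return pickle.loads(pickled)


def demo():
    benign = {"cmd": "CMD_GET_CNAME", "id": 7}   # constructed C&C message
    container = build_container(PNG_HEADER, benign, PNG_FOOTER)
    [payload] = extract_packets(container)
    result = decode_if_safe(payload)
    # A pickle that names a global callable trips the audit (harmless one here).
    _names, unsafe = audit_pickle(pickle.dumps(len, protocol=2))
    return result, unsafe


if __name__ == "__main__":
    print(demo())
```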
Bot / Commands
• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX // Show messagebox
• CMD_GET_PLIST // Get list of processes
• CMD_GET_CNAME // Get name of computer
• CMD_MAKE_LOAD // Load shellcode
• CMD_MAKE_INJ // Inject shellcode to process
Bot / Protection
[Diagram: the bot component diagram again (Loader, Init, Timer, Datetime, Crypt (Spritz), Key, Hashtag, H, CMD, Social network / Social Transport (Tweet, C&C addr), C&C / C&C Transport (C, TGA)), now with the protection layers marked: the Init modules are Cython (pyx), the rest is Custom Python (py), all started by the py2exe bootloader.]
Bot / Protection / py2exe sections
• .text
• .data
• .rsrc
• Overlay (PKZIP)
Contents: PYTHON27.DLL, PYTHONSCRIPT (BootLoader), Lib with pyx
Bot / Protection / Custom Python
Custom Python
• Inspired by Dropbox *
• Anti-Decompilation
  • Bytecode Encryption
  • Bytecode Remapping
• Anti-Dump
  • PyCodeObject modification
  • Disable marshalling
• Execution Prevention
  • Disable PyRun…
* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420
Custom Python / Anti-Decompilation / Bytecode Encryption
• marshal.c (w_object(), r_object())
• plain-text: PyCodeObject.co_code
• algorithm: xxtea
• key_128bit = f(random, sizeof(co_code))
Standard marshaled blob (annotated fields: bytecode version, timestamp, type of data, marshaled bytecode):
B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
Custom Python marshaled blob (annotated fields: bytecode version, timestamp, type of data, entropy, size of encrypted bytecode, encrypted bytecode):
B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
Custom Python / Anti-Decompilation / Bytecode Remapping
• opcode.h
• random opcode mixing
Standard opcode.h:
#define STOP_CODE 0
#define POP_TOP 1
#define ROT_TWO 2
#define ROT_THREE 3
#define DUP_TOP 4
#define ROT_FOUR 5
#define NOP 9
…
Custom opcode.h:
#define BINARY_POWER 0
#define PRINT_ITEM 1
#define INPLACE_OR 2
#define DUP_TOP 3
#define GET_ITER 4
#define BINARY_MULTIPLY 5
#define BINARY_XOR 9
…
Custom Python / Anti-Dump / PyCodeObject modification
• code.h
• Prevents the use of any other Python implementation on the dumped objects
/* Bytecode object */
typedef struct {
PyObject_HEAD
int co_argcount; /* #arguments, except *args */
int co_nlocals; /* #local variables */
int co_stacksize; /* #entries needed for evaluation stack */
int co_flags; /* CO_..., see below */
…
PyObject *co_consts; /* list (constants used) */
PyObject *co_names; /* list of strings (names used) */
PyObject *co_varnames; /* tuple of strings (local variable names) */
PyObject *co_freevars; /* tuple of strings (free variable names) */
PyObject *co_cellvars; /* tuple of strings (cell variable names) */
PyObject *co_code; /* instruction opcodes */
…
} PyCodeObject;
Custom Python / Anti-Dump / Disable Marshalling
• marshal.c : w_object()
• PyMarshal_WriteObjectToFile() --> w_object()
Custom Python / Execution Prevention
• pythonrun.c
• Patched to do nothing:
  • PyRun_FileExFlags
  • PyRun_SimpleFileExFlags
  • PyRun_AnyFileExFlags
  • PyRun_InteractiveLoopFlags
• Unpatched:
  • PyRun_SimpleString
Bot / Protection / Custom Python / Bypass
Custom Python / Bypass / Bytecode Encryption
• RE -> write decryptor
OR
• Bypass anti-dump
Standard Python:
B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
Custom Python:
B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
Custom Python / Bypass / Enable Marshalling
• Grab a marshalling implementation from another Python (e.g. PyPy)
• Look for the real offset of the co_code field
Custom Python / Bypass / Opcode unmapping
• Differential analysis
• Generating two sets of "pyc" files
• Finding the opcode mapping
• Opcode unmapping
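The differential analysis above, carried through as an added example (not code from the deck or the hackquest): two bytecode streams compiled from the same source, one by standard CPython 2.7 and one by the remapped interpreter, are walked in lockstep to recover the custom-to-standard opcode table, which is then used to rewrite a remapped stream. The opcode permutation, the sample bytecode and the helper that simulates the custom build are constructed; the real custom build is assumed to leave argument bytes untouched and to keep the 2.7 layout (2-byte little-endian argument after every opcode >= HAVE_ARGUMENT).

```python
"""Opcode unmapping by differential analysis (constructed data)."""

HAVE_ARGUMENT = 90  # CPython 2.7: opcodes >= 90 carry a 2-byte argument

# Standard CPython 2.7 opcode numbers used by the constructed samples below.
STD_NAMES = {
    1: "POP_TOP", 23: "BINARY_ADD", 24: "BINARY_SUBTRACT", 65: "BINARY_XOR",
    83: "RETURN_VALUE", 100: "LOAD_CONST", 124: "LOAD_FAST", 125: "STORE_FAST",
}


def instructions(code):
    """Yield (offset, opcode, arg or None) for a standard 2.7 bytecode stream."""
    i = 0
    while i < len(code):
        op = code[i]
        if op >= HAVE_ARGUMENT:
            yield i, op, code[i + 1] | (code[i + 2] << 8)
            i += 3
        else:
            yield i, op, None
            i += 1


def derive_mapping(pairs):
    """pairs: [(standard_code, custom_code)] compiled from identical sources.

    Instruction boundaries come from the standard stream, so the custom opcode
    is whatever byte sits at the same offset. A custom byte seen with two
    different standard meanings means the pair was not built from one source."""
    mapping = {}
    for std, custom in pairs:
        if len(std) != len(custom):
            raise ValueError("streams differ in length; not the same compile")
        for off, op, _arg in instructions(std):
            seen = mapping.setdefault(custom[off], op)
            if seen != op:
                raise ValueError(f"custom opcode {custom[off]} maps to {seen} and {op}")
    return mapping


def unmap(custom, mapping):
    """Rewrite a remapped stream back to standard numbering.

    The recovered standard opcode decides whether an argument follows, so the
    walk does not depend on the custom build's own HAVE_ARGUMENT threshold."""
    out = bytearray()
    i = 0
    while i < len(custom):
        op = mapping.get(custom[i])
        if op is None:
            raise KeyError(f"custom opcode {custom[i]} at {i} unseen; add sample pairs")
        out.append(op)
        if op >= HAVE_ARGUMENT:
            out += custom[i + 1:i + 3]
            i += 3
        else:
            i += 1
    return bytes(out)


def disassemble(code):
    """Mnemonics of a standard stream, for checking a result by eye."""
    return [STD_NAMES.get(op, f"op_{op}") + ("" if arg is None else f" {arg}")
            for _off, op, arg in instructions(code)]


# --- constructed samples -----------------------------------------------------
# 2.7 bytecode of the deck's own function: c = a + b - 0x0A; return c ^ 0x70
SAMPLE_FUNC = bytes([124, 0, 0, 124, 1, 0, 23, 100, 1, 0, 24, 125, 2, 0,
                     124, 2, 0, 100, 2, 0, 65, 83])
# def g(x): x; return x  ->  LOAD_FAST 0; POP_TOP; LOAD_FAST 0; RETURN_VALUE
SAMPLE_POP = bytes([124, 0, 0, 1, 124, 0, 0, 83])

# Made-up permutation standing in for the custom opcode.h. LOAD_CONST and
# RETURN_VALUE swap numbers, so a stock disassembler would read it wrongly.
FAKE_CUSTOM_OPCODES = {1: 9, 23: 1, 24: 5, 65: 2, 83: 100, 100: 83, 124: 125, 125: 124}


def simulate_custom_build(std_code, perm=FAKE_CUSTOM_OPCODES):
    """What the (simulated) custom interpreter would emit for std_code."""
    out = bytearray()
    for off, op, arg in instructions(std_code):
        out.append(perm[op])
        if arg is not None:
            out += std_code[off + 1:off + 3]
    return bytes(out)


def demo():
    pairs = [(s, simulate_custom_build(s)) for s in (SAMPLE_FUNC, SAMPLE_POP)]
    mapping = derive_mapping(pairs)
    recovered = unmap(simulate_custom_build(SAMPLE_FUNC), mapping)
    return mapping, recovered == SAMPLE_FUNC, disassemble(recovered)


if __name__ == "__main__":
    print(demo())
```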
Bot / Protection / Cython
Cython (c-api)
def function(a, b):
    c = a + b - 0x0A
    return c ^ 0x70

PyObject *__pyx_f_4temp_function(PyObject *va, PyObject *vb) {
    PyObject *vl1, *vl2, *vl3;
    __Pyx_RefNannySetupContext("function", 0);
    vl1 = PyNumber_Add(va, vb);                 /* a + b */
    vl2 = PyNumber_Subtract(vl1, vg_int_10);    /* - 0x0A (module-level int constant) */
    vl3 = PyNumber_Xor(vl2, vg_int_112);        /* ^ 0x70 */
    __Pyx_RefNannyFinishContext();
    return vl3;
}
Cython (Pure C)
cdef long function(long a, long b):
    c = a + b - 0x0A
    return c ^ 0x70

long __pyx_f_4temp_function(long va, long vb) {
    long vl1, vl2;
    __Pyx_RefNannySetupContext("function", 0);
    vl1 = ((va + vb) - 0x0A);   /* plain C arithmetic, no Python objects */
    vl2 = (vl1 ^ 0x70);
    __Pyx_RefNannyFinishContext();
    return vl2;
}
Bot / Protection / Cython / Solving
Cython / Solving / Localization
Python < 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• Py_InitModule4
• PyImport_AddModule to __builtin__
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString
Python >= 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• PyModule_Create
• PyImport_AddModule to builtins
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString
PoS terminal
PoS terminal in action
Service monitor
• Re-launches the bot and the PoS processes every 5 minutes
Job restriction
• Restricted token
• Trimmed privileges
• Memory peak limit
• Low integrity
• 2 processes only
Shell storage
• The service also grabs all injected shellcodes
• pos_1 / 75 shellcodes
• pos_2 / 59 shellcodes
Shellcode, first attempt
• Tried to download a meterpreter shell from the C&C and spawn it
Shellcode of the winner
• Sent 2 GB of DSec VM memory to the C&C :D
Hints (for 4 days)
• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends on a correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …
Questions?
Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky


George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
 
Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov -  Tor and Botnet C&C Anton Alexanenkov -  Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C
 
Roman Korkikyan - Timing analysis workshop Part 2 Scary
Roman Korkikyan - Timing analysis workshop Part 2 ScaryRoman Korkikyan - Timing analysis workshop Part 2 Scary
Roman Korkikyan - Timing analysis workshop Part 2 Scary
 
Roman Korkikyan - Timing analysis workshop Part 2 Practice
Roman Korkikyan - Timing analysis workshop Part 2 PracticeRoman Korkikyan - Timing analysis workshop Part 2 Practice
Roman Korkikyan - Timing analysis workshop Part 2 Practice
 
Roman Korkikyan - Timing analysis workshop Part 1 Theory
Roman Korkikyan - Timing analysis workshop Part 1 TheoryRoman Korkikyan - Timing analysis workshop Part 1 Theory
Roman Korkikyan - Timing analysis workshop Part 1 Theory
 
Peter Hlavaty - DBIFuzz
Peter Hlavaty - DBIFuzzPeter Hlavaty - DBIFuzz
Peter Hlavaty - DBIFuzz
 
Vadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitationVadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitation
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Zn task - defcon russia 20
18. Bot / Components (diagram)
Labelled blocks: Loader, Init, Timer, Crypt (Spritz), Key, CMD, C&C, C&C Transport, Datetime, TGA, Social network, Social Transport, Hashtag, Tweet, C&C addr.
19. C&C / Components (diagram)
Labelled blocks: Crypt (Spritz), Key, Request, Response, CMD, Datetime, TGA, C&C Transport.
20. Bot / C&C Transport / Container
Carrier file types: PNG, JPG, GIF, PDF
Regions labelled on the slide: media header, marker, size of packet, crypted data (pickled data), media footer

Hex excerpt from the slide:
  BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01 00 01 00 02 00 01 00 05
  00 00 00 00 00 04 00 05 0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF
  00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02 00 00 00 00 00 04 00 05
  0A 20 01 00 00 0C 00 01 00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
  00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01 ...
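An added example for slides 18 to 20, written for this page and not taken from the bot or from the authors' tooling. It implements the Spritz cipher the bot uses (following the Rivest/Schuldt 2014 pseudocode with N = 256), wraps an encrypted pickle in a carrier file the way the container slide describes, and reads it back through an unpickler that refuses every global. The container layout (carrier header, marker, little-endian size, body, carrier footer), the marker bytes and the demo key are assumptions; the slide does not give them.

```python
# Added example (not the bot's code, not the authors' code). Assumptions:
# container = PNG signature | MARKER | u32 LE size | Spritz(pickle) | IEND,
# MARKER value and demo key are made up for illustration.
import io
import os
import pickle
import struct

N = 256


class Spritz:
    """Spritz sponge (Rivest/Schuldt 2014): absorb the key, squeeze keystream."""

    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(N))

    def absorb(self, data):
        for b in data:
            self._absorb_nibble(b & 0x0F)   # low nibble first, then high
            self._absorb_nibble(b >> 4)

    def _absorb_nibble(self, x):
        if self.a == N // 2:
            self._shuffle()
        S = self.S
        S[self.a], S[N // 2 + x] = S[N // 2 + x], S[self.a]
        self.a += 1

    def _shuffle(self):
        self._whip(2 * N); self._crush()
        self._whip(2 * N); self._crush()
        self._whip(2 * N)
        self.a = 0

    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w = (self.w + 2) % N   # next w coprime with N (next odd value for N = 256)

    def _crush(self):
        S = self.S
        for v in range(N // 2):
            if S[v] > S[N - 1 - v]:
                S[v], S[N - 1 - v] = S[N - 1 - v], S[v]

    def _update(self):
        S = self.S
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        S[self.i], S[self.j] = S[self.j], S[self.i]

    def _drip(self):
        if self.a > 0:
            self._shuffle()
        self._update()
        S = self.S
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z

    def squeeze(self, r):
        if self.a > 0:
            self._shuffle()
        return bytes(self._drip() for _ in range(r))


def spritz_keystream(key, n):
    s = Spritz()
    s.absorb(key)
    return s.squeeze(n)


def spritz_encrypt(key, msg):   # Spritz encrypts by byte-wise addition mod 256
    return bytes((m + k) & 0xFF for m, k in zip(msg, spritz_keystream(key, len(msg))))


def spritz_decrypt(key, ct):
    return bytes((c - k) & 0xFF for c, k in zip(ct, spritz_keystream(key, len(ct))))


MARKER = b"MRK1"                                   # hypothetical marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"                     # carrier header
PNG_END = b"\x00\x00\x00\x00IEND\xaeB`\x82"        # carrier footer


def pack(key, obj):
    body = spritz_encrypt(key, pickle.dumps(obj, protocol=2))
    return PNG_SIG + MARKER + struct.pack("<I", len(body)) + body + PNG_END


def unpack(key, blob):
    pos = blob.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found")
    pos += len(MARKER)
    (size,) = struct.unpack("<I", blob[pos:pos + 4])
    body = blob[pos + 4:pos + 4 + size]
    if len(body) != size:
        raise ValueError("truncated packet")
    return spritz_decrypt(key, body)


class SafeUnpickler(pickle.Unpickler):
    """Refuses every global: plain pickle.loads() on C&C data lets the peer run code."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def safe_loads(data):
    return SafeUnpickler(io.BytesIO(data)).load()


def rejects_hostile_payload():
    """A pickled os.system reference is what a hostile peer would send; it must be refused."""
    try:
        safe_loads(pickle.dumps(os.system))
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    key = b"constructed-demo-key"
    packet = pack(key, {"cmd": "CMD_GET_CNAME", "id": 7})
    return safe_loads(unpack(key, packet))
```

`spritz_keystream(b"ABC", 8)` reproduces the paper's first test vector, which is the check to run before trusting any reimplementation against captured traffic. When replaying real bot traffic, keep the restricted unpickler: the payload is attacker-controlled and the only safe way to look at it is to refuse `find_class` entirely.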
21. Bot / Commands
• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX   // Show messagebox
• CMD_GET_PLIST    // Get list of processes
• CMD_GET_CNAME    // Get name of computer
• CMD_MAKE_LOAD    // Load shellcode
• CMD_MAKE_INJ     // Inject shellcode to process
23. Bot / Protection (diagram)
The component diagram of slide 18 again: Loader, Init, Timer, Crypt (Spritz), Key, CMD, C&C, C&C Transport, Datetime, TGA, Social network, Social Transport, Hashtag, Tweet, C&C addr.
24. Bot / Protection (diagram)
The same components annotated by implementation layer: Custom Python (py) for the bulk of the bot, Cython (pyx) for the Init blocks, and a py2exe bootloader for the Loader.
25. Bot / Protection / py2exe
Sections: .text, .data, .rsrc, Overlay (PKZIP)
Labelled contents: PYTHON27.DLL, PYTHONSCRIPT, BootLoader, Lib with pyx
26. Bot / Protection / Custom Python
27. Custom Python
• Inspired by Dropbox *
• Anti-Decompilation
  • Bytecode Encryption
  • Bytecode Remapping
• Anti-Dump
  • PyCodeObject modification
  • Disable marshalling
• Execution Prevention
  • Disable PyRun…
* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420
28. Custom Python / Anti-Decompilation / Bytecode Encryption
• marshal.c (w_object(), r_object())
• plain-text: PyCodeObject.co_code
• algorithm: xxtea
• key_128bit = f(random, sizeof(co_code))

Standard marshaled blob:
  B3 F2 0D 0A                                      bytecode version (Python 2.7 magic)
  0D F1 5C 50                                      timestamp
  63                                               type of data ('c', code object)
  00 00 00 00 00 00 00 00 06 00 00 00 40 00 00 00  argcount, nlocals, stacksize, flags
  73 16 01 00 00                                   marshaled bytecode ('s', 0x116 bytes)
  78 43 00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01 ...

Custom Python marshaled blob:
  B3 F2 0D 0A                                      bytecode version
  0D F1 5C 50                                      timestamp
  63                                               type of data
  70 F9 79 04 8E 20 00 00                          entropy, size of encrypted bytecode
  11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02 00  encrypted bytecode
  00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01 ...
29. Custom Python / Anti-Decompilation / Bytecode Remapping
• opcode.h
• random opcode mixing

  Stock opcode.h              Remapped opcode.h
  #define STOP_CODE 0         #define BINARY_POWER 0
  #define POP_TOP 1           #define PRINT_ITEM 1
  #define ROT_TWO 2           #define INPLACE_OR 2
  #define ROT_THREE 3         #define DUP_TOP 3
  #define DUP_TOP 4           #define GET_ITER 4
  #define ROT_FOUR 5          #define BINARY_MULTIPLY 5
  #define NOP 9               #define BINARY_XOR 9
  …                           …
30. Custom Python / Anti-Dump / PyCodeObject modification
• code.h
• It prevents the use of other Python implementations

  /* Bytecode object */
  typedef struct {
      PyObject_HEAD
      int co_argcount;        /* #arguments, except *args */
      int co_nlocals;         /* #local variables */
      int co_stacksize;       /* #entries needed for evaluation stack */
      int co_flags;           /* CO_..., see below */
      …
      PyObject *co_consts;    /* list (constants used) */
      PyObject *co_names;     /* list of strings (names used) */
      PyObject *co_varnames;  /* tuple of strings (local variable names) */
      PyObject *co_freevars;  /* tuple of strings (free variable names) */
      PyObject *co_cellvars;  /* tuple of strings (cell variable names) */
      PyObject *co_code;      /* instruction opcodes */
      …
  } PyCodeObject;
31. Custom Python / Anti-Dump / Disable Marshalling
• marshal.c : w_object()
• PyMarshal_WriteObjectToFile() --> w_object()
32. Custom Python / Execution Prevention
• pythonrun.c
• Patched to do nothing:
  • PyRun_FileExFlags
  • PyRun_SimpleFileExFlags
  • PyRun_AnyFileExFlags
  • PyRun_InteractiveLoopFlags
• Unpatched:
  • PyRun_SimpleString
33. Bot / Protection / Custom Python / Bypass
34. Custom Python / Bypass / Bytecode Encryption
• RE -> write decryptor, OR
• Bypass anti-dump
(The standard and custom marshaled blobs of slide 28, shown side by side as "Standard Python" and "Custom Python".)
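An added example for the "write decryptor" route of slides 28 and 34; it is not the bot's code and not the authors' solver. It implements XXTEA (Wheeler and Needham's corrected block TEA, the algorithm slide 28 names) and a blob format laid out the way the slide annotates it: Python 2.7 magic, timestamp, the 'c' type byte, entropy, size, encrypted bytes. The 4-byte widths of the entropy and size fields and the key derivation `derive_key()` are assumptions; the bot's real `f(random, sizeof(co_code))` has to be lifted from the binary and dropped in at that one place.

```python
# Added example (not the bot's code). Assumed blob layout:
# magic(4) | timestamp(4) | b"c" | entropy(4) | size(4) | xxtea(co_code padded to 4, min 8)
# derive_key() is a hypothetical stand-in for the bot's key_128bit = f(random, sizeof(co_code)).
import hashlib
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
MAGIC_27 = b"\xb3\xf2\r\n"   # Python 2.7 pyc magic, as on the slide


def _mx(sum_, y, z, p, e, key):
    # XXTEA mixing function; all arithmetic is uint32, so mask once at the end
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def _btea(v, key, encrypt):
    """Corrected block TEA over a list of uint32 words (len >= 2); in place."""
    n = len(v)
    rounds = 6 + 52 // n
    if encrypt:
        sum_, z = 0, v[-1]
        for _ in range(rounds):
            sum_ = (sum_ + DELTA) & MASK
            e = (sum_ >> 2) & 3
            for p in range(n):
                y = v[(p + 1) % n]
                z = v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
    else:
        sum_, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (sum_ >> 2) & 3
            for p in range(n - 1, -1, -1):
                z = v[(p - 1) % n]
                y = v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            sum_ = (sum_ - DELTA) & MASK
    return v


def xxtea(data, key16, encrypt):
    if len(key16) != 16 or len(data) % 4 or len(data) < 8:
        raise ValueError("need a 16-byte key and >= 8 bytes of data, multiple of 4")
    key = list(struct.unpack("<4I", key16))
    words = list(struct.unpack("<%dI" % (len(data) // 4), data))
    return struct.pack("<%dI" % len(words), *_btea(words, key, encrypt))


def derive_key(entropy, size):
    # HYPOTHETICAL: replace with the bot's real f(random, sizeof(co_code)) once reversed.
    return hashlib.sha256(struct.pack("<II", entropy, size)).digest()[:16]


def _padded_len(size):
    return max(8, size + (-size) % 4)


def encrypt_blob(co_code, entropy, timestamp=0x505CF10D):
    plain = co_code + b"\0" * (_padded_len(len(co_code)) - len(co_code))
    body = xxtea(plain, derive_key(entropy, len(co_code)), True)
    return (MAGIC_27 + struct.pack("<I", timestamp) + b"c"
            + struct.pack("<II", entropy, len(co_code)) + body)


def decrypt_blob(blob):
    """The decryptor: parse the custom blob and recover the plain co_code bytes."""
    if blob[:4] != MAGIC_27 or blob[8:9] != b"c":
        raise ValueError("not a Python 2.7 code blob")
    entropy, size = struct.unpack("<II", blob[9:17])
    ct = blob[17:17 + _padded_len(size)]
    if len(ct) != _padded_len(size):
        raise ValueError("truncated ciphertext")
    return xxtea(ct, derive_key(entropy, size), False)[:size]


# Constructed sample: the first co_code bytes shown in the slide's standard blob
SAMPLE_CO_CODE = bytes.fromhex("784300650000640000830100445d30005a01")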
35. Custom Python / Bypass / Enable Marshalling
• Grab a marshalling implementation from elsewhere (e.g. PyPy)
• Look for the real offset of the co_code field
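An added example for slides 30 and 35 (not the authors' tooling): when PyCodeObject has been reshuffled, the stock offsets in a borrowed marshaller are wrong, but a running interpreter still holds the real pointers. This scans a code object's memory for the addresses of members you can already obtain and reports where each pointer actually lives, then dereferences that offset the way a dumper would. It assumes CPython (where `id()` is the object address) and scans `co_consts` and `co_names`, which are plain pointer fields in every CPython 3 release; `co_code` itself is no longer a plain field in CPython 3.11 and later, so it is not scanned here.

```python
# Added example (not the bot's or the authors' code). CPython only.
import ctypes
import sys

PTR = ctypes.sizeof(ctypes.c_void_p)


def find_pointer_fields(code, fields=("co_consts", "co_names")):
    """Map member name -> byte offset inside the PyCodeObject by matching its address."""
    size = type(code).__basicsize__           # fixed part of the struct only (safe to read)
    raw = ctypes.string_at(id(code), size)
    found = {}
    for name in fields:
        target = id(getattr(code, name)).to_bytes(PTR, sys.byteorder)
        for off in range(0, size - PTR + 1, PTR):   # pointer fields are pointer-aligned
            if raw[off:off + PTR] == target:
                found[name] = off
                break
    return found


def read_field(code, offset):
    """Dereference the pointer at a recovered offset as a Python object."""
    return ctypes.cast(id(code) + offset, ctypes.POINTER(ctypes.py_object)).contents.value


def demo():
    code = compile("a = b + 1", "<constructed>", "exec")
    offs = find_pointer_fields(code)
    same = read_field(code, offs["co_consts"]) is code.co_consts
    return offs, same
```

Against the custom interpreter the same trick works from a debugger or an injected thread: take the address of an object you can reach by other means (a tuple you can spot on the heap, a string from `co_names`), search the code object for it, and the real layout falls out without reading code.h.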
36. Custom Python / Bypass / Opcode unmapping
• Differential analysis
• Generate two sets of "pyc" files
• Find the opcode mapping
• Unmap the opcodes
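An added example for slides 29 and 36, not the authors' solver: the random opcode mixing is simulated as a permutation of CPython's own opcode numbers, and the mapping is recovered exactly as the slide describes, by compiling the same probe sources with the stock and the "custom" interpreter, aligning the instruction streams position by position and inverting. The permutation table and the probe sources are constructed for the example; it runs on CPython 3.6 and later, where one instruction occupies two bytes.

```python
# Added example (not the bot's or the authors' code). The remapped interpreter is
# simulated by a random permutation table; the probe sources are constructed.
import opcode
import random

WORD = 2   # CPython >= 3.6 wordcode: (opcode, arg) per two bytes


def make_remap_table(seed=1):
    """Random permutation over the real (< 256) opcode numbers, like a mixed opcode.h."""
    ops = sorted(v for v in opcode.opmap.values() if v < 256)
    shuffled = ops[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ops, shuffled))


def remap(code_bytes, table):
    """What the custom interpreter's compiler would emit for the same source."""
    out = bytearray(code_bytes)
    for off in range(0, len(out), WORD):
        out[off] = table[out[off]]
    return bytes(out)


def derive_mapping(pairs):
    """pairs: (stock co_code, custom co_code) for identical sources. Returns custom -> stock."""
    mapping = {}
    for stock, custom in pairs:
        if len(stock) != len(custom):
            raise ValueError("instruction streams differ; compilers are not the same version")
        for off in range(0, len(stock), WORD):
            s, c = stock[off], custom[off]
            if mapping.setdefault(c, s) != s:
                raise ValueError("opcode %d maps to two stock opcodes" % c)
    return mapping


def unmap(code_bytes, mapping):
    out = bytearray(code_bytes)
    for off in range(0, len(out), WORD):
        if out[off] not in mapping:
            raise KeyError("opcode %d never seen in the probe set; add more probes" % out[off])
        out[off] = mapping[out[off]]
    return bytes(out)


PROBES = [   # constructed; a real run needs a corpus wide enough to hit every opcode the bot uses
    "x = 1\nfor i in range(3):\n    x = x * 2 - i\nprint(x)\n",
    "def f(a, b=2, *r, **k):\n    try:\n        return a ** b\n    except TypeError:\n        return None\n",
    "s = [i for i in range(4) if i % 2]\nd = {k: v for k, v in zip(s, s)}\nclass C:\n    pass\n",
]


def all_code_objects(code):
    """Walk nested code objects (functions, comprehensions, class bodies) in co_consts."""
    yield code
    for c in code.co_consts:
        if hasattr(c, "co_code"):
            yield from all_code_objects(c)


def simulate_and_recover(seed=1):
    table = make_remap_table(seed)
    stock = [c for src in PROBES for c in all_code_objects(compile(src, "<probe>", "exec"))]
    pairs = [(c.co_code, remap(c.co_code, table)) for c in stock]
    mapping = derive_mapping(pairs)
    ok = all(unmap(custom, mapping) == orig for orig, custom in pairs)
    return mapping, table, ok
```

The recovered mapping only covers opcodes that appear in the probes, which is why the slide generates whole sets of pyc files rather than one; `unmap()` fails loudly on an unseen opcode instead of guessing. Against the real bot the "custom" side of each pair comes from running the probe sources through the bot's own python27.dll and collecting what its marshaller writes.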
37. Bot / Protection / Cython
38. Cython (c-api)

  def function(a, b):
      c = a + b - 0x0A
      return c ^ 0x70

  /* untyped arguments: every operation becomes a Python C-API call;
     vg_int_10 and vg_int_112 are the module-level constant objects 0x0A and 0x70 */
  PyObject *__pyx_f_4temp_function(PyObject *va, PyObject *vb) {
      PyObject *vl1, *vl2, *vl3;
      __Pyx_RefNannySetupContext("function", 0);
      vl1 = PyNumber_Add(va, vb);
      vl2 = PyNumber_Subtract(vl1, vg_int_10);
      vl3 = PyNumber_Xor(vl2, vg_int_112);
      __Pyx_RefNannyFinishContext();
      return vl3;
  }
39. Cython (Pure C)

  cdef long function(long a, long b):
      cdef long c = a + b - 0x0A
      return c ^ 0x70

  /* typed arguments and locals: plain C arithmetic, nothing left to hook at the C-API level */
  long __pyx_f_4temp_function(long va, long vb) {
      long vl1, vl2;
      __Pyx_RefNannySetupContext("function", 0);
      vl1 = (va + vb) - 0x0A;
      vl2 = vl1 ^ 0x70;
      __Pyx_RefNannyFinishContext();
      return vl2;
  }
40. Bot / Protection / Cython / Solving
41. Cython / Solving / Localization (markers that identify a Cython-built module)

Python < 3:
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• Py_InitModule4
• PyImport_AddModule to __builtin__
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString

Python >= 3:
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• PyModule_Create
• PyImport_AddModule to builtins
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString
43. PoS terminal in action (screenshot)
44. Service monitor
• Re-launches the bot and the PoS processes every 5 minutes
45. Job restriction
• Restricted token
• Trimmed privileges
• Memory peak limit
• Low integrity
• 2 processes only
46. Shell storage
• The service also grabs all injected shellcodes
• pos_1 / 75 shellcodes
• pos_2 / 59 shellcodes
47. Shellcode, first attempt
• Tries to download a meterpreter shell from the C&C and spawn it
48. Shellcode of the winner
• Sends 2 GB of the DSec VM's memory to the C&C :D
49. Hints (for 4 days)
• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends on a correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …
50. Questions?
Roman @nezlooy Bazhin, George @intROPy Nosenko, Peter @Python0x0 Kamensky