Sunday, August 25, 2013

Binary Auditing Training Package - Vulnerability Analysis Challenges (stack1.exe) - ImmunityDebugger

This is the first video I made for the "Binary Auditing Training Package" of http://www.binary-auditing.com. If you are already familiar with the package you'll see that it contains LOTS of challenges, and I decided to go to the chapter 10 "Vulnerability Analysis", no reason in particular; Basically because it sounds sexy. hehe.

Today, I am presenting the solution for the first challenge which consists basically in giving a solution for /010 - vulnerability analysis/01_warming_up_on_stack/stack1.exe of the package playing around with the stack through buffers using the ImmunityDebugger as a main tool. I am going to create the same solution but now using the IDA disassembler.

It is good to mention that all of the challenges for this chapter are the old Gera's InsecureProgramming challenges compiled as Windows executables. Originally, the researchers interested in source-code auditing can use those challenges -written in C- to understand how the code looks and then also identify/exploit such vulnerabilities contained within the code. Of course we can get the source for all the challenges, but we are good boys and we are not cheating and our target is to solve the challenges from a Reverse Code Engineering (RCE) perspective.

Said so, here the video:



Suggestions? Comments? Drop me an e-mail: chr1x@izpwning.me

 Links: 
Binary Auditing Training Package (http://www.binary-auditing.com)

Published by No comments:
Labels: , , ,

Thursday, August 22, 2013

The Binary Auditing Training Package (chr1x's Walkthrough)

Some time ago, browsing the Internetz I found a very very nice resource for those who are interested in learning BA (Binary Analysis) using tools such as IDA Pro. This resource in a shape of a training package called "Free IDA Pro Binary Auditing Training Material for University Lectures". This training is a complete set of information along with different "challenges" (Crackme's and ReverseMe's sounds familiar?) which are included on the same package with the aim to test your new knowledge. Nasty, right?

Since I am a guy who LOVES challenges, I've decided to start solving the contained challenges as a self-learning practice. I am going to publish the challenges on a video format just to give you an easy and graphical view of the way I used to solve them.

It is good to mention that I am not just doing dead-code analysis using IDA, I am also planning to follow the flow through the dynamic part (using a Debugger) in order to get a good understanding about how to analyze -or use the tools- depending of the target/situation.

As soon as I complete each challenge, I will update this blog so I'd suggest you to subscribe to the blog and you can get noticed once new content is uploaded.

I am going to advance as my spare time permits, It's not a promise but I'll try to upload stuff in a regular manner.

Final words:

I would like to extend my gratitude to Dr. Thorsten Schneider for give us the opportunity to get access to such amazing resource FOR FREE.

Links:

The Binary Auditing Training / Official website: http://www.binary-auditing.com/
The Binary Auditing Training Package (zip file) can be obtained directly from here.
- Zip password: fdcd2ff4c2180329053650f3075d39f4
- MD5 Hash: c2b4720549b3410385087fa1b1e28bc7


Published by No comments:
Labels: , , , , , , ,

Sunday, August 11, 2013

Tool update: MagicNumber Scanner v1.1.0

UPDATE: I'm glad to announce that my friend preth00nker and I worked together in the new version ( v1.1.0) of MagicNumber Scanner.

CHANGELOG
===========

v1.0
  • Initial version
v1.1.0
  • Converting to class code
  • Refactoring code
  • Adding rspec test files
  • Adding HTML capability
You can grab your copy directly from git:

https://github.com/chr1x/magicnumscanner/

Download it, test it, and let us know if you find any bug or if you want to contribute with the signatures db.

Thanks!

-chr1x
Published by 4 comments:
Labels: ,

Friday, August 9, 2013

Pwning Everywhere: The Bus Android Tablet

Hello everybody,

This new section is called "Pwning Everywhere" in where basically I will post -as the name says- all the coolest hacks I made in software, hardware or any weird thing that crosses my way.

This time, like a very curious guy I am, when traveling on a bus I was very bored and then I tried to watch some horror movies in the Android tablet which is located in front of the sit, so I just started looking for something good to see -nothing- then I decided to explore a bit. After poking around for some time this is what I found:

Access to the config



Access to the File system (looking for the horror movies) hehe


Access to the File system


Found a functionality to execute a shell!


Application shell access!


This was the first time I worked with Android and I think it was not so bad after all, but bad for my neck!

NOTE: I did not modified/deleted anything, for those who are scared about cracking actions. hehe

Thanks for watching.

-chr1x
Published by No comments:
Labels: ,

Thursday, August 8, 2013

Tool release: MagicNumber Scanner v1.0

Hello everybody,

As you may know, for certain activities in Reversing -like malware analysis- require a lot of tasks that can be automated using scripting languages and a big question comes here: "How I can do it? How it works?". In order to try to find an answer to those questions I decided to start exploring in how to use Ruby from the "binary" perspective.

There are a lot of different ways to deal with binary data, in this case I found that the simple "File" method can do the job. One important thing here is that you should "open" such file in read-only AND binary mode, otherwise you will get a lot of bad stuff, in terms of processing the right data.

As a result of this little research I wrote a tool called: "MagicNumber Scanner v1.0" which is basically a tool that receive as input a file and try to identify the file-type based on file signatures or in other words, the "Magic numbers".

I didn't try to reinvent the wheel, since you can use the "file" *nix/linux command actually, but in this case I am adding a little bit more of information like the generated URL based on the file-extension that you can visit if you have any doubt about what the file is, what program you can use to open it, and so on.

Below some screen captures:

Screenshot #1: Results when scanning an EXE file


Here we have a second case in where I arbitrarily renamed a file from .gif to .zip, and the tool shows how the magic-number detection identify that the real file-type is in fact a GIF file.

Screenshot #2: Results when scanning a fake ZIP file (originally is a GIF file)


Features:
  • Magic-number scanning based on a simple signature list.
  • Automatically generates a URL with the identified extension pointing to the http://filext.com/ website. (e.g. http://filext.com/file-extension/EXE)
TODO:

  • Generation of HTML report that shows more information about the file extension.
I had great time researching how to do such *things* in Ruby, I did it the same in the past and I really liked as well, but is always good how to do it using different languages.

I would recommend you to download the code and see what I did, try to replicate the same but with other purpose. Remember, the sky is the limit.

How to install:

From git, or you can download the .rb file from here, or the .exe version from here.

If you find any bugs, let me know. 

...and like Jason Hawes from TAPS/GhostHunters says: Onto the next. 

Thanks! ]¬)

Published by 2 comments:
Labels: , , , , ,

Sunday, August 4, 2013

PE101 - a Windows executable walkthrough

I found a very nice reference for a PE executable. This one shows up a very deep explanation of a "Dissected PE" structure through a graphical Hex-editor perspective. Enjoy!

Screenshot


You can get it from here.
Published by No comments:
Labels: , , , ,

Malicious Software and its Underground Economy: Two Sides to Every Story - My experience

Hello everybody,

As many of you may know, the  Royal Holloway, University of London along with Coursera joined forces and opened to the Internet a free-of-change course called "Malicious Software and its Underground Economy: Two Sides to Every Story". This course was made by a couple of researchers, mainly the Dr. Lorenzo Cavallaro which is a wonderful guy with a broad very experience on the field as well as a high technical skill regarding malware- related topics.

Basically, the 6 week long course was amazing and very educational. Going from theoretical information (bonus quizzes) and practical/reversing challenge -with some anti-debugging tricks-, this last one if you wanted to get a *distinction* in the certificate . Fortunately, I completed and passed all the quizzes at the 1st time and also completed the Reverse Engineering challenge (in a couple of minutes, actually) ]¬P.

 What I learned? Well, I found very useful information regarding Botnets, Mobile malware as well as how the Internet gangs operates to perform certain activities. I belive from a researcher perspective, this can allow us to enrich/increase our knowledge and to identify new lines of investigation as well as fresh techniques in order to identify this kind of malicious activities.

I support the fact of the Universities can open and give opportunities to all the people that cannot attend -phisically talking- to the university, like in this case.

I had great time taking the course as well as solving the RCE challenge. Also, I would like to thank Dr. Lorenzo for all the good content and effort provided within the course.

Now, let's wait for my certificate. ]¬)

Course link: https://class.coursera.org/malsoftware-001/index
Published by 15 comments:
Labels: , ,
Subscribe to: Posts (Atom)