• Lock and Load: Exploiting Counter Strike via BSP Map Files

    What makes Counter Strike an interesting target is that it relies on a game lobby for players to find and select servers to play on. Upon connecting to the server, the game client will automatically download any required resources (maps, textures, sounds, etc.). Once all of the resources have been downloaded, they have to be loaded and parsed from disk into memory. Only then will the client begin receiving commands and entity updates from the server.

    This automatic resource fetching looked like the ticket to a remotely exploitable vulnerability via a local file.

    The vulnerability discussed in this article has been disclosed to Valve Security, and the patch was publicly deployed on July 10th.

    I would like to extend my thanks to the Valve Security team and specifically to Alfred Reynolds who was my liaison during the disclosure process. The whole process, from initial email to fix, lasted less than 30 days. I certainly look forward to disclosing to Valve in the future. Read more →

  • CRC-32 VLSI Design Die Shots

    This is a follow-up to my previous post on creating a CRC-32 chip from scratch using Cadence; check that post for the design details.

    tl;dr: see die shot images

    After submitting my CRC-32 design to MOSIS for fabrication, I had to wait quite a while for the results (over 6 months), but considering it was

    1. Free
    2. An actual chip that I can physically hold in my hands
    3. Something I designed myself from scratch

    I was willing to wait. The wait was finally over in late December of 2015.

    [Photo: CRC-32 VLSI Chips from MOSIS]

    Read more →

  • Google CTF 2016 - For2

    We are given a PCAPNG file with a bunch of USB packets. Scanning through the PCAP, I noticed a large number of URB_INTERRUPT packets following some initial configuration and setup. On a hunch, I immediately suspected either a USB keyboard or mouse, because of the amount of data and the fact that every incoming packet was interrupt-driven (i.e. some kind of slow I/O device driven by a human).

    While looking at the packets, I initially assumed this was a keyboard, since it would be straightforward to hide a flag in keyboard data. I tried the obvious choice and googled for some Python that already solved this problem, and I came across this keyboard PCAP parser. I noticed that the offsets used in that script did not match the size of the packets I was seeing, so I did some more research on USB HID devices and came across this great page on USB mouse packets.

    The packet structure described there matched what I was seeing in the PCAP data. I confirmed this by looking for a USB descriptor packet from the device. I found the right packet at number 84 (below).

    No. |   Time   | Source | Dest | Protocol | Length | Info
    84  | 6.505211 | 1.3.0  | host |   USB    |   46   | GET DESCRIPTOR Response DEVICE

    The device descriptor decoding showed that this was definitely a mouse. Read more →
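    As an added example (not code from the original write-up), the following Python decodes the HID boot-protocol mouse reports that ride in URB_INTERRUPT packets, reconstructs the cursor path from the signed X/Y deltas, and checks an interface descriptor for the HID class and mouse protocol. All byte strings in it are constructed for the demo; the tshark invocation in the comment is an assumed way to pull `usb.capdata` values out of a real capture, not something from the post.

```python
# Added example (not code from the original write-up): decode the USB HID
# boot-protocol mouse reports carried in URB_INTERRUPT packets and check an
# interface descriptor for the HID mouse class/protocol. Every byte string
# below is constructed for the demo; in practice the capdata payloads would be
# pulled from the capture, e.g. (assumed tooling, not from the post):
#   tshark -r for2.pcapng -Y 'usb.transfer_type == 0x01' -T fields -e usb.capdata
import struct
from typing import List, Optional, Tuple

# USB interface descriptor layout (9 bytes): bLength, bDescriptorType (0x04),
# bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass,
# bInterfaceSubClass, bInterfaceProtocol, iInterface.
# HID class is 0x03; with the boot subclass, protocol 1 = keyboard, 2 = mouse.
HID_CLASS = 0x03
HID_BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}


def hid_device_kind(interface_descriptor: bytes) -> Optional[str]:
    """Return 'keyboard' or 'mouse' if the interface descriptor advertises a
    HID boot-protocol device, otherwise None."""
    d = interface_descriptor
    if len(d) < 9 or d[1] != 0x04 or d[5] != HID_CLASS:
        return None
    return HID_BOOT_PROTOCOLS.get(d[7])


def capdata_to_bytes(field: str) -> bytes:
    """Turn a tshark usb.capdata value (hex, with or without ':' separators)
    into raw bytes."""
    return bytes.fromhex(field.replace(":", "").strip())


def decode_mouse_report(report: bytes) -> Tuple[int, int, int]:
    """Boot-protocol mouse report: byte 0 is a button bitmask (bit0 left,
    bit1 right, bit2 middle), byte 1 the X delta and byte 2 the Y delta, both
    signed 8-bit. A 4th byte, when present, is the wheel and is ignored here.
    This layout is why keyboard-parser offsets (8-byte reports with keycodes
    at bytes 2..7) do not line up with mouse traffic."""
    if len(report) < 3:
        raise ValueError(f"mouse report too short: {report!r}")
    buttons, dx, dy = struct.unpack_from("<Bbb", report)
    return buttons, dx, dy


def reconstruct_path(reports: List[bytes], start=(0, 0)):
    """Integrate the relative deltas into absolute coordinates. Returns
    (all_points, drawn_points): the cursor position after every report, and
    the subset where the left button was held, which is the set you would
    plot to see anything the user drew."""
    x, y = start
    all_points, drawn = [], []
    for r in reports:
        buttons, dx, dy = decode_mouse_report(r)
        x, y = x + dx, y + dy
        all_points.append((x, y))
        if buttons & 0x01:
            drawn.append((x, y))
    return all_points, drawn


# Constructed interface descriptor for a boot-protocol mouse (class 3,
# subclass 1, protocol 2).
SAMPLE_INTERFACE = bytes([0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x02, 0x00])

# Constructed capdata values in the form tshark prints them: move right twice,
# press the left button and drag down twice, then release and move left.
SAMPLE_CAPDATA = ["00:05:00", "00:03:00", "01:00:04", "01:00:04", "00:fe:00"]
SAMPLE_REPORTS = [capdata_to_bytes(c) for c in SAMPLE_CAPDATA]

if __name__ == "__main__":
    print("device:", hid_device_kind(SAMPLE_INTERFACE))
    points, drawn = reconstruct_path(SAMPLE_REPORTS)
    print("path: ", points)
    print("drawn:", drawn)
```

    Feeding the real capdata lines through `capdata_to_bytes` and `reconstruct_path`, then plotting `drawn`, is the step that turns a pile of interrupt transfers into something readable; the device-kind check is what tells you up front whether to expect 3-byte mouse reports or 8-byte keyboard reports.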

  • Very Good News: Poorly Written Ransomware (LoroBot)

    Author’s note: this report was written by me for Practical Malware Analysis (CAP6137, spring 2016) at UF. It’s written in a role-playing fashion.

    Our team at Skynth Security has discovered and analyzed a new ransomware sample categorized as W32.VeryBadNews!Ransom. Upon execution, it changes the desktop background to an extortion image asking for money and encodes important user files with a fixed XOR key. It logs every encoded file and pops up a notable message in Notepad: “Very bad news”.

    Unlike more sophisticated ransomware, this sample does not encrypt files in a cryptographically sound way, nor does it generate a random key or a public/private key pair per machine. A single fixed XOR key is used to encode and decode every file.

    The best part is that the malware author included a routine for decrypting the file system as well. Given the command-line argument rafgapnkucmghgklmgtiftqgtswqtrim, the malware reads the CryptoLogFile and decrypts every file path listed in it.
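    Because the key is fixed and XOR is its own inverse, a victim does not even need the malware's own undo routine. As an added example (not the malware's code), the Python below recovers a repeating XOR key of unknown length from one encoded file whose first bytes are known (a PNG or PDF signature), then walks a log of encoded paths, the way the malware's own routine walks its log file, and decodes each one. The key, the file contents and the log are all constructed for the demo; the sample's real key is not reproduced.

```python
# Added example (not the malware's own code): a known-plaintext attack on the
# fixed repeating XOR key used by this kind of "encryption", followed by a
# decoder that works through the list of encoded paths the malware logs.
# The key, the file contents and the log are all constructed for the demo;
# the sample's real key is not reproduced here.
from itertools import cycle
from typing import Dict

# Fixed file-type signatures: a known plaintext for the first bytes of any
# encoded file of that type.
SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call both encodes and decodes; that is the whole weakness."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(encoded: bytes, known_prefix: bytes, max_key_len: int = 64) -> bytes:
    """Recover a repeating XOR key from an encoded file whose first
    len(known_prefix) plaintext bytes are known (e.g. a PNG signature).
    encoded XOR known_prefix yields the keystream at those positions; the
    shortest period the keystream repeats with is the key. The prefix must
    be longer than the key for the period check to confirm anything, so a
    5-byte PDF signature cannot confirm a 5-byte key (ValueError)."""
    ks = xor_bytes(encoded[:len(known_prefix)], known_prefix)
    for klen in range(1, min(max_key_len, len(ks) - 1) + 1):
        if all(ks[i] == ks[i - klen] for i in range(klen, len(ks))):
            return ks[:klen]
    raise ValueError("no repeating key confirmed; known prefix too short or wrong")


def decode_logged_files(log_text: str, disk: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Decode every path listed in the malware's log (one path per line,
    mirroring what its own undo routine does with the log file), returning
    {path: decoded bytes}. `disk` stands in for the file system."""
    decoded = {}
    for line in log_text.splitlines():
        path = line.strip()
        if path and path in disk:
            decoded[path] = xor_bytes(disk[path], key)
    return decoded


# Constructed sample: a 5-byte key, two small "files", and the log the
# malware would have written after encoding them.
CONSTRUCTED_KEY = bytes.fromhex("5a13c7092e")
PLAINTEXTS = {
    r"C:\Users\victim\Pictures\cat.png": SIGNATURES[".png"] + b"\x00\x00\x00\x0dIHDR...",
    r"C:\Users\victim\Documents\taxes.pdf": SIGNATURES[".pdf"] + b"1.4\n%\xe2\xe3\xcf\xd3\n",
}
ENCODED_DISK = {p: xor_bytes(data, CONSTRUCTED_KEY) for p, data in PLAINTEXTS.items()}
CONSTRUCTED_LOG = "\n".join(PLAINTEXTS) + "\n"


def recover_and_decode() -> Dict[str, bytes]:
    """Use the PNG (8 known bytes) as the known plaintext, then undo every
    file the log lists."""
    png_path = next(p for p in ENCODED_DISK if p.lower().endswith(".png"))
    key = recover_key(ENCODED_DISK[png_path], SIGNATURES[".png"])
    return decode_logged_files(CONSTRUCTED_LOG, ENCODED_DISK, key)


if __name__ == "__main__":
    png = next(p for p in ENCODED_DISK if p.lower().endswith(".png"))
    print("recovered key:", recover_key(ENCODED_DISK[png], SIGNATURES[".png"]).hex())
    for path, data in recover_and_decode().items():
        print(path, data[:8])
```

    The practical point is which file to pick as known plaintext: choose one whose signature is longer than any plausible key, or a file you still have an unencoded copy of (a browser cache or an e-mail attachment), since the longer the known prefix, the longer a key the period check can confirm.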

    There are no significant obfuscation methods besides some strange repeating strings. The binary is not packed and is quite easy to read. It is apparent that it is traversing the file system, given the imports FindFirstFileA, FindNextFileA, and GetLogicalDrives.

    To detect this sample accurately, a host-based check for the creation of either C:\Windows\CryptLogFile.txt or C:\Ïðî÷òè Ìåíÿ - êàê ðàñøèôðîâàòü ôàéëû.txt would be sufficient. (The second name is the Windows-1251 Russian string “Прочти Меня - как расшифровать файлы.txt”, “Read Me - how to decrypt files.txt”, as it renders under a Western ANSI code page; the exact characters on disk depend on the victim system's code page, so a detection should match both forms.) Read more →

  • CRC-32 VLSI Design using Cadence's Virtuoso

    This semester at UCF I enrolled in a 5000-level (graduate-level) Very Large Scale Integration (VLSI) class entitled EEE5390 “Full-Custom VLSI Design”. It caught my eye back in the Spring of 2014 when I noticed another student’s screen as they designed a chip. The mash-up of colored rectangles and wiring intrigued me. Later I learned that the best designs would actually be fabricated through MOSIS, a university chip fabrication service. This was a big pull in my decision to take the class – how often do you get to say your design is baked into a working piece of silicon?

    With that, I decided to give it a shot this spring.

    [Image: VLSI Rats Nest]

    Read more →

  • Bitmap Fun

    This week a friend of mine suggested that I make something cool with bitmaps. Normally most of the code I write is pretty low level, but I’ve gotten more and more interested in graphics. So, I thought of an interesting idea and challenged myself to implement it. Here are some of the results:

    Read more →

  • CSAW CTF: Exploitation 200

    My previous experience with exploitation from the IO wargame on Smash the Stack led me to choose this challenge as my first target in the CSAW competition.

    The challenge text is such:

    nc 54321
    Read the key out of ./key in the current working directory.

    I/O Analysis

    Okay, let's run the command and see what type of response we get. Note: on my machine `nc` is `ncat`, because I am using the version that comes with nmap:

    $ ncat 54321
    Wecome to my first CS project.
    Please type your name:

    I’ll take that misspelling as subtle humor. This seems pretty straightforward: we give the program a specially crafted name as input and it gives us the key. Time to investigate the executable. Read more →

  • CSAW CTF: Reversing 400

    After downloading the executable, I use file to get some information:

    thinkfast ~/learning/csaw-2012 $ file csaw2012reversing
    csaw2012reversing: ELF 64-bit LSB executable, x86-64, ...

    Uh oh. My system is 32-bit and I don’t have any cross compilers installed. Luckily, I have an Amazon AWS account. I spin up a generic 64-bit Ubuntu micro instance, transfer the file, and begin investigating.

    A quick run of the program prints the target key, but it’s encrypted. No command-line arguments are accepted, so this problem requires patching the binary. Read more →
