Python in a Hacker's Toolbox

Python in a hacker's toolbox, v. 2016
Gynvael Coldwind
Security PWNing Conference, Warszawa 2016

Keynote? More of a technical talk.

About the speaker

All opinions expressed during this presentation are mine and mine alone. They are not opinions of my lawyer, barber and especially not my employer.

Menu

    Sandboxing
    The language and the VM
    Security
    RE

This presentation contains fragments of:

    "Data, data, data..."
    "On the battlefield with the dragons" (+ Mateusz Jurczyk)
    "Ataki na systemy i sieci komputerowe"
    "Pwning (sometimes) with style - Dragons' notes on CTFs" (+ Mateusz Jurczyk)
    "Python in a hacker's toolbox"


The language and the VM

Python 2.6, 2.7, 3, CPython?, IronPython??, Jython???, oh my...

    The language is developed by the Python Software Foundation.
    Changes to it go through Python Enhancement Proposals (PEP for short).

Python implementations (https://wiki.python.org/moin/PythonImplementations):

    CPython, Brython, CLPython, Jython, HotPy, pyjs, PyMite, PyPy, pyvm,
    SNAPpy, RapydScript, IronPython, tinypy

    The slides single out Jython, Brython and IronPython, and then CPython:
    the reference implementation, in its 2.7 and 3.X lines. This presentation
    is about CPython.

Python compilers (same wiki list): 2c-python, Compyler, Cython, GCC, Nuitka, Pyc, Shed Skin, unPython

Python bundlers ("freezers"): py2app, PyInstaller, cx_Freeze, py2exe, bbfreeze
    http://tynecki.pl/pdf/A-comparison-of-reverse-engineering-methods-for-Python-compiled-binaries-Piotr-Tynecki.pdf

Python as a programming language (1 April)
    http://gynvael.coldwind.pl/?id=599

Python as a programming language:

    object-oriented
    dynamically typed
    very sensible ints
    tons of libraries
    excellent introspection


RE

PY → PYC → PY

simple.py:

    def func(a):
        print(a+1)

    func(41)

    $ python -m compileall simple.py

Layout of the resulting simple.pyc (CPython 2.7): a version signature (the
magic number) ending in a newline character, a 4-byte timestamp, and then the
serialized code object.

    >>> import datetime
    >>> print(datetime.datetime.fromtimestamp(0x58206240))
    2016-11-07 12:15:12

The serialized part is a marshal dump of an object of class code:

    >>> import marshal
    >>> c = marshal.loads(open("simple.pyc").read()[8:])
    >>> c
    <code object <module> at 0x7fdcd3fa66b0, file "simple.py", line 1>

Its co_code is bytecode for a stack machine:

    >>> import dis
    >>> dis.dis(c)
      1           0 LOAD_CONST               0 (<code object func at...>)
                  3 MAKE_FUNCTION            0
                  6 STORE_NAME               0 (func)

      4           9 LOAD_NAME                0 (func)
                 12 LOAD_CONST               1 (41)
                 15 CALL_FUNCTION            1
                 18 POP_TOP
                 19 LOAD_CONST               2 (None)
                 22 RETURN_VALUE

Read back as source:

    func = MAKE_FUNCTION(CONST[0])
    func(41)
    return None

The nested code object is the body of func:

    >>> dis.dis(c.co_consts[0])
      2           0 LOAD_FAST                0 (a)
                  3 LOAD_CONST               1 (1)
                  6 BINARY_ADD
                  7 PRINT_ITEM
                  8 PRINT_NEWLINE
                  9 LOAD_CONST               0 (None)
                 12 RETURN_VALUE

Read back as source:

    print(a+1)
    return None

Original source on the left, recovered source on the right:

    def func(a):              def func(a):
        print(a+1)                print(a+1)
                                  return None
    func(41)                  func(41)
                              return None

Decompilers:

    Easy Python Decompiler - https://sourceforge.net/projects/easypythondecompiler/
    Decompyle++ - https://github.com/zrax/pycdc
    uncompyle2 - https://github.com/Mysterie/uncompyle2

Bytecode vs. CPython versions: http://gynvael.coldwind.pl/rebook/py_opcodes.html


RE example: "What's wrong with this?" (Hack.lu 2013, 250 points)

The task ships hello.tar, which contains library.zip, which in turn contains
(among other files) __main__hello__.pyc.

Structure of pyc files: http://nedbatchelder.com/blog/200804/the_structure_of_pyc_files.html

__main__hello__.pyc, names and code:

    [Names]
    'sys' 'hashlib' 'sha256' 'dis' 'multiprocessing' 'UserList'
    'encrypt_string' 'rot_chr' 'SECRET' 'argv'

    [Code]
    Object Name: encrypt_string
    ...
    [Disassembly]
      0 BUILD_LIST 0
      3 STORE_FAST 1: new_str
      6 SETUP_LOOP 99 (to 108)
      9 LOAD_GLOBAL 0: enumerate
     12 LOAD_FAST 0: s
     15 CALL_FUNCTION 1
     18 <INVALID>

Decompyle++ gives up at the same spot:

    # Source Generated with Decompyle++
    # File: __main__hello__.pyc (...)

    import sys
    import dis
    import multiprocessing
    import UserList

    def encrypt_string(s):
        pass
    # WARNING: Decompyle incomplete

The task authors modified CPython's bytecode (the opcode numbering). For example:

    ...
    114 LOAD_FAST 1: new_str
    117 CALL_FUNCTION 1
    120 IMPORT_STAR
    <the end>

A function body should end in RETURN_VALUE, and in opcode.h that opcode sits
right next to IMPORT_STAR:

    #define RETURN_VALUE 83
    #define IMPORT_STAR  84

Swapped opcode pairs found in the task:

    53 ↔ 54    DELETE_SLICE vs STORE_MAP
    62 ↔ 63    BINARY_LSHIFT vs BINARY_RSHIFT
    44 ↔ 45    ? vs ?
    19 ↔ 18    BINARY_POWER vs ?
    57 ↔ 58    INPLACE_MULTIPLY vs INPLACE_DIVIDE

encrypt_string disassembled with the corrected opcode table (fragments shown on the slide):

    BUILD_LIST 0
    STORE_FAST 1 (new_str)
    SETUP_LOOP 98 (to 107)
    ...
    GET_ITER
    FOR_ITER 85 (to 107)
    ...
    COMPARE_OP 2 (==)
    POP_BLOCK
    POP_JUMP_IF_FALSE 68
    ...
    RETURN_VALUE
    LOAD_FAST 1 (new_str)
    ...
    JUMP_ABSOLUTE 19
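The two steps above, the PY → PYC → PY walk-through and the Hack.lu opcode renumbering, can be carried out with one small tool. The following is an added example written for this page, not code from the talk or from any of the listed decompilers. It targets CPython 3.7+ (16-byte header: magic, flags, mtime, source size; 2-byte instructions), whereas the slides show 2.7 files with an 8-byte header and 1- or 3-byte instructions. The sample source, the `renumber` stand-in for a modified interpreter, and the `(RETURN_VALUE, POP_TOP)` swap used to exercise it are constructed for the example; the Hack.lu pairs listed on the slide name 2.7 opcodes that no longer exist in recent CPython.

```python
"""pyc inspector for CPython 3.7+ (added example, not code from the talk).

Parses the header, unmarshals the code object, and disassembles the raw
wordcode with a pluggable opcode-name table, so that a renumbered opcode
set can be corrected by editing the table instead of the interpreter.
"""
import dis
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
import types

# Constructed stand-in for the slide's simple.py.
SAMPLE_SRC = "def func(a):\n    print(a + 1)\n\nfunc(41)\n"


def build_sample_pyc():
    """Write simple.py to a temp dir and compile it (like `python -m compileall`)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "simple.py")
    with open(src, "w") as f:
        f.write(SAMPLE_SRC)
    pyc = py_compile.compile(src, cfile=os.path.join(d, "simple.pyc"), doraise=True,
                             invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
    return src, pyc


def read_pyc(path):
    with open(path, "rb") as f:
        return f.read()


def parse_header(data):
    """Header fields; magic_ok is False when the file targets another CPython."""
    magic, flags, mtime, size = struct.unpack("<4sIII", data[:16])
    return {"magic_ok": magic == importlib.util.MAGIC_NUMBER,
            "flags": flags, "mtime": mtime, "source_size": size}


def header_matches_source(header, src):
    """Cross-check the recorded mtime and size against the .py on disk."""
    st = os.stat(src)
    return (header["mtime"] == int(st.st_mtime) & 0xFFFFFFFF
            and header["source_size"] == st.st_size & 0xFFFFFFFF)


def load_code(data):
    """The marshalled code object follows the header (offset 8 on 2.7, 16 here)."""
    return marshal.loads(data[16:])


def nested_code(code):
    """Code objects stored in co_consts, e.g. the body of func."""
    return [c for c in code.co_consts if isinstance(c, types.CodeType)]


def raw_disassemble(code_bytes, table=None):
    """Decode (opcode, arg) words using `table` (default: this interpreter's
    dis.opname). CACHE words (3.11+) are skipped; EXTENDED_ARG is folded in."""
    table = list(dis.opname) if table is None else table
    out, ext = [], 0
    for i in range(0, len(code_bytes), 2):
        name, arg = table[code_bytes[i]], code_bytes[i + 1]
        if name == "CACHE":
            continue
        if name == "EXTENDED_ARG":
            ext = (ext | arg) << 8
            continue
        out.append((name, ext | arg))
        ext = 0
    return out


def swapped_table(pairs):
    """dis.opname with each named pair's numbers exchanged: the analyst's
    corrected table for an interpreter that renumbered those opcodes."""
    table = list(dis.opname)
    for a, b in pairs:
        ia, ib = dis.opmap[a], dis.opmap[b]
        table[ia], table[ib] = table[ib], table[ia]
    return table


def renumber(code_bytes, pairs):
    """Constructed stand-in for bytecode emitted by a CPython whose opcode
    numbers were swapped, as in the Hack.lu task. Only the opcode byte of
    each word is touched; arguments and CACHE words stay as they are."""
    fwd = {}
    for a, b in pairs:
        fwd[dis.opmap[a]], fwd[dis.opmap[b]] = dis.opmap[b], dis.opmap[a]
    out = bytearray(code_bytes)
    for i in range(0, len(out), 2):
        out[i] = fwd.get(out[i], out[i])
    return bytes(out)


if __name__ == "__main__":
    src, pyc = build_sample_pyc()
    data = read_pyc(pyc)
    print(parse_header(data))
    module = load_code(data)
    for name, arg in raw_disassemble(module.co_code):
        print(f"{name:<20} {arg}")
    dis.dis(nested_code(module)[0])  # stock disassembler, for comparison
```

Running the script prints the header, the module-level instructions (MAKE_FUNCTION, STORE_NAME, the call to func) and the body of func. To reproduce the Hack.lu situation, feed `renumber(func.co_code, pairs)` to `raw_disassemble` with the stock table and the names come out wrong exactly where the swapped opcodes sit; `swapped_table(pairs)` restores the original listing. In practice the pairs are found the way the slide shows: from instructions that cannot be where they are (a function ending in IMPORT_STAR) and from neighbouring numbers in opcode.h.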
rot_chr, with the stack traced step by step as on the slides (<...> marks the element just pushed on the stack):

    LOAD_GLOBAL 0 (chr)
    LOAD_GLOBAL 1 (ord)
    LOAD_FAST 0 (c)               stack: <c>
    CALL_FUNCTION 1               stack: ord(c)
    LOAD_CONST 1 (33)             stack: ord(c) <33>
    BINARY_SUB                    stack: ord(c)-33
    LOAD_FAST 1 (amount)          stack: ord(c)-33 <amount>
    BINARY_ADD
    LOAD_CONST 2 (94)
    BINARY_MODULE
    LOAD_CONST 1 (33)
    BINARY_ADD
    CALL_FUNCTION 0
    RETURN_VALUE
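The slides trace the stack by hand; the same bookkeeping can be done mechanically for straight-line code by pushing source fragments instead of values. The following is an added example written for this page, not code from the talk. The `ROT_CHR` listing is a constructed transcription of the slide using the full CPython 2.7 opcode names (BINARY_SUBTRACT, BINARY_MODULO for the slide's BINARY_SUB and BINARY_MODULE) and `CALL_FUNCTION 1` for the outer chr() call, which takes the one value left on the stack; `lift` and `check_lift` are the example's own helpers.

```python
"""Symbolic stack lifting of rot_chr (added example, not code from the talk).

Each instruction is applied to a stack of source strings rather than values;
the expression handed to RETURN_VALUE is the recovered return statement.
"""

BINARY_OPS = {
    "BINARY_ADD": "+", "BINARY_SUBTRACT": "-", "BINARY_MULTIPLY": "*",
    "BINARY_DIVIDE": "/", "BINARY_MODULO": "%", "BINARY_POWER": "**",
    "BINARY_LSHIFT": "<<", "BINARY_RSHIFT": ">>", "BINARY_AND": "&",
    "BINARY_OR": "|", "BINARY_XOR": "^",
}

# Constructed transcription of the slide's rot_chr listing: (opname, argument)
# pairs as dis prints them, with names and constants already resolved.
ROT_CHR = [
    ("LOAD_GLOBAL", "chr"), ("LOAD_GLOBAL", "ord"), ("LOAD_FAST", "c"),
    ("CALL_FUNCTION", 1), ("LOAD_CONST", 33), ("BINARY_SUBTRACT", None),
    ("LOAD_FAST", "amount"), ("BINARY_ADD", None), ("LOAD_CONST", 94),
    ("BINARY_MODULO", None), ("LOAD_CONST", 33), ("BINARY_ADD", None),
    ("CALL_FUNCTION", 1), ("RETURN_VALUE", None),
]


def lift(instructions):
    """Return (expression source, trace), where trace holds the stack after
    every instruction: the column the slides draw next to the listing."""
    stack, trace = [], []
    for op, arg in instructions:
        if op in ("LOAD_GLOBAL", "LOAD_FAST", "LOAD_NAME"):
            stack.append(str(arg))
        elif op == "LOAD_CONST":
            stack.append(repr(arg))
        elif op in BINARY_OPS:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(f"({lhs} {BINARY_OPS[op]} {rhs})")
        elif op == "CALL_FUNCTION":
            args = [stack.pop() for _ in range(arg)][::-1]
            fn = stack.pop()
            stack.append(f"{fn}({', '.join(args)})")
        elif op == "RETURN_VALUE":
            result = stack.pop()
            trace.append((op, list(stack)))
            return result, trace
        else:
            # Jumps and loops need a control-flow graph, not a single stack walk.
            raise NotImplementedError(op)
        trace.append((op, list(stack)))
    raise ValueError("no RETURN_VALUE in listing")


def check_lift(expr, c, amount):
    """Evaluate the lifted source on concrete inputs, with only chr and ord
    available, to confirm the recovered expression behaves like rot_chr."""
    return eval(expr, {"__builtins__": {}, "chr": chr, "ord": ord},
                {"c": c, "amount": amount})


if __name__ == "__main__":
    expr, trace = lift(ROT_CHR)
    for op, stack in trace:
        print(f"{op:<18} stack: {' '.join(stack)}")
    print("return", expr)
    print(check_lift(expr, "~", 1))  # '~' + 1 wraps around to '!'
```

The lift yields `chr(((((ord(c) - 33) + amount) % 94) + 33))`, i.e. a rotation over the 94 printable ASCII characters from '!' to '~'; `check_lift` evaluates that string against concrete inputs so the recovered expression, not just the listing, is what gets verified.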
