Archive for February, 2009

Loading an Exe from Memory

Sunday, February 15th, 2009

CyberWART maintains custom implants for use in our penetration testing services — and for a few customers. Sometimes we need to conduct assessments where the testing is “black” to all but the most senior leadership. In these cases, we need to leverage real-world techniques. An ongoing problem has been loading generic EXEs and executing them.

Most binders and similar tools out there use the MS CreateProcess() function. It’s a lovely function, but its argument is a file on disk. LoadLibrary() has a similar problem. These functions get the job done, but needing to write them to disk creates too much noise for me.

Next all the leet hackers will talk about writing a custom loader. It’s not all that hard to load a simple exe or dll, but it’s difficult to do it for general EXEs. Fortunately, I found a wonderful MS class to help out! The Assembly class’s Load() method does just the trick.

Assembly::Load Method (array<Byte>[])

Loads the assembly with a common object file format (COFF)-based image containing an emitted assembly. The assembly is loaded into the domain of the caller.

public:
static Assembly^ Load(
    array<unsigned char>^ rawAssembly
)

Leave it up to Microsoft to give the badguy the tools they need. :)
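A worked example of the method above, added here and not part of the original post. The class and method names (MemoryLoadDemo, LoadFromBytes, MemoryOnlyAssemblies) are hypothetical, and the program assumes the path of some managed assembly is supplied on the command line (it falls back to its own image). Two points a practitioner should take from it: Load(byte[]) accepts only CLR assemblies, so a native Win32 EXE raises BadImageFormatException rather than loading, and an assembly loaded from a byte array has an empty Location, which is exactly the property an in-process check or an EDR can enumerate to flag memory-only loads.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

// Added example (not from the original post): shows what
// Assembly.Load(byte[]) does and the trace it leaves behind.
class MemoryLoadDemo
{
    // Loads a managed assembly image from a byte array. Only CLR
    // assemblies are accepted; a native PE raises BadImageFormatException.
    static Assembly LoadFromBytes(byte[] image)
    {
        try
        {
            return Assembly.Load(image);
        }
        catch (BadImageFormatException ex)
        {
            Console.WriteLine("Not a managed assembly: " + ex.Message);
            return null;
        }
    }

    // Defender-side check: lists assemblies in the current AppDomain that
    // have no on-disk location, i.e. were loaded from memory, not a file.
    // Dynamic (Reflection.Emit) assemblies are skipped because their
    // Location property is not supported.
    static Assembly[] MemoryOnlyAssemblies()
    {
        return AppDomain.CurrentDomain.GetAssemblies()
            .Where(a => !a.IsDynamic && string.IsNullOrEmpty(a.Location))
            .ToArray();
    }

    static void Main(string[] args)
    {
        // Sample input: path to any managed assembly (assumed to be given on
        // the command line; the program's own image is used otherwise).
        string path = args.Length > 0
            ? args[0]
            : Assembly.GetExecutingAssembly().Location;
        byte[] image = File.ReadAllBytes(path);

        Assembly loaded = LoadFromBytes(image);
        if (loaded != null)
        {
            Console.WriteLine("Loaded:   " + loaded.FullName);
            // Location is the empty string for a byte-array load.
            Console.WriteLine("Location: '" + loaded.Location + "'");
        }

        foreach (Assembly a in MemoryOnlyAssemblies())
            Console.WriteLine("memory-only assembly: " + a.FullName);
    }
}
```

Build with csc and run it against any small console application to see the empty Location; feed it a native EXE such as notepad.exe and the BadImageFormatException path is taken instead, which is the limit of this approach for "general EXEs".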

Reversing Patches

Sunday, February 15th, 2009

I (probably) have a long-term reverse engineering gig coming up shortly. Therefore, I’ve been working to beef up my RE skills. I recently saw a blog posting that MS09-002 would likely be turned into an exploit. MS09-002 is actually a couple of vulnerabilities in IE7. I probably should have looked for something slightly less difficult, but it’s what has interested me.

Finding the patch and which files it updated was relatively trivial. Unfortunately, there were several DLLs modified. But given the bug description I took a few educated guesses. I grabbed those files and the unpatched equivalents. I loaded them in IDA and used Tenable’s patchdiff2 to find the differences. Here’s where I really ran into difficulties.

The first difficulty was that I had over 600 unmatched functions. I believe this is because my version of the DLL was out of date — I use VMware Server and therefore have limited snapshot ability. I searched around my VMs and found another few versions of the DLL. The most promising version had only 60 unmatched functions. I started digging into that version. After several hours of comparing lines of assembly, I got frustrated at there being no differences. I looked a little harder at patchdiff and, while the functions are “unmatched”, the CRC/hashes are the same. Only some weird parsing quirk separated them. I checked the details on the DLL and, unfortunately, it’s the same build — i.e. I wasted my time comparing two versions of the same file.

Now, I am again looking through my systems for a proper DLL, one that is sufficiently patched but not patched against MS09-002. For such a minor thing, this is a fairly difficult problem as I can’t find any resources that help. Any ideas?

What’s up with those security sites?

Sunday, February 8th, 2009

Stolen from Metasploit:

Pathetic DDoS vs Security Sites

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well. About 95% of the bots would intermittently resolve metasploit.com and follow the target address with the connection flood. The other 5% continued to bang on the main metasploit.com IP address and port even after the host record was changed.

Solving this involved parking the metasploit.com host record at 127.0.0.1 and moving the other host names and services to a spare IP address. This allows for www.metasploit.com and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can’t use the metasploit.com A record, which happens to be the default for updating the Metasploit Framework installation. A fun side effect is that they handed us full control of the DDoS stream: we can point the metasploit.com record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we can safely use the metasploit.com name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)

Shmoocon 09!!

Thursday, February 5th, 2009

We’re just hours away from Shmoocon 2009. I’m very excited. I’m looking forward to seeing my friends from around the country. Defcon is definitely the major US hacker conference, but nothing compares to Shmoocon for me. It’s local, it’s fun, there are smart people, and of course big brother. It’s quite a mix!

This year G2 is sending a lot of people — at least 10! So it should be a lot of fun. We have a booth, Guitar Hero, and maybe a few extras. The plan is to mainly have fun at the booth. Guitar Hero is going to run the whole time and we’re trying to hire like crazy so it’s hard to have a bad time. On Saturday night we’re having a Guitar Hero contest with $250 in prizes. While not a lot of money, it should help you keep up at the after parties. So stop by, say hi and help me justify the event to my management!

Big brother bothers me

Thursday, February 5th, 2009

I’ve been monitoring traffic to Cyberwart more closely. Recently I saw this entry in the log:

moses.radium.ncsc.mil

Going to my favorite whois utility I see:

Network Whois record

Queried whois.arin.net with “144.51.73.129”…

OrgName:    National Computer Security Center
OrgID:      NCSC-3
Address:    9800 Savage Road
City:       Fort George G. Meade
StateProv:  MD
PostalCode:
Country:    US

NetRange:   144.51.0.0 - 144.51.255.255
CIDR:       144.51.0.0/16
NetName:    NCSC
NetHandle:  NET-144-51-0-0-1
Parent:     NET-144-0-0-0-0
NetType:    Direct Assignment
NameServer: ROMULUS.NCSC.MIL
NameServer: ZOMBIE.NCSC.MIL
NameServer: BARRIER.NCSC.MIL
NameServer: GRIZZLY.NRL.NAVY.MIL
Comment:
RegDate:    1990-11-13
Updated:    2008-12-31

RTechHandle: AMM32-ARIN
RTechName:   McCool, Anna M.
RTechPhone:  +1-301-688-5267
RTechEmail:  amm@romulus.ncsc.mil

I’m sure it was just a random employee but stuff like that is enough to make anyone uncomfortable.

I swear I’m not a sysadmin

Thursday, February 5th, 2009

At least I don’t think I’m a sysadmin, but as I try to keep more of my own hardware up and running it seems like I am. I finally upgraded the drives in my primary server. I had 1.5TB but I was running low, so I bought a new drive. I’m not made of money, so obviously I didn’t buy the drive from Dell with a 4x markup on it. As it turns out, to upgrade a drive on a 2950 you need two things that don’t come with an off-the-shelf hard drive — first the tray and second an “interposer board”, specifically the PN939. On the upside, I got over my fear of wrecking my system and tried the hot swap, and it worked perfectly!