Toorcon has sadly come to an end, but I promised everyone that I'd release NoxDbg. So here it is. The install.txt is actually somewhat important to read, due to some weird things that happened with the DL module that I had to fix. Hopefully the instructions actually work for you.
And just what is NoxDbg? Well, if you like the Dbg part in pyDbg, but not the py, NoxDbg might be for you. The bottom line is that it allows for one to script debuggers in ruby. There are many tasks that this is beneficial for such as: fuzzer creation, random code injection, and any other random tasks that you can come up with that aren't so suitable for a human to be doing. So, download NoxDbg and tell me what needs to be fixed or added. Note, I intentionally did NOT include process snapshotting since it is extremely hard to do correctly with the handle fixups.
Hopefully we will have a release of Byakugan out soon, since I know a lot of people are getting annoyed at not being able to try it out.
Oh, one more thing, to get in contact with me about NoxDbg or whatever your concern is, drop me a line at lin0xx [at] metasploit [dot] com or join metasploit on silc.nologin.org.
Well, instead of going to defcon this year, I've decided to take a new route and go to a far away place in asia that isn't at all like the city that never sleeps in the southwest corner of the USA. Yes, that's right ladies and gentlemen, Lin0xx is headed to Vietnam to talk about Byakugan. Vnsecon is a completely new conference, and to my knowledge, is the only one to ever exist in Vietnam! This should be quite cool. If any .vn or other hackers want to meet up with me there, email me!
Pusscat recently gave a talk at Toorcon Seattle about a certain project we are working on known as Byakugan. Yeah, I know I said I'd talk about this *after* we found out about the status of blackhat, but because of this speech, I see no reason to hold back. The bottom line is that crackers have all the fun OllyDbg plugins and other tools. Exploit developers have what? Hrm, well, hardly any tools in the area of exploitation-centric debugging. Byakugan is a WinDbg extension that is intended to change this.
While exploit developers may have tools such as ADMuatate and (the network side of) Metasploit, these don't help with the process side debugging issues that can be *really* painful when it comes to owning a target. The (public) tools we have for return address finding are OllyUni, Metasploit's msfpe/elfscan (and opcode db), and eEye's EEREAP. The former options offer somewhat simple return address finding methods. EEREAP is quite complex with an emulation engine that can find return addresses that most humans would not ever be able to do themselves. However, the bottom line is that these require some sort of human based configuration / help to know where to return to. The opcode database provides reliable return addresses quickly in many environments. The downside is, this tool has no real knowledge of the process space layout other than what the user dictates to the interface. The most often used method that the author has seen for finding return addresses is even less automated than the solutions mentioned above. Many times, a hacker will simply assemble the desired opcode to return to and then use a memory searching function in their debugger of choice (on Windows, usually WinDbg or OllyDbg) to search for a sequence. Aside from the author's observations that the OllyDbg search function rarely works as advertised, this method is quite cumbersome and often produces results that are not within executable memory (if we're talking about exploiting N^X systems), so the process must be repeated. In the author's opinion, having a human do this task is degenerate. Byakugan is designed to, through pattern recognition, offer a semi intelligent tool to automatically find valid return addresses that return into a memory space with input controlled by the attacker. That's right. One command, one screen full of valid return addresses within a charset you specify.
One other goal of the Byakugan project is good heap visualization. To date, no public, (yes, Pusscat and I both know that every one of you from Tipping Point / CORE / Immunity / Sabre / Errata / whoever else have an internal heap visualization tool that will never be released) well written, real time heap visualization tool exists to our knowledge. OllyDbg Heap Vis isn't dynamic in nature and other solutions have proven to be *quite* slow. Therefore, we have created a heap visualization portion of Byakugan known as Tenketsu. It hooks the RtlHeap api calls (including undocumented ones), works quite well under harsh environments, and is able to identify bugs such as double frees, along with operations such as heap block coalesces.
Other future features of Byakugan include the ability to interface with a fuzzer in order to give qualitative and quantitative results (ie, valid return addresses and even build a payload suitable to exploit the vulnerability itself), buffer modification detection, process snapshotting, code coverage improvement, and identification of the code segment that actually caused the exploit to be possible in the first place. There are other possibilities, but I can't give *everything* away here, can I?
With that, I close this post and thank Pusscat for her hard work on the project. If any of you have any questions, feel free to email lin0xx [at] metasploit [dot] com or pusscat [at] metasploit [dot] com.
Update: One thing I forgot: PaiMei and pyDbg. Yes, these both are useful for what they do. Pedram seems to gear PaiMei towards bug discovery, which is quite a departure from the normal general reverse engineering purpose that most debugging tools tout. However, like I said before, PaiMei is for bug discovery and code coverage it isn't going to help you write the actual exploit itself. pyDbg is what it says it is, a debugger framework. There's neither a connotation nor denotation that is implied that it is for exploit development.
Oh, more fun stuff. So, like, cracking is fun, right? Well, I gave a little introductory speech for it here. Now, because noone wants legal problems, these are all crackmes that I did and not *real* apps. However, the reverse engineering techniques that can be learned from doing crackmes are greatly beneficial, not only if you're taking part in activities that Noxusfiles.com would, of course, *never* condone. Since I now have obtained a new laptop with Windows Vista running on it, Office 2007 seemed like the most logical thing to run. However, not everyone has this application suite, so a 'normal' powerpoint version of the speech can be found here.
On another note, if you want more reverse engineering material, check out Rolf's nice tutorial on defeating virtual machine obfuscation techniques.
In other news, Pusscat (of Metasploit fame) and I have submitted a speech to blackhat this year. I'll talk more about it once we know if we've been accepted or not. Here's a hint: it won't be about firewalls ;) .
I also wrote up some shellcode to do dll injection (called Phantom Loader) when you have a file format exploit and there is a personal firewall preventing you from connecting to the attacker to recv() in a dll. The code will egg hunt for a certain sequence of bytes prepended to the dll and then load it into memory without touching the disk a second time. The proof of concept code for this will read a dll of your choice into memory via ReadFile() and then LoadLibrary() it with the dll injection code. This piece of code is a modification to the Metasploit remote dll injection payload.
Oh, yeah, forgot two things. I'm heading out to Norway to speak at HackCon on some newer anti-firewall stuff. I've added Symantec's NIS 2007 onto the 'pwn' list, along with the previous egg hunting dll injection code. A proof of concept for NIS will be up shortly. Also, if you need an app to quickly backdoor a box, NoxInject might be just what you need. It simply injects a thread into a process of your choice that will run a reverse connect shell. I might add that this is very useful against personal firewalls ;) .
Flash demos: ZoneAlarm payload and the Windows XP SP2 ICF payload
Email me at lin0xx [at] Metasploit [dot] com
Happy hacking!
-Lin0xx