Monday, May 18, 2015

Defcon 2015 : Coding Challenge

This was an interesting challenge where you connect to a remote machine and are given a set of x64 registers (no rsp, rbp) plus some bytes, and are expected to send back a reply in the "same format". We can assume that the bytes correspond to some shellcode that we are supposed to emulate, returning the results of its execution.
I first tried using pyasmjit but for some reason had trouble getting it up and running. Later on, I ended up writing a solution that involves a Python script to interact with the server, pwntools to disassemble the bytes received, nasm to assemble a binary, and a pintool to instrument the binary and print out the register state at the end.

The Python script can be found here and the pintool can be found here. The pintool emulates the instructions until the "ret" instruction, prints out the registers, then exits.

Monday, February 23, 2015

A simple PIN detection mechanism(and its circumvention)

PIN, the pintool and the application being instrumented share the address space. However, no libraries are shared: there are typically three versions of glibc in the address space, to avoid any unwanted interaction [1]. As a result, PIN is not detected by ptrace-based anti-debugging checks, even though PIN itself relies on ptrace.

A simple PIN detection mechanism would be to scan /proc/self/maps and look for a page corresponding to the pinbin binary [2]. This can be circumvented by doing something as simple as renaming pinbin to something else and creating a symbolic link to it by the name of pinbin.
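The /proc/self/maps scan described above, written out as an added example (not the gist linked in [2]): each maps line is parsed and the basename of its pathname field is compared against "pinbin", the name of PIN's injected binary as given in the post. The name "pinbin" and the sample maps lines are assumptions taken from the text, not from a real PIN installation.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if this /proc/<pid>/maps line maps a file whose basename is
 * exactly `name` (e.g. "pinbin"), 0 otherwise. A maps line looks like:
 *   7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 123456   /opt/pin/pinbin
 * The pathname is the sixth field; anonymous mappings have none, and
 * pseudo-mappings such as [heap] or [stack] carry a bracketed label. */
static int maps_line_names_file(const char *line, const char *name)
{
    char path[4096];
    /* %*s skips the address range, perms, offset, dev and inode fields. */
    if (sscanf(line, "%*s %*s %*s %*s %*s %4095s", path) != 1)
        return 0;                      /* anonymous mapping, no path */
    if (path[0] != '/')
        return 0;                      /* [heap], [stack], [vdso], ... */
    const char *base = strrchr(path, '/') + 1;
    /* Note: this compares only the file name the kernel reports, which is
     * the resolved target of any symlink, so a renamed pinbin is missed. */
    return strcmp(base, name) == 0;
}

/* Scan a maps file (normally /proc/self/maps) for a mapping of `name`.
 * Returns 1 if found, 0 if not, -1 if the file cannot be opened. */
static int maps_file_contains(const char *maps_path, const char *name)
{
    FILE *f = fopen(maps_path, "r");
    if (!f)
        return -1;
    char line[4352];
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = maps_line_names_file(line, name);
    fclose(f);
    return found;
}

int main(void)
{
    int r = maps_file_contains("/proc/self/maps", "pinbin");
    puts(r > 0 ? "pinbin mapped: probably running under PIN"
       : r == 0 ? "no pinbin mapping found"
                : "could not read /proc/self/maps");
    return 0;
}
```

Because the check keys on the file name alone, the rename-and-symlink trick from the post defeats it: the kernel records the real file's path in maps, not the symlink's.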


[1] http://www.cs.virginia.edu/kim/courses/cs851/papers/luk05pin.pdf
[2] https://gist.github.com/eQu1NoX/529e7dc69b8f4b3bb5e4