Send Dailydave mailing list submissions to
        dailydave@lists.immunitysec.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.immunitysec.com/mailman/listinfo/dailydave
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dailydave digest..."


Today's Topics:

   1. Re: DefCON NOP Redux (Brandon Enright)
   2. A growing darkness (Dave Aitel)
   3. Re: DefCon CTF (Jared DeMott)
   4. Re: A growing darkness (Mohammad Hosein)
   5. Re: DefCON NOP Redux (RB)
   6. Re: DefCon CTF (Chris Eagle)
   7. Re: DefCon CTF (Red Dragon)


----------------------------------------------------------------------

Message: 1
Date: Thu, 14 Aug 2008 17:25:48 +0000
From: Brandon Enright <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] DefCON NOP Redux
To: "Anthony Lineberry" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII

On Wed, 13 Aug 2008 18:34:17 -0700 or thereabouts "Anthony Lineberry"
<[EMAIL PROTECTED]> wrote:

> As for how school of root did it... I'd love to know some specifics.
> Past the fact that chris eagle has a factory of badasses. haha
> 

Yeah there was pretty much a constant stream of badass flowing from
that table.  I was worried that if it got any worse Kenshoto was going
to have to reprogram the score board to use a log() scale.

atlas suggests that they wrote a "service-r00tkit" that prevented
others from scoring: http://atlas.r4780y.com/cgi-bin/atlas

I'd love to hear the details too.

Brandon


------------------------------

Message: 2
Date: Thu, 14 Aug 2008 15:47:27 -0400
From: Dave Aitel <[EMAIL PROTECTED]>
Subject: [Dailydave] A growing darkness
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

It's dark and storming here - not rare for Miami.

For those of you who like to read about heap overflows, Nico's blog has 
some information on the work he did to make the Citrix bug CANVASized:
http://eticanicomana.blogspot.com/

Likewise his post on the rollercoaster ride that is writing heap 
overflows is a good one. :>

We find that ready-to-use kernel rootkits are a key part of what people 
want in an attack platform these days. To this end Daniel Palacio (an 
intern at Immunity this summer) wrote a Linux rootkit we hope to release 
shortly as part of CANVAS. Bas has since written a loader for it [1] 
that uses the debug registers to "hook" things. You may or may not have 
seen this technique being used [2] but it's good to have something ready 
to go in your toolkit. There are some other cool features in the CANVAS 
Linux rootkit but I'll wait till it's ready sometime next week to post 
about them.

- -dave
[1] The loader itself is in CANVAS Early Updates for those of you who 
want to play with it.
[2] I think a Windows rootkit uses this hooking technique but I can't 
remember which one.



------------------------------

Message: 3
Date: Thu, 14 Aug 2008 16:01:32 -0400
From: Jared DeMott <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] DefCon CTF
Cc: "[EMAIL PROTECTED]"
        <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Doc Brown wrote:
> On Wed, Aug 13, 2008 at 04:47:01PM -0400, Dave Aitel wrote:
>   
>> One thing that was interesting this year at Defcon was CTF, which was a
>> bit of a blowout, even though the game itself was reasonably fair and
>> there were lots of good teams competing. At some point it would be cool
>> if school of root (the winning team) posted how they did it.
>>     
>
> Team [EMAIL PROTECTED] enjoyed our 2 year winning streak, but we got sch00led
> hard.  :)  I couldn't be happier to lose[0] to them, though.
>
> As an outside observer of their team for many years, I think that SoR
> finally overcame the classic "too many people" problems and didn't step
> all over themselves, as has happened for many teams over the years with
> more people than can sit at the CTF tables.
>
> Additionally, I think Kenshoto also raised the bar on the reversing,
> which gave a (well-deserved) advantage to the stronger reversers.
> I'm sure CollabREate[1] didn't hurt SoR either.
>
> As a quick list, I'd say this year the main difference seemed to be very
> well considered custom shellcode, excellent automation and tracking,
> strong network defense, and some additional tricks that we have some
> theories about.  I'd love to hear more details too.  :)
>
> -Doc
>   
Ya, from what I saw (and from what ChrisEagle said) skewl just brought 
out all the horses.  With a 26 man team (to our 8-10) they were 
overpoweringly strong, and led by the master CE to bring down the house 
RE style.  For the last couple years we've rocked as a balanced team and 
mastered things like automation, counter attack, defense, 
inline-snorting, and of course DRB with the RE power -- but this year 
more than ever breakthrough points (first to RE and exploit a vul) were 
key -- score quick, score often.  If the game stays the same, bringing a 
small army of reversers is possibly a strong road to success, especially 
if you've mastered the personal issues of large teams, and understand 
the rest of the game as well.  Skewl rocks, and they deserved to win.  
I'm not at all suggesting that numbers were the only reason they won.  
Though, I wonder if Kenshoto will try and address the large team 
approach?  I'm really not sure much can be done there, so I guess it's 
just one strategic approach?  CE trains folks that move on to gov and 
industry, so now when he raises a call to arms, he can muster a sizable 
team that we might have trouble matching.  Though, I suppose we could 
try that approach as well.  I doubt we will though, I think our team has 
always felt that sleek and tight was better than big.  Though if you 
tighten up big ... perhaps (obviously) you yield greater production?

jrod




------------------------------

Message: 4
Date: Fri, 15 Aug 2008 00:29:20 +0330
From: "Mohammad Hosein" <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] A growing darkness
To: "Dave Aitel" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="utf-8"

"Hardened" kernels are killing our business ;)

It's hard to believe one can find a "serious" Linux machine that runs a virgin
kernel (assuming general patches do not cause virginity to be lost; hat's
off to Chandler). With PaX or Grsec, or even worse, SELinux, installed
and running, rootkits don't stand a chance.

So I thought you might want to consider taking a look at Gentoo's Hardened
kernel. It's a good start.

Regards
-mh



------------------------------

Message: 5
Date: Thu, 14 Aug 2008 15:03:03 -0600
From: RB <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] DefCON NOP Redux
To: [EMAIL PROTECTED]
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

>> As for how school of root did it... I'd love to know some specifics.
>> Past the fact that chris eagle has a factory of badasses. haha
>>
>
> Yeah there was pretty much a constant stream of badass flowing from
> that table.  I was worried that if it got any worse Kenshoto was going
> to have to reprogram the score board to use a log() scale.
>
> atlas suggests that they wrote a "service-r00tkit" that prevented
> others from scoring: http://atlas.r4780y.com/cgi-bin/atlas

As well as one certain team did in the quals and as poorly as that
same team did in the actual competition, I'm wondering if sk3wl owned
them early on and used them as a scoring conduit.


------------------------------

Message: 6
Date: Thu, 14 Aug 2008 16:38:48 -0700
From: Chris Eagle <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] DefCon CTF
To: "[EMAIL PROTECTED]"
        <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Actually, of the 26 people, only 18 were hands on keyboard types this 
year.  Of those we had a wide range of experience levels from CTF 
first timers to CTF old timers.  The team was no larger or smaller than 
we have used in the past and lost with.  Perhaps our process is starting 
to work a little better.  Frankly we haven't decided what worked and 
what didn't just yet, but we like all of the conjecture because we wish 
we had thought of some of the ideas being tossed around.  More things to 
try next year I guess ;)

Chris




------------------------------

Message: 7
Date: Fri, 15 Aug 2008 00:55:57 -0700
From: "Red Dragon" <[EMAIL PROTECTED]>
Subject: Re: [Dailydave] DefCon CTF
To: "Jared DeMott" <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]"
        <[EMAIL PROTECTED]>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

I think it's just unfair in terms of the number of people in the team.
Especially for "foreign" teams since US teams normally have more ppl.
Chris's team was like 2.5 times larger than other teams.

--rd

------------------------------

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


End of Dailydave Digest, Vol 37, Issue 6
****************************************
