The story of a failed research :)

Posted on by

Most of the stuff I publish here are stories of a successful research. Today, for a change, I will talk about a little failed project. Little, because I didn’t spend too much time on it, failed – because it did fail 🙂

I think it is important to talk about such projects as well, because not only we do fail many times in our research activities + who knows, maybe someone will  come up with a better, more clever idea than me and make it actually successful.

In the Beyond good ol’ Run key, Part 22  series. I talked about perl2exe and how the executables created using this tool can load some other arbitrary perl scripts. So, when I found out about it I thought how cool would it be to access the hidden script in a programmatic way and just dump it (assuming that I could use the fact I can load an arbitrary code as a backdoor & that I can somehow find ways to access the source code of the perl script).

Of course, if you ever dumped the hidden script from perl2exe you may wonder why would I even bother to try – knowing that the script can be easily dumped using typical reversing tricks. Well, it was simply an appealing idea to me to be able to do it in a neat way. In the end I couldn’t find a way to do it. The only consolation is that I was able to at least print the names of the routines used in the code, and enable various debugging messages.

In the aforementioned post I mentioned you can load an arbitrary perl code when the perl2exe-compiled script is loaded.

For example, we can create a (null)\sitecustomize.pl script that will be executed before the main script.

If it contains the code

print "foobar\n";

it will load like this (running the old wmi.exe perl2exed script here)

foobar1

Running the code before the script is one thing, it may be handy to run code at the end of the execution as well – at that stage we will be able to enumerate some properties that are not available until the main script actually executes.

We can add the END section to our backdoor:

print "foobar - start\n";
sub END
{
 print "foobar - end\n";
}

that will do the following:


 foobar2

To dump  the code of the perl script one needs to employ the B::Deparse module.

One can write something like this:

use B::Deparse;
my $deparser = B::Deparse->new;
print $deparser->coderef2text(\&foobar);
sub foobar
{
 print "Hello world\n";
}

and when executed it will print the source code of the foobar function :

foobar3

A more complex script:

use warnings;
use B::Deparse;

printit (\%main::, 0);

sub printit
{
  my $hash1 = shift;my %hash=%{$hash1};
  my $n     = shift;

  foreach my $k ( keys %hash )
  {
      #print "-" x $n;

      if (defined $h{$k})
         {
           print "(hash)";
           printit (%{$h{$k}}, $n+1);
         }
      if (defined &{$k})
      {
        my $deparser = B::Deparse->new;
        print "$k\n";
        print $deparser->coderef2text(\&{$k});
      }

   }
}

sub foobar
{
  print "Hello world\n";
}

will produce something like this:

foobar4

It is kinda getting close to a quine and what we need, but…

But unfortunately, B::Deparse is not available inside the compile perl2exe-compiled binary. It also doesn’t seem to be possible to include this module from a separate perl repository. One can change the content of the INC environment variable (responsible for inclusion of modules) with a push f.ex.:

push (@INC, "C:/Perl/site/lib");
push (@INC,"C:/Perl/lib" );

at the top of our backdoor, but for some reason the B::Deparse doesn’t load (the engine finds the files, but you can’t use its functionality . Perhaps the appropriate version of perl (same as in perl2exe used to compile the script) may work – this is one of the potential paths that I have not explored. Perhaps other ways to load a library may work as well.

At this stage I kinda gave up, but still played a bit with some environmental variables.

For example, adding these to the top of the backdoor (so they are executed before the main script executes):

$ENV{PERL_DL_DEBUG}=1;
$ENV{DEBUG_TIE_REGISTRY}=1;

will enable a lot of debugging messages.

foobar5

and also related to Registry:

foobar6

Finally, adding this bit to the END section:

 foreach my $k ( keys %main:: )
 {
   print "FUNCTION: $k\n" if (defined &{$k});
 }

so that the final script looks like

print "foobar - start\n";

#$ENV{PERL_DL_DEBUG}=1;
#$ENV{DEBUG_TIE_REGISTRY}=1;

sub END
{
  print "foobar - end\n";
 
 foreach my $k ( keys %main:: )
  {
    print "FUNCTION: $k\n" if (defined &{$k});
  }

}

will allow us to print all the routines defined in the main script:

foobar7

GetSoftwareInfoGetHardwareInfo are indeed functions defined inside the wmi.exe – these may be still handy pieces of information if you want to quickly narrow down where the source of the original script is in memory (if you do a memory dump).

At this stage it is not a very useful piece of research. One could potentially employ this in sandboxing to produce a very detailed log, but  dumping the actual source code would be a much better choice.

Was it a wasted time? Hmm probably.

If you know, or come up with an idea how to print more useful info, or maybe even a source code – please let me know.

The story of a possible prank

Posted on by

In 2011 a security researcher pulled – what I believe – a prank on a well-known org. He made them publish a paper with an appendix containing a non-sensical data. I reported this to the org in 2012 as soon as I discovered it. I was actually flabbergasted at that time that someone could be that bold to pull the org’s leg this way (risking both author’s and org’s credibility), but it was still 2 months before the infamous Nmap Guide made it to the news and trolling security orgs became a norm.

I forgot about it for a long time, but recently it came back to me & I checked the web site of the org to see if they pulled the paper – the paper is still there – 3+ years after I reported it – the goofy appendix is of course there as well.

I must emphasize that I do not have a proof that it is a prank, but the non-sensical information included in the paper cannot be a result of a typo, or an accident; it looks like someone deliberately made stuff up. Of course, if it is just a result of the author’s ignorance or it was the intern who wrote that it would make it for even more lulz.

I don’t want to mention the gore details for many reasons. Thanks for understanding.

I do want to mention though 2 interesting side-effects of this paper being published:

  • The information was copied to other blogs (not too many, but always).
  • Based on the information in this paper someone created IDS signatures – talk about quality & tests

You may be wondering why I am posting such a vague info at all.

It’s simple: question everything you read.

I personally make tones of mistakes. I sometimes read some of my older posts and I find bugs. Not only typos, but actual logical bugs that make me really ashamed. I don’t like to be wrong, I really don’t, but if I am the only finding out then what about the poor guys who believed it then and believe it now?

There is a certain responsibility of a writer, a researcher to ensure the quality of the writing is at the appropriate level. But it is impossible if there is no feedback. Especially the critical one.

To certain extent I can understand frustration of HC when he insists on receiving feedback from readers. Seeing people retweeting, but not reading can be certainly disheartening. In my opinion expectations of a blog writer should be very low here, and it keeps me sane writing & babbling anytime I feel like – at certain level I don’t even care – these are more my notes that I feel may be interesting to share, less my interest or a will to change the world (we all die; I am great at parties 🙂 ).

BUT

But if there is one thing that I care about is accuracy. If I make a mistake and no one tells me, it really sucks. And the fact is that most of people don’t even bother to read in-depth anymore. Everything is ‘just in time’ – you only read stuff when you need it. I do it all the time. Skimming is a necessity. And this is fine, as long as the stuff you read is correct.

But it rarely is 100%.

So if you read this – please read whatever you read with an assumption that what you read may not be 100% right. It is especially important with materials endorsed by orgs. Like everyone who made their hands dirty & sinned by publishing – they sometimes publish bad quality stuff. Only these who don’t do anything make no mistakes at all.

Keep your eyes open.