BBS-Era Exploitation for Fun and Anachronism

Formal Metadata

Title: BBS-Era Exploitation for Fun and Anachronism
Part Number: 7
Number of Parts: 20
License: CC Attribution 4.0 International
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
Transcript: English (auto-generated)
So this is probably, in my opinion, this is the perfect talk for the end of the first day. So who here was on BBSs back in the day? OK, so all of you, I'm sure, have wondered at some point in your lives if, like, what if we knew then what we know now?
I think all of us have wondered that. So I'm happy to introduce Derek Soder and Paul Mehta from Cylance. So cool, cool talk. Thanks. Yeah, that sounds great.
Yeah, cool. Well, so yeah, I'm Derek. And I'm Paul. And I'm glad you guys are all here. BBS era is something most of us remember and have nostalgic worries about. And I thought we might talk a little bit about the inspiration for the talk to begin with.
Yeah, you know, it started as an April Fool's joke. But like a lot of things that started as jokes, it ended up getting serious. And we decided, you know, around about the time that the Recon CFP opened, hey, wouldn't that make a fun talk, you know, something a little exotic. Yeah, we did end up actually preparing an April Fool's Day
press release that just kind of announced one of the vulnerabilities, like, as though it were Heartbleed or GHOST or something. We didn't end up making a logo for it because, you know, just GIFs back then. GIFs were so patented back then, I think. So anyways, that was basically the inspiration.
And looks like they accepted the talk. And so now y'all get to hear all about it. All right, so the modem era, before the internet. And everything was one to one connection. So you had one modem. You could only talk to one other computer.
And yeah, for the few of you who are familiar with BBSs, welcome back. It's good to see you. For everybody else, we're going to talk just a little bit about what is a BBS. So BBS is one of the things on this screen. We're going to be hacking one of them.
Point to whichever one you think it is. Go on, don't be shy. OK, well, all right. I see just a few of y'all are participating. And if you're pointing at the kitty, you win. Congratulations. So the server-side software that we were looking at is called Wildcat.
And Derek, I know you're going to tell me something about Wildcat. Yeah, the funny thing about Wildcat is Wildcat is wild. There you go. There's your anachronism. Check that box. Yeah, go take it away. So we're looking at essentially the architecture
of how they talk to each other. And it's over a phone line. So everyone from the 90s has heard that sound when you pick up a phone and someone's using the internet. Yeah, call waiting is a bane of my existence.
And so there is another side to it. There's also the client side. And the client side ends up rendering whatever the BBS sends back. And that leads you to Legend of the Red Dragon. Anybody? Awesome. Good times. That was my formative years.
So yeah, you've got exactly one computer, yours, connected to exactly one computer, the sysop's. Hopefully the sysop isn't sitting there staring at everything you're doing all the time. But they totally could if they wanted to. And yeah, contrast that with today, where everything is connected to everything all the time. And we've come a long way.
They're probably still watching, but. And now it's not just one sysop. So looking at this, we wanted to ask the question because, well, it's relevant. Are BBSs still relevant today? For scale, in the last 30 days or so,
there have been 10 new BBSs that have gone up. Well, welcome to the internet. Wrong term. And I think in comparison, there have been roughly 16 million new websites per month or so. So the scale here, you gotta take into account.
But there are still new BBSs going up and people still use them. And I looked it up, actually, as of 2015, there's still 2.1 million people in America on dial-up. I got nothing to say about that. I doubt they're on BBSs, but I thought it was kind of interesting. So now that you all know everything about BBSs,
now here are the programs that we're gonna attack. Wildcat being the BBS software, the server. And then RIPterm being the client, the terminal program. RIPterm typically calls Wildcat and with a sound that goes something like.
It's working. Is that, does that warm you right here? All right. All right. Yeah, good. We clipped it for, you know, for conciseness.
It actually ran on for like a minute or so. So we thought we'd look at back then and today. Who knows where this guy's from, the blue guy? Yeah, thank you. And the comparatively orange guy?
Yeah, there we go. The past and the present, united in one slide. So when it comes to software, what did we use back then and what do we use today? So back then, people would boot from a disk.
And today, we really have to use DOSBox or if you're running on like 2003, you can use NTVDM which, well, to debug. Back then? Yeah, remember DOS debug?
It doesn't even have breakpoints. Oh, did I just step on something? It's not supposed to look that way. Okay, well, now today. The specific content's unimportant. Today, we use WinDbg mostly or GDB if you're on Unix and DOS debug which we actually found to be quite useless.
That's a DOSBox debugging interface. It's a bit of a pain. You can rebuild it with debugging support. Yeah, we just weren't able to bring very much good out of it. And looking at disassembly, I think you may have had to use debug back then.
The premier reverse engineering tool of the 80s and 90s. Nowadays, we have things like IDA and a slew of other tools at our disposal which makes it a lot easier from a reverse engineering point of view. Back then, today, we have things like Procmon.
Back in the day, security was war dialing and guessing passwords. Today, it's these invisible million dollar 0-days. It's like the emperor's new clothing but in reverse.
You can't see them if you're a good person. I'm just kidding. I still like y'all. So, back then, you got stoned apparently
and today, it's a lot more annoying. Have to pay your ransoms in Bitcoin. Dead drops. Gold bullion. Gold bullion, okay.
And now, looking at the post-modem era. A great leap forward often requires two steps back. Not always though. This is not always a great leap forward or it's not always two steps back because we're about to take a couple big steps back.
Starting off talking about RIPterm. I mean, I'm just gonna go through the basic tear down the same way we look at apps nowadays for like security assessment. What is the attack surface? It's a client but it's got all these protocols that it supports. There's the protocol that speaks with the modem
which we don't expect to have too much influence over. So this is a command to dial a number and then the modem might say back no carrier or connected or whatever. There's a telnet protocol. ANSI codes, really great. Before there was RIPscrip which I'm about to get to, there was ANSI for all your color and cursor needs.
There are various file transfer protocols. X, Y, Zmodem, I don't know. Didn't look into that because really once we looked at RIPscrip, there was no need to go anywhere else. This is super rich.
So this was TeleGrafix. They were working on, and if there's anybody from TeleGrafix here who worked there once upon a time, hi, love your software. Don't take any of this the wrong way. It's just a convenient old program for talking about modern day attacking. And it supported this really rich protocol
called RIPscrip for drawing vector graphics essentially. Like whereas with ANSI you can make ASCII art and pretty colorful ASCII art, but just ASCII art. With RIPscrip, you could do all kinds of things, even accessing files on the client's computer. It's really, really crazy. So it's not script in the JavaScript sense
where you can actually massage the heap or something. Too bad, but you can do a lot. So we're gonna look at that for vulnerabilities. I wonder if we'll find anything. So we'd actually found something before we actually got to the reverse engineering part,
but when you actually open up RIPterm in IDA, it doesn't really know what you're looking at. And it's not something you can massage into something nice. You have to actually take one step further before you can begin reversing it in IDA. And so we found two different ways to do this
that I'm sure there's a whole bunch more, but we thought that, so Derek here actually took the LE and reconstituted into a PE. Almost. Okay, so for a little bit of background,
the whole thing looks like a 16-bit DOS EXE, but the 16-bit code sets up like this DOS protected mode environment. It's like the WATCOM DOS extender, if you've heard of that. And then inside of the EXE, it's got embedded this linear executable, which is actually I think the same format, okay, almost the same format as Windows VxDs use.
It'll load that into memory, but there are just enough differences to make it annoying to where you can't just cut it out of the file and then load it straight in IDA. I got about as far as applying the relocations to it, but then I just ran out of time because Paul came up with a better way. So it was kind of funny, Derek was working on it, and I don't know, you spent a couple hours on it.
I was like, why don't you just do this? So I pulled it up, I ran it in NTVDM, and I was like, give me a byte sequence, Derek. So he was nice enough to spit one over, and did a search, dumped the region of memory to disk, opened that up in IDA, and there you go. It understands it and it's nice, it's easy,
it's an oldie, but I mean, we still use it all the time. So that worked nicely. And this here is the process basically dumping it and going from a crash to an analysis,
and what we found was, well, you guessed it. It's a little hard to read, but yeah. It's a string. Now this is how Derek actually ended up with the crash.
So what's your go-to technique nowadays? When in doubt, you just fuzz it and see what happens. And so we did. I wrote us just a real dumb fuzzer. The annoying thing are those message boxes you see popping up. There are certain commands you can do that will cause a message box, and then everything stops until it's dismissed.
So I wrote a little program that would just emulate escape keystrokes to make it go away every few seconds. Real cheesy, but good enough. I don't think you could do that back in the day. So this is just a recording of what it looked like, and it's drawing vector graphics here,
and you'll see lines and stuff like that, which we thought this is the perfect place to look. There's just like, I'm gonna go with dozens, dozens of commands. They're all that bang pipe and then command sequence,
and then parameters. And so the fuzzer's really just doing a bunch of that, just generating a bunch of bang pipe garbage. And sometimes you get a circle, sometimes you get a line, and then sometimes you get Rippy. No, the fuzzer's name is Rippy. And sometimes you get a crash.
Now this is the DOS extender itself intercepting the fault and then just doing a core dump thing to the console. What is that up in the corner? To my eyes this evening? So it didn't, of course,
actually crash at 414 the first time. Sorry, what was that, Steve? But this is, after we massaged the proof of concept a little bit, we got control over most registers, most notably EIP. This is, that's a little, I don't know if I quite have time to get into it, but this is a little weird.
Like I was expecting RIPterm to be like 16-bit, totally real mode. But no, not only is it like protected mode, but it's actually 32-bit flat address space. I guess the DOS4GW extender, presumably the 4G stands for like four gigabytes. So that's why this crash dump looks like such a familiar format.
Now when it comes to exploiting RIPterm, this is like taking a step back in time and realizing, wow, okay, we have the keys to the kingdom here. There's no DEP. Pretty much everything is RWX.
It's like, okay, sweet. There is no ASLR. That's also nice. No safe SEH. No SEH. No stack cookies. Control flow guard, oh. They didn't have control flow guard back then? I don't know what they were thinking.
No CET, or control flow enhancement technology. That's a new one. And it wasn't a problem. So we kind of went from, we took it to an extreme.
We tried to do like ROP, and it totally worked. But then we were like, what's the point? Which kind of summed it up nicely. So we had our choice of tools. We had WinDbg on NTVDM,
which is pretty cool because you get to see it executing in protected mode with arbitrary selectors or in virtual 86 mode or whatever. Pretty convenient. There is, of course, the DOSBox debugger. But that wasn't a pleasant experience. So it's not actually a debugger,
so you can't set real breakpoints. And it's very frustrating to use. This brings us to the other application that we looked at, the server side. So pretty much Wildcat is, at least from our client perspective, it's all just text-based GUI.
So, yeah, UI, we'll say. So this is pretty much your attack surface. Whatever you can get it to do, or whatever protocols it's going to speak, which is mostly just like user keystrokes and input. But there's file transfer. We didn't really get into that because,
oh, well, first we should talk about how to reverse Wildcat. This went a lot better than RIPterm, let me tell you. Like, IDA works like a charm. It knows, okay, so Wildcat was written in Pascal. It's all like 16-bit. And IDA, bless its heart, it knows all those functions. Like, it has FLIRT signatures, so.
It found their alloc, found their copies, and it's like, oh, that's pretty handy. Yeah, the decompiler didn't quite work. Didn't expect it to so much. But nobody wants to go back to far pointers. Okay, now let's actually talk about tearing it down.
So we walked through a bunch of the functionality, and this is just like a test drive version of Wildcat off of some public domain or some freeware CD. So I'll just cut to the chase. This is where we ended up looking. Messages, enter a message. You can enter a message, but.
And now they have a 151 line limit, which, okay, you can only enter 151 lines, but you can insert wherever you like. Yeah, so they didn't bother to check which line you put there. And I'll tell you why that's cool.
So Pascal has all of these string, like these counted strings. There's no like, strcpy buffer overflow that I know of in Pascal. So like, the lines in these messages were truncated at 80 characters. But then you get to thinking, well, how about heap allocations?
There are almost no heap allocations in Wildcat. Its use of the heap is paltry, but it uses it here, and here there's like a 16-bit arithmetic overflow. You put in a line number, it multiplies it by 81 to go find the place in the buffer to put it, and. So we were thinking it'd be funny if part of the exploit includes,
okay, go here, enter a message at line 810, enter these contents. Essentially, 810 worked out to the size of a line times the number that you enter, and to wrap it, you only have to wrap a 16-bit variable. So you can end up overflowing the previous string,
and you overflow the character that says how many characters are in that string. The good point of it was, yeah, like pretty much almost arbitrary control over where it writes to within that 64K segment. The bad part is it's within the 64K segment.
And there were basically, there's no heap header to overflow. There was a free list, but because it uses the heap so little, it didn't actually matter overwriting the free list pointers. So we did not get code execution in Wildcat. It turns out to be a useful tool in crafting like a malicious message, but that's a story for another day.
You want a demo? Yeah, okay, so we have a bit of a demo here. How do we get out of this? Sure, all right, so the demo's up here, Derek, for you.
This is using that 16-bit wrap that we just talked about and entering some malicious payload. Now, this is DOSBox on both sides here, and they're talking to each other. Cool, yeah, DOSBox is neat because it emulates modems.
Oh, sorry. Yeah, do you wanna drive? Sure. I think we just need to save it and open it. Yeah, so I think this was best done as a snapshot because you can enter this stuff by text, and nobody wants to wait around for that. Imagine entering your shellcode with like alt number, number, number combinations,
byte by byte. That's for real. So we're just gonna go there, and we're gonna read that message that we just entered. Presumably, you leave it for someone else, and what you end up with is a nice crash,
and then it disconnects, and you can turn this crash into code execution fairly easily. So it's like receiving a phishing email with an exploit attached to it, but old school. Just call this number with your modem. All right, okay, so we just did that.
Motherfucker, motherfuckers who thought their ass would age like wine.
If you mean it turns to vinegar, it does. If you mean it gets better with age, it don't. Now, we have one more demo to show you guys, and this is kind of where we left it.
I think it shows off as perfectly. Have you guys ever tried to get someone to play a game, and they're like, yeah, I'll do it in a minute. Just leave me alone. They never get around to it. Well, I think we may have solved that, Derek.
Fine, okay, so I tried to decrease the resolution just before, so you guys could see it better, but the window is a DOSBox.
Sorry about that, guys. Thanks. Thank you for telling me. Okay, here we go.
So this is just running RIPterm, and it's talking to another application over a modem here. So we're gonna see an incoming call.
Why don't we answer it? And you launch Doom on the system. Now, you guys remember this? We were thinking about what to do with it,
and it brings me back, so. The 90s live again, if only in our emulators. All right, so now that's the conclusion, and any questions? Well, feel free to ask questions or watch us play Doom. We're not gonna make them watch us play Doom.
All right. Buddy, everybody ready to go to the bar? Yeah, I wouldn't. So the comment was that in 2013,
there was a recon BBS. I had no idea.
Oh, I wish we'd known about that. We tried to stay away from hacking real computers. Opportunity missed. Well, send me the number. Y'all heard it here first.
Sure, why not? Sounds reasonable. I wonder if those would be expensive or cheap. Yeah. What is the demand for those? We'll set the price at $1 million, sounds reasonable.
$999.95. Or they could just go and, you know, fuzz it themselves. Now they know how, because, you know. Antiques Roadshow. Yeah, it's like software antiques. Anything else? Anything else? Y'all have been too kind.
Okay, thanks. All right, thank you.