BBS-Era Exploitation for Fun and Anachronism

Formal Metadata

Title: BBS-Era Exploitation for Fun and Anachronism
Title of Series: REcon 2016
Part Number: 7
Number of Parts: 20
Authors: Soeder, Derek; Mehta, Paul
License: CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
DOI: 10.5446/32740
Publisher: REcon
Release Date: 2016
Language: English

Content Metadata

Subject Area: Computer Science
Abstract: The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple of decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
Transcript
tough bed and time and then that
in a and and
so this is brolly in my opinion is the perfect talk for the end of the 1st day of so who yeah who here was on was on is like back in the day OK so so all of you I'm sure have wondered at some point in their lives if like what if we knew then what we know now I always a wonder that so I'm happy to introduce their and pull that up from silence so cool cool talk this has been century then called well so yeah and and I'm Paul in debt
and I'm glad you guys are all here PBS error is something most of us remember and have nostalgic memories about and I thought we might talk a little bit about the inspiration for the talk to begin with it you know it started as an April Fool's joke but like a lot of things that stars jokes at end of getting serious and we decided that you know round about the time that the recon if he opened they wouldn't that make a fun talking of something a little exotic of yeah we didn't action preparing April Fool's they press releases that this kind of announced for the vulnerabilities like as though they were and as over overhard leader ghost or something uh women of making a logo for it because you know that just gives death and and this supplanted back and I think it's anyways but that was basically inspiration and looks like they accept the talking so managerial it right so the modem
error but before the internet and the everything was one-to-one connection so you had 1 model you can only talk to 1 another computer and that further for the few of you who and who are familiar at PBS is welcome back this view prevails we're going to talk just a little bit about what is a the so BBS is 1 of the things on the screen we're gonna be having 1 of them midpoint point to which are when you think it is FIL and don't be shy the OK well I think have and a suggest a field dissipating and if you're putting in the giddy you and congratulations so the yeah server-side software that we're looking at is called a wild and there tones of allows that is the funny thing about wildcat is Wildcat is 1 of the you this Fabio there'd mechanism check that box and yeah goes to take away so we're looking at
essentially the architecture of how they talk to each other and it's over phone lines so everyone from the nineties has heard that sound when you pick up a phone can someone using the internet cotton call-waiting is the bane of my existence and so there is another side to it is also the client side and the client side and the rendering whatever the BBS sends back and that leads you to let in the red dragon with anybody and also that the times as much performance years so yeah you get exactly 1 computer yours elected exactly on computer the desysopped hopefully this is up isn't sitting there staring everything you doing all the time but the Tillich could if it wanted to and both yeah interest would today where everything is connected everything all the time and I was come along way the approach to watching that the and that's not just once something so looking at this we wanted to go and ask the
question because while it's relevant and are BDS is still relevant today for scale and in the last 30 days or so there have been 10 new BBS is gonna up what called welcome to the internet has they long term and I think in comparison with their been roughly 16 million new websites per month or so so the steel here he got into account but there are still a BBS is going up and people still use them and I looked it up actually as of 2015 this still 2 . 1 million people in America on dialog again this is about that I got there on PBS is by I thought I was kind of interesting so now that
you all know about everything about BBS is no uh here the soft the programs organ attack wildcat being the BBS software that the server and then return to being the clients a terminal program retirement typically calls Wildcat and with the sound it goes something like who is working the so warm year a year of the of the tetrad how we we could differ enough for conciseness it actually ran on for like a minute or so and so we thought would look
at back then and today so I that who knows where this has from the the blue guy yeah thank you and the comparatively orange guy who of yeah there you know the mass in the president united in 1 slide so when it comes to a stop or what we use back then what we use today they had to back then people would boot from a desk and today we really have to use DOS box or a or if you're running on like 2003 you can use in the medium which is the take the bus back then there are a dozen debug no I didn't even didn't have break points and Otis upon some postal look that way but it will not be a is constant simple unimportant today we use wind about mostly or GDV if you're on Unix and their DOS about which we actually can be quite useless now that's a DOS spikes debugging interface it is a bit of a pain you can rebuild it with the debugging support yeah we just weren't able to bring very much to that of the and looking at this Assembly thank i think you may have had used debug back then the prom here reverse engineering tool of the ADC and is nowadays we have things like Heider and a slew of other tools at our disposal which makes a lot easy from a reverse engineering point of view come back then the today we have things that problem intact in the days of a Security was war dialing guessing passwords today this is invisible million-dollar 0 days this is like the emperor's new clothing but in reverse we can we can see that if you're a good person and understand who must I I killed him and I have so back then you got stoned that nearly and today it's a lot more knowing have to pay and big point the US as have been dead drops is how the gold bullion the gold again happen
In and now looking at the postmortem air the day before a above recitatives back not always there users could but this is not always a great leap forward of course not always 2 steps back because they see more about intake couple big steps back um starting off talking about rip term I mean I'm just gonna go through the basic care down the same way we look at nowadays for like street assessment what is the attack surface it's a client but it's got all these protocols it supports there is the the protocol that speaks with the modem which we don't expect to have much too much influence over so this is a command to dial the number and then the node might say that no carrier or connected or whatever there's a telnet protocol and NC codes really great before there was a script which about to get to you there was Freud a color and the cursor needs the the um their various file transfer protocols xyz modem I don't know I didn't then look into that because I really was we look to rich script there was no need to go anywhere else in this is super rich data and so these get telegraphic Sorokin and if there's anybody from telegraphic here who worked there was part time I love your software you don't take this wrong way system sister convenient all program uh um for a talk about modern attacking and is supported this really rich protocol called rich scripts for drawing vector graphics essentially like whereas with NCD make ASCII are and pretty colorful ASCII art but just ASCII art with the rich script you could do all kinds of things even accessing files on the host and from the client's computer and that's really really crazy so so is not script in the Java Script sense where you can actually like massage the Heber something too bad that you can do a lot of we're sorry look at that for vulnerabilities wonderful find anything
not so we actually found something before we actually got the reverse engineering part but when you actually open up rip terminator the doesn't really know you're looking at and it it's not something even massage into something nice you have to take 1 step further before you can begin in reversing it in idea and so we found 2 different ways to do this that I'm sure there's a whole bunch more but we thought that
the sidereal year actually took the and reconstituted into a P. almost of way so that so for a little bit of background about the whole thing looks like a 16 bit DOS EXE but this 16 bit code recessive like this DOS protected-mode environment is like that what come DOS-extender if you've heard of that and then inside of the exceeds that embedded this linear executable which is actually a think the same format or almost the same format as the windows the expertise used by the low that into memory but they're just just enough differences to make annoying to we can just cut it out of the file and loaded straight niter I got about as far as applying the relocations to it ran out of time because a popular with the way so he was kind of funny Derek was working on it and I have used a couple hours and because it was you just do this and so I pull it up the I ran it on DVD M and I like any byte sequence data so the nice enough to spare 1 over and did a search dump the regenerated this open that up in Idaho and they go the it understands it and this nice it's easy it's an oldie but I mean we still use it all the time so that work nicely the hand this here as the process basically dumping it and going from a crash to an analysis and what we found was quote you guessed it is a little arteries that yes this is the topic you who
knows this is how Derek actually ended up with the crash so who who was her go to technique nowadays when doubt he
despises you happens and so we didn't um artists to
real dumb buzzer uh the annoying thing those message boxes see popping up there certain commands you can do that will cause a message box and everything stops and those dismissed so uh I erodible program the dissimulate states like escape keystrokes to
make it go away every few seconds real
cheesy but the of uh so that you could do that back in the days of the so as the visitors were recording of what it looked like and it's trying vector graphics here and you'll see lines and stuff like that which we got is a perfect place to look and at the day there's a there's just like enjoyed dozens and dozens of commands like they're all that bank pipe and and command sequence and parameters and so the father's really just doing a bunch of that during lecture thank i garbage and sometimes you circle sometimes you
get a line and sometimes you get ready the notice that the father's name is really in the and sometimes you get
crash and this is the a DOS-extender itself but it the intercepting the fall and then just do and power cord of thing to to the Council what is not at the corner to my this evening about the the hit so it in any course actually crashing for for the 1st time when the so I was was as the circuit from but this is a after we miss I've super concept all that really got a a control over most registers most notably this is a a home fact might have time to get into it but this a little weird but I was expecting returned yet 16 you totally real mode but no it's so not only is it like protected-mode the section 32 bit flat address space I guess a DOS 40 of the extended him with a 40 centrally 40 rights so uh so that's why this pressure don't look such like such a familiar format the the now when it comes to exploiting return fire this is flights taking a step back in time and realizing while OK we you have the keys to the kingdom here there is no doubt primitive everything is RWX acts like OK sweet there is no way as lie that also nice you know safe sch no as EH no stack cookies control-flow varied but in any event also got half an hour what they were thinking but I know the for full full enhancement technology that's a new 1 enables the problem is that the the and you and but thanks the so we we kind of went from uh we took its to an
extreme we tried to do like Robert and you know it only work but then you're like what's the point which are you know kind of summed it up nicely so we could so we had a dresser tools we had a when debugging now on in which is pretty cool because you get to see it executing and you know protected mode with arbitrary selectors or on virtual 86 mode or whatever that making the it there is a course DOS box debugger led that when there was a pleasant experience so it's not actually debuggers so you can't set real breakpoints energy it's very frustrating use In this brings
us to the other application that we looked at the server side um so pretty much wildcat is released from our client perspective it's all just text-based UI like the to read of so yeah you I will say so this is pretty much attack surface whatever you can get to do or whatever protocols is going to speak which is mostly just like user keystrokes in input but there there's file-transfer we didn't really get into that because of 1st which talk
about Hatteras wildcat this 1 a lot better than return when we tell you like idea works like a charm it knows OK so wild was written Pascal is all like 16 bit and idea and bless his heart it knows all those functions like as for signatures so it found their man there Alex found their copies and it's book that's pretty handy the uh the Deacon power didn't quite work but I didn't expect it to so much that you know nobody wants to go back far pointers the
but in now sexual talk about turn it down so we walk through a bunch of functionality and this is just like a test drive version wildcat off of you know some like public domain or some freeware CD um so all the scatter chase this is a this arena putting messages interim message you can enter a message but then you know they have 150 wine 131 line limit which OK you can only and 181 lines but you can insert where be like that and so they didn't bother detector which line you put their um and I'll tell you why that's cool so Pascal has all of these strings like these counted strings and there's no likes the copy buffer overflow that I know of in Pascal so I like the lines news message were truncated 80 characters but but that they needed to thinking more how about he delegations there are almost no heap allocations in wildcat its use of the heap is paltry but use it here and here there's an like a 16 bit arithmetical overflow you put in a line number multiplies it by 81 to go find a place in the buffer to put it and so we were thinking we find it part of the exploitation includes OK go here ever message at wine 810 hinder these contents essentially 810 worked out to the size of a line times the number of O. The you enter and to rapid you only have to wrap a 16 bit variable so you can end up overflowing the previous string and your flow the character that says how many like characters are in a string the good point of it was yeah like pretty much almost arbitrary control over where rights to it within that 64 K segments without borders is within the 64 K segment um and there were basically there's no he at overflow there was a free list but because it uses a heap so little and they didn't actually matter overriding the free list pointers and so we did not the code execution in wild this turns out to be a useful tool in crafting like malicious message but not so you know as a story for another day and know 3rd yeah OK
so we have a bit of a demo here but we get out of this assumed she writes of the demos of
fear the this is using that 16
bit wrap that we just talked about and entering some malicious payload
a now this is dialogs on both sides here they're talking to each other equal uh yeah DOS vaccinate because it emulates modems and the OK say and yet you are drive should I think is needed to say that in an open it gas so I think this with best and done as a snapshot because you can enter the stuff I text and nobody was aware of that Imagen in your shellcode with like all number number number combinations byte-by-byte as Israel so is going to go there we're gonna read them as a so we just ended presumably you leave for someone else but the the and what you end up with is and I scratch and and then it disconnects and she you can turn this past the could excuse the values of so it's like the receiving a fishing mail e-mail with the use of the that exploit attached to it but old-school just call this number with a modem you this yeah
and were in this like not a case we just
do that now In the other
and that none of this
would put their like what it give you a history of the and usually it is but what they the of now that we have 1 more damaging guys and this is kind of but where we where we left it I think it shows up this perfectly because ever tried to get on the play a game and the like the although the minutes of stimulant maintaining ever get around it I think we may have some of that if the the goal of this I tried to decrease resolution just before so you guys to see better the the of the the the wonders of DOS belongs and and who survived as you things thank you for telling me the and
a very so this is running right term and talking to another application over the a model and so we're going to see an incoming calls whose life we answer it Due the high I In Yolane's Dumont assistant who the now you have remember this sleuthing about what to do with it and brings me back the nineties if only an hour in ML alright so now that's the conclusion and the questions of freedom has questions are what we do is were not a main what is played in the I by evaluating other block then would know yeah are they also they become was that in 2013 there was a recom BBS I had no idea and and and and this is a the we Our which we've known about that we we try to stay away from Happy real computers of the on opportunity in this will send me the number the the heart of the 1st do the and and the other half of the year when a centuries-old holder of those would be expensive achieve yeah well what is the demand for let's try said that when you may not have reasonable 90 95 or they could is going you know 1st themselves the shelling out because its and then it there's like suffer antiques and anything else anything else into kind if it that thank you
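The Wildcat message-editor bug the speakers describe above (a line number multiplied by 81 in a 16-bit variable, so that a high line number wraps the offset back into the segment and the write lands on an earlier Pascal counted string, clobbering its length byte) can be modelled in a few lines of C. The following is an added example, not code from the talk, from Wildcat or from the speakers' proof-of-concept. It assumes an 81-byte slot per line (one length byte plus 80 characters), a 131-line message limit and a single 64K segment; all three are assumptions modelled on the talk, and the 131-line figure in particular is taken from the garbled transcript. The unchecked functions reproduce the wraparound so its effect can be observed in a harmless in-process buffer; the checked functions show the fix a defender would apply: validate the line index against the limit before doing any arithmetic and compute the offset in a type wide enough that it cannot wrap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define LINE_SLOT 81       /* assumed: one length byte + up to 80 characters per line */
#define MAX_LINES 131      /* assumed: message line limit, as mentioned in the talk */
#define SEG_SIZE  65536u   /* one 16-bit segment */

/* Constructed model of the editor's message buffer: a 64K segment of
 * counted-string slots, plus one slot of slack so this model itself can
 * never write past the end of the array whatever the wrapped offset is. */
static uint8_t segment[SEG_SIZE + LINE_SLOT];

/* Vulnerable pattern from the talk: the slot offset is held in a 16-bit
 * variable, so line * 81 silently wraps once the product exceeds 65535.
 * Line 810 gives 65610, which wraps to 74, i.e. inside slot 0. */
uint16_t wrapped_offset(uint16_t line) {
    return (uint16_t)(line * LINE_SLOT);
}

/* Which earlier slot's length byte does an 81-byte write at the wrapped
 * offset land on?  Returns that slot index, or -1 if the write stays inside
 * the slot the caller intended. */
int clobbered_slot(uint16_t line) {
    uint32_t start = wrapped_offset(line);
    uint32_t end = start + LINE_SLOT;            /* exclusive */
    for (uint32_t k = 0; k < MAX_LINES; k++) {
        uint32_t len_byte = k * LINE_SLOT;       /* each slot starts with its length byte */
        if (len_byte >= start && len_byte < end && k != line)
            return (int)k;
    }
    return -1;
}

/* Unchecked store, as the editor effectively behaved: write the counted
 * string at whatever offset the 16-bit arithmetic produced.  Returns the
 * offset actually written to. */
uint16_t store_line_unchecked(uint16_t line, const char *text) {
    size_t n = strlen(text);
    if (n > LINE_SLOT - 1) n = LINE_SLOT - 1;    /* lines are truncated to 80 chars */
    uint16_t off = wrapped_offset(line);
    segment[off] = (uint8_t)n;                   /* Pascal-style length byte */
    memcpy(&segment[off + 1], text, n);
    return off;
}

/* Hardened version: reject the line index before any arithmetic, compute
 * in 32 bits so nothing wraps, and confirm the slot fits in the segment.
 * Returns the offset, or -1 when the line is rejected. */
int32_t checked_offset(uint32_t line) {
    if (line >= MAX_LINES) return -1;
    uint32_t off = line * LINE_SLOT;
    if (off > SEG_SIZE - LINE_SLOT) return -1;
    return (int32_t)off;
}

bool store_line_checked(uint32_t line, const char *text) {
    int32_t off = checked_offset(line);
    if (off < 0) return false;
    size_t n = strlen(text);
    if (n > LINE_SLOT - 1) n = LINE_SLOT - 1;
    segment[off] = (uint8_t)n;
    memcpy(&segment[off + 1], text, n);
    return true;
}

/* Length byte currently stored for a given slot. */
uint8_t slot_length(uint32_t slot) {
    return segment[slot * LINE_SLOT];
}

/* Walk through the scenario from the talk: a valid line sits in slot 1, then
 * an 80-character line is inserted at line 810.  The write wraps to offset 74
 * and runs through slot 1's length byte.  Returns that length byte afterwards. */
int demo_wrap(void) {
    char text[LINE_SLOT];
    memset(text, 'A', LINE_SLOT - 1);
    text[LINE_SLOT - 1] = '\0';
    store_line_checked(1, "hello");              /* slot 1 now has length 5 */
    store_line_unchecked(810, text);             /* wraps and overruns slot 1 */
    return slot_length(1);                       /* now 'A' (65), no longer 5 */
}

int main(void) {
    printf("line 810 -> 16-bit offset %u, clobbers slot %d\n",
           wrapped_offset(810), clobbered_slot(810));
    printf("slot 1 length byte after the wrapped write: %d\n", demo_wrap());
    printf("checked_offset(810) = %d (rejected)\n", checked_offset(810));
    return 0;
}
```

The checked variant fails closed on the line index rather than on the offset: the product can only wrap for line numbers that are already far beyond the message limit, so a bounds check on the input is both the simplest and the earliest place to stop the corruption.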