PoC||GTFO
VOLUME 2
THE BOOK OF POC||GTFO, VOLUME 2.
Copyright © 2018 by Travis Goodspeed.
While you are more than welcome to copy pieces of this book and distribute it electronically, only No Starch Press may produce this printed compilation commercially. Feel free to photocopy these articles for classroom use, or just to do your part in the самиздат tradition.
Printed in China
First printing
22 21 20 19 18 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-934-5
ISBN-13: 978-1-59327-934-9
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; [email protected]
www.nostarch.com
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
This is not a book about astronomy; rather, this is a book about telescopes.
Man of The Book
Manul Laphroaig, T.G. S.B.
Editor of Last Resort
Melilot
TEXnician
Evan Sultanik
Editorial Whipping Boy
Jacob Torrey
Funky File Supervisor
Ange Albertini
Assistant Scenic Designer
Philippe Teuwen
and sundry others
Contents
Introduction
9 Elegies of the Second Crypto War
9:1 Zen and the Art of PoC
9:2 From Newton to Turing by Manul Laphroaig
9:3 Globalstar Satellite Comms
by Colby Moore
9:4 Pool Spray Tips
by Peter Hlavaty
9:5 2nd Underhanded Crypto
by Birr-Pixton and Arciszewski
9:6 Cross-VM Side Channels
by Sophia D’Antoine
9:7 Antivirus Tumors
by Eric Davisson
9:8 Brewing TCP/IPA
by Ron Fabela
9:9 APRS and AX.25 Shenanigans
by Vogelfrei
9:10 Galaksija
by Voja Antonić
9:11 Root Rights are a Grrl’s Best Friend
by fbz
9:12 What if you could listen to this PDF?
by Philippe Teuwen
9:13 Oona’s Puzzle Corner
by Oona Räisänen
10 The Theater of Literate Disassembly
10:1 Please stand; now, please be seated
10:2 The Little, Brown Dog
by Manul Laphroaig
10:3 Pokémon Plays Twitch
by DwangoAC, Ilari and P4Plus2
10:4 This PDF is a Gameboy exploit
by Philippe Teuwen
10:5 SWD Marionettes
by Micah Elizabeth Scott
10:6 Reversing a Pregnancy Test
by Amanda Wozniak
10:7 Apple ][ Copy-Protection Techniques
by Peter Ferrie
10:8 Reverse Engineering the MD380
by Travis Goodspeed
11 Welcoming Shores of the Great Unknown
11:1 All aboard!
11:2 In Praise of Junk Hacking
by M. Laphroaig
11:3 Star Wars on a Vector Display
by Trammell Hudson
11:4 MBR Nibbles
by Eric Davisson
11:5 E7 Protection of the Apple ][
by Peter Ferrie
11:6 A Tourist’s Guide to Cortex M
by Goodspeed and Speers
11:7 Ghetto CFI
by Jeffrey Crowell
11:8 A Tourist’s Guide to MSP430
by Speers and Goodspeed
11:9 The Treachery of Files
by Evan Sultanik
11:10 In Memory of Ben Byer
by FailOverflow
12 Collecting Bottles of Broken Things
12:1 Lisez Moi!
12:2 Surviving the Computation Bomb
by Manul Laphroaig
12:3 Z-Wave Carols
by Badenhop and Ramsey
12:4 Comma Chameleon
by Krzysztof Kotowicz, Gábor Molnár
12:5 A Crisis of Existential Import
by Chris Domas
12:6 Network Job Entries
by Soldier of Fortran
12:7 Ирония Судьбы
by Mike Myers and Evan Sultanik
12:8 UMPOwn: Ring 3 to Ring 0 in 3 Acts
by Alex Ionescu
12:9 A VIM Execution Engine
by Chris Domas
12:10 Doing Right by Neighbor O’Hara
by Andreas Bogk
12:11 Are Androids Polyglots?
by Philippe Teuwen
Charade des temps modernes
13 Stones from the Ivory Tower, Only as Ballast
13:1 Listen up you yokels!
13:2 Reverse Engineering Star Raiders
by Lorenz Wiest
13:3 How Slow Can You Go?
by James Forshaw
13:4 A USB Glitching Attack
by Micah Elizabeth Scott
13:5 MD380 Firmware in Linux
by Travis Goodspeed
13:6 Silliness in Three Acts
by Evan Sultanik
13:7 Reversing LoRa
by Matt Knight
13:8 A Sermon on Plumbing, not Popper
by P.M.L
13:9 Where is ShimDBC.exe?
by Geoff Chappell
13:10 A Schizophrenic Ghost
by Sultanik and Teuwen
Useful Tables
Index
Colophon
Introduction
Dear reader, this is a weird book.
This is the second volume of collected works from the prestigious International Journal of Proof of Concept or Get The Fuck Out, a publication for ladies and gentlemen with an interest in reverse engineering, file format polyglots, radio, operating systems, and other assorted technical subjects. The journal’s individual issues are published in a variety of countries across the Americas and Europe, but this volume you hold contains five of our finest releases in 784 action-packed pages, indexed and cross referenced for your convenience.
These articles are the very best stories that engineers and programmers might swap in front of a campfire, the clever tricks that are all too often rejected from the academic conference, but swapped discretely in its hallways by those who know better than their peers. Like the Brothers Grimm, our little gang has spent years collecting these stories, editing and illustrating them so that they won’t be forgotten.
Concerning radio, you will learn how Colby Moore reverse engineered Globalstar’s simplex communications protocol,1 how Vogelfrei sees the AX.25 protocol that underlies much of ham radio,2 how Badenhop and Ramsey join Z-Wave networks with a stolen crypto key,3 and how Matt Knight reverse engineered the real details of the LoRa protocol, which differ from the patent.4
If you’re more interested in preserving vintage hardware, we have an English translation of the article by Voja Antonić that introduced the very first Yugoslavian computer,5 the most complete modern collection of tricks for breaking Apple ][ copy protection,6 and the tale of how Lorenz Wiest reverse engineered every last byte of Star Raiders.7
For modern targets, you will find Travis Goodspeed’s work reverse engineering the Tytera MD380 two-way radio8 and emulating its AMBE audio codec under Linux,9 Peter Hlavaty’s tips for spraying the Windows kernel pools,10 Alex Ionescu’s UMPOwn technique for escalating from Ring 3 to Ring 0 on Windows,11 and Micah Elizabeth Scott’s impressive work with a Wacom tablet.12
You will also find some damned clever file format tricks, which are explored through polyglot files that are valid in more than one format. In addition to being valid PDF and ZIP files, pocorgtfo09.pdf is also a valid WavPack audio file;13 pocorgtfo10.pdf is a recording of button presses to exploit Pokémon Red with an IRC client as a payload;14 pocorgtfo11.pdf is a Ruby quine that hosts itself over HTTP;15 pocorgtfo12.pdf is a self-replicating Android application that can be installed like any other APK file, and then shared with another phone over Bluetooth;16 and pocorgtfo13.pdf is a PostScript file, but be careful rendering it, because it will include a copy of /etc/passwd!
Each of these technical tricks, however simple or complicated, was written by a good neighbor much like yourself. With a bit of patience and perseverance, the details in these articles should be sufficient for you to repeat those results, rebuilding these proofs of concept in your own home, on your own computer, with your own mind.
And as you study these pages, you will learn the differences between how machines ought to work and how they really do work. You will see that software can be exploited to create strange behavior, that hardware can be patched with altered firmware, that files can be legal in more than one format, and other fine facts. Far more importantly than knowing that these things are possible, you will learn to do these things yourself. Ain’t that nifty?
Your neighbor,
Pastor Manul Laphroaig, T.G. S.B.
9 Elegies of the Second Crypto War
PASTOR MANUL LAPHROAIG’S
TABERNACLE CHOIR
SINGS REVERENT ELEGIES
OF THE
SECOND CRYPTO WAR
9:1 Zen and the Art of PoC
Neighbors, please join me in reading this tenth release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. This is our tenth release, given on paper to the fine neighbors of Novi Sad, Serbia and Stockholm, Sweden.
Page 13 contains our very own Pastor Manul Laphroaig’s sermon on Newton and Turing, in which we learn about the academics’ affection for Turing-completeness.
On page 20, Colby Moore provides all the details you’ll need to sniff simplex packets from the Globalstar satellite constellation.
Page 31 introduces some tips by Peter Hlavaty of the Keen Team on kernel pool spraying in Windows and Linux.
Page 43 presents the results of the second Underhanded Crypto Contest, held at the Crypto Village of Defcon 23.
On page 47, Sophia D’Antoine introduces some tricks for communicating between virtual machines co-located on the same physical host. In particular, the mfence instruction can be used to force strict ordering, interfering with CPU instruction pipelining in another VM.
Eric Davisson, on page 57, presents a nifty little trick for causing quarantined malware to be re-detected by McAfee Enterprise VirusScan! This particular tumor is benign, but we bet a neighborly reader can write a malignant variant.
Ron Fabela of Binary Brew Works, on page 61, presents his recipe for TCP/IPA, a neighborly beer with which to warm our hearts and our spirits during the coming apocalypse.
Vogelfrei shares with us some tricks for APRS and AX.25 networking on page 71. APRS exists around much of the western world, and all sorts of mischief can be had through it. (But please don’t be a jerk on the airwaves.)
Much as some readers think of us as a security magazine, we are first and foremost a systems-internals journal with a bias toward the strange and the classic designs. Page 84 contains a reprint, translated from the original Serbian, of Voja Antonić’s article on the Galaksija, his Z80 home computer design, the very first in Yugoslavia.
fbz is a damned fine neighbor of ours, both a mathematician and a musician. On page 126 you’ll find her latest single, Root Rights are a Grrl’s Best Friend! If you’d rather listen to it than just read the lyrics, run vlc pocorgtfo09.pdf and jump to page 128, where Philippe Teuwen describes how he made this fine document a polyglot of PDF, ZIP, and WavPack.
On page 131, you will find Oona’s Puzzle Corner, with all sorts of nifty games for a child of five. If you aren’t clever enough to solve them, then ask for help from a child of five!
“Academics should just marry Turing Completeness already!”
—The Grugq
9:2 From Newton to Turing, a Happy Family
by Pastor Manul Laphroaig, D.D.
When engineers first gifted humanity with horseless carriages that moved on rails under their own power, this invention, for all its usefulness, turned out to have a big problem: occasional humans and animals on the rails. This problem motivated many inventors to look for solutions that would be both usable and effective.
Unfortunately, none worked. The reason for this is not so easy to explain—at least Aristotelian physics had no explanation, and few scientists till Galileo’s time were interested in one. On the one hand, motion had to be brought on by some force and tended to kinda barrel about once it got going; on the other hand, it also tended to dissipate eventually. It took five hundred years from doubting the Aristotelian idea that motion ceased as soon as its impelling force ceased to the first clear pronouncement that motion in the absence of external forces was a persistent rather than a temporary virtue; and another six hundred for the first correct formulation of exactly what quantities of motion were conserved. Even so, it took another century before the mechanical conservation laws and the actual names and formulas for momentum and energy were written down as we know them.
These days, “conservation of energy” is supposed to be one of those word combinations to check off on multiple-choice tests that make one eligible for college.1 Yet we should remember that the steam engine was invented well before these laws of classical mechanics were made comprehensible or even understood at all. Moreover, it wasn’t until nearly a century after Watt’s ten-horsepower steam engine patent that someone formulated the principles of thermodynamics that actually make a steam engine work—by which time it was chugging along at ten thousand horsepower, able to move not just massive amounts of machinery but also the engine’s own weight along the rails, plus a lot more.2
All of this is to say that if you hear scientists doubting that an engineer can accomplish things without their collective guidance, they have a lot of history to catch up with, starting with that thing called the Industrial Revolution. On the other hand, if you see engineers trying to build a thing that just doesn’t seem to work, you just might be able to point them to some formulas that suggest their energies are best applied elsewhere. Distinguishing between these two situations is known as magic, wisdom, extreme luck, or divine revelation; whoever claims to be able to do so unerringly is at best a priest, not a scientist.3
There is an old joke that whatever profession needs to add “science” to its name is not so sure it is one. Some computer scientists may not take too kindly to this joke, and point out that it’s actually the word “computer” that’s misleading, as their science transcends particular silicon-and-copper designs. It is undeniable, though, that hacking as we know it would not exist without actual physical computers.
As scientists, we like exhaustive arguments: either by full search of all finite combinatorial possibilities or by tricks such as induction that look convincing enough as a means of exhausting infinite combinations. We value above all being able to say that a condition never takes place, or always holds. We dislike the possibility that there can be a situation or a solution we can overlook but someone may find through luck or cleverness; we want a yes to be a yes, a no to mean no way in Hell. But full search and induction only apply in the world of ideal models—call them combinatorial, logical, or mathematical—that exclude any kinds of unknown unknowns.
Hence we have many models of computation: substituting strings into other strings (Markov algorithms), rewriting formulas (lambda calculus), automata with finite and infinite numbers of states, and so on. The point is always to enumerate all finite possibilities or to convince ourselves that even an infinite number of them does not harbor the ones we wish to avoid. The idea is roughly the same as using algebra: we use formulas we trust to reason about any and all possible values at once, but to do so we must reduce reality to a set of formulas. These formulas come from a process that must prod and probe reality; we have no way of coming up with them without prodding, probing, and otherwise experimenting by hunch and blind groping—that is, by building things before we fully understand how they work. Without these, there can be no formulas, or they won’t be meaningful.
So here we go. Exploits establish the variable space; “science” searches it, to our satisfaction or otherwise, or—importantly to save us effort—asserts that a full and exhaustive search is infeasible. This may be the case of energy conservation vs. trying to construct a safer fender—or, perhaps, the case of us still trying to formulate what makes sense to attempt.
That which we call the “arms race” is a part of this process. With it, we continually update the variable spaces that we wish to exhaust; without it, none of our methods and formulas mean much. This brings us to the recent argument about exploits and Turing completeness.
Knowledge is power.4 In the case of the steam engine, the power emerged before the kind of knowledge called “scientific” if one is in college or “basic” if one is a politician looking to hitch a ride—because actual science has a tradition of overturning its own basics as taught in schools for at least decades if not centuries. In any case, the knowledge of how to build these engines was there before the knowledge that actually explained how they worked, and would hardly have emerged if these things had not been built already.
PoC or GTFO, Volume 2 Page 1