(muffled audio) these were not imagined patterns. The mind -- this was something real. Something alien in its simplicity. (muffled) were there others who observed this -- stickiness. Able to untangle this perplexity. Understood this cipher that -- was around this key. [indiscernible]. This must be some kind of ... >> Like I said. All right. ...(applause)... >> Good morning, everyone. Welcome to DEFCON 20, fucking 3. Really? That's it. In the interest of time I'm going to kick it off. That cut the presentations to 45 minutes now, not an hour. When he is done, I'm going to escort him out. There are no Q and A rooms. With that, have a great presentation. >> Okay. Hi, everybody. I hope you enjoyed DEFCON. Okay. A question: do you play computer games? Yeah, okay. And there are a few who play computer games. Have you ever thought about getting hacked by the games you play? I am Tamas and I'm going to talk about that. There is a security camera here and if you don't want your face to show up on the screen, maybe you should sit back further or hide your face when the time comes. That's sad. Myself, my name is Tamas Szakaly. I'm from Hungary and I work for a security company called PR-Audit. I formed the European championship of global [indiscernible] and I'm not sure what is happening with the slides. They are ... changing automatically. Okay. So what am I? My favorite quote from my favorite movie summarizes this quite well. I am not a computer nerd, I prefer to be called a hacker. And I do [indiscernible] executables, I love tinkering with copy protection schemes. I just to -- but I just have to say this, I very, very much prefer Q demon, half-eaten fruits and pieces of glass in wooden frames. With that I have to make a confession. I'm sorry, guys. Slides are changing automatically. Something I fucked up with the PowerPoint, I think. Okay. So the confession: I was for years and I am in love with the -- API. It can be so disgustingly beautiful. [indiscernible] later on.
Okay. So now they are not changing, wow. Okay. Games and game modding. Since I'm talking to a room full of -- I'm sure I don't have to tell you about the urge to make things better, enhance your own ideas. And game modding is the same principle. You have the framework, the game, and you just have to create something of it. And you also have to share it with others. This is why -- will always play a big part in gaming. You can upload your creation and others can download and play them. Game security. One important aspect of this is multiplayer gaming. Nobody likes to play alone. Nearly all games have some sort of multiplayer functionality. What does this mean from a security standpoint? It means there is a constant exchange between the clients and the server and this data can be quite complex, like whole maps. Also they often use -- protocols. And you should realize this is a [indiscernible]. It is indeed worth (audio blipped) games. They have talked about zero -- in game (audio blipped). But I'm not going to talk about those games. I'm going to talk about scripting in games. There are lots and lots of games that incorporate scripting languages or existing languages. Why do they do this? They do this because it makes creating dynamic content easier. The other part of this is these scripting -- are available to modders. Could this be really dangerous? Stop right here for a moment and think about it. You as a game creator create a mod or map and incorporate some scripts in it. The player downloads the map or joins a server and the map gets downloaded automatically to his machine. And eventually that script you put in there will be run on his machine. Okay? So most of the game developers realize this can be a trap. So they try to do something nasty, and try to restrict functionality and implement sandboxes. But often they do this wrongly, they fail. Okay. If this kind of -- are done, I'm not the first one to realize this and I'm not.
There are lots and lots of references on the internet involving exploiting scripting in games. In fact, in 2014 there were several exploits that got huge gaming media coverage. If this is this common, why am I talking about this? Why am I talking at DEFCON? Because these scripting -- are used to [indiscernible] but they can be used to access your computer and through your computer they can be used to access your entire home network. Like your security cameras, your smart house components and stuff like that. And nobody seems to talk about this kind of stuff. Okay. So what are some of the daemons that are abusing scripting engines in games? My first [indiscernible] and the -- game. Remember when I said that most of the game developers realize that scripting can be a threat. Well, Crytek isn't one of them. They seem to realize resistant since they didn't implement sandboxes (audio blipped). -- with the -- and I'm going to show you this using a Crysis 2 mod that I created. Just one moment. Okay. It's loading. And I'm sure that at least some of you have thought about hacking something by the push of a big red button. But we're going to do that now. And just put down the -- so we're here on this deserted island and we have a big red button. Wonder what it does. I'm just going to push it and yeah ... Thank you, guys. Okay. How did I do that? In CryEngine 3 every object that can be used -- I'm going to -- okay. So every object has a USB attached to it and here you can see the big red button's and this is -- handler and you can see that it's just an os.execute and blah, blah, blah things. I can't really see ... Sorry. Okay. So that's how you can execute stuff via a Crysis 2 map on a player's machine. One thing, what was that backslash backslash hashtag thing? That is one of the reasons I love the API.
Every function that uses (inaudible) can accept -- if your team can accept a Windows [indiscernible] control, you have the chance to load DLLs or load executable files from that remote share and you don't have to write shellcode. You just have to use the share. And this has one nice side effect: you can steal -- responses if you can load a file. If you can get it to load a file. I'm going to show you this -- CryEngine 3 SDK which is a much newer version of CryEngine 3 than the one used in Crysis 2. And I have this [indiscernible] server set up here. And this is the same button with different code. It just tries to access a file from the share. Okay. Jump into the game. And push the button. Okay. Now I push the button and you can see on the server that there is indeed my NTLM challenge response. It's a nice trick, I think. Okay. Moving on. But before moving on, we are at slide No. [indiscernible] and I am personally not a believer in the -- but maybe the daemon gods are. So this -- [indiscernible]. So my next game is Dota 2. It uses a scripting engine but it has a sandbox. But that sandbox is leaky and it in fact has a huge leak. We can use the entire standard -- library. You can read files and write files. What does this mean? You can steal information, you can deploy stuff or just use the NTLM-stealing trick I just showed you. Or you can overwrite executables and I'm going to show you this in a video because -- sorry -- because again, it's not working. It stopped working a few days ago. Okay. That's the video. Sorry. I can't really see that. Okay. In this video I'm going to show you a Dota 2 mod where I attached a -- script to the NPC's handler. So when the NPC is found my code will run and this code will decode a base64 encoded executable and overwrite the Dota 2 main executable. The next time the gamer starts the game, it won't be the game that starts, but it will be our executable. Okay? So it's just loading the map. Takes a few seconds. I'm just ...
Commands, and you will see the game freezes a bit. It encodes the base64 executable and shortly you will see that, yeah, it got overwritten. You can see the size difference there. And when it tries to start the game, it will be the industry standard exploit -- tool. Thanks. I'm sorry. There's something wrong. PowerPoint. Okay. I will just do this this way. My next, surprise, surprise, it's a scriptable game called Digital Combat Simulator. A flight simulator. In fact this was the first game I found some script abuse in. I reported it to Eagle Dynamics and they fixed it and then I found another one that I am going to show you. Or rather I'm going to ask you if you can find the fault. On the screen you can see the entire sandbox implementation of DCS. Where is the leak? Where did Eagle Dynamics fuck up? You can win this fine bottle of Hungarian [indiscernible] if you know the answer. Nobody? Nobody speaks fluent? Then I'm just going to show you, it's on the 24th line. It's this line. They try to disable loading -- [indiscernible]; it shouldn't be loading. It is nothing in itself. That was the fault. Now, if you could tell me the answer, I've prepared some back up questions. First one being: the title of this talk is a quote. Who asked that question? I'm sure this is a right answer. But I was thinking about Joshua from WarGames. That's embarrassing, you were right. I don't know who answered first, but yes, you should find me after the talk, okay? And have your [indiscernible]. I just skipped my second back up question, which is what is my favorite movie. Jurassic Park; that was a quote from it. -- lots of exploits start out as crashes. This one will be a different crash. I created a mission in this flight simulator where I attached a script to the plane crash. This script does one thing. It [indiscernible] from a remote share. Let's start the game. Okay. Sorry, it's loading. I couldn't load all my games because I have only 8 gigs of RAM. It's loading ... Yeah. Okay.
I am going to jump into the cockpit of a ... That should be a [indiscernible] popping up. But yeah, it's under the ... under everything. That was it. Sorry. I don't want to take any more time. But yes, that popped up. You should believe me. Okay. So my next is a bit different. It's different for two reasons. This one won't abuse scripting but it will abuse a dangerous and not without feature in a game and also this time the gamer will be the bad guy. So we will attack the server. The game is ARMA 3. It's a military game. You can set up your name and logo and website and so on. Every time you join the server, this information will get displayed not just for you but for everyone on that server. And how does this work? In your profile you can set up a -- that points to an XML file and every time you join the server it will look for the XML file and parse your information from there. When I first read about this, I was like, this has got to be an [indiscernible], I'm sure of it. And it wasn't. But not to worry. It's still an SSRF and I am going to show you this. This daemon was based on real life experiences that was -- on the server. And he also had a PHP Charts server on the same machine, a PHP Charts server that was only accessible from the local host. This is a PHP Charts server. And PHP Charts is vulnerable to RCE that can be triggered by a [indiscernible]. What I'm going to do is edit my ... oh, jeez ... my profile. And set up a URL that triggers the PHP Charts exploit. So when I join the server, okay, I can't really see it, sorry. Which one is multiplayer? This one? Okay. Thanks. Sorry. Okay. So just put a bit away because I will have ... [indiscernible] since the PHP Charts will trigger a [indiscernible] as soon as I join the server. It's working. It's trying to join the server. It's a bit slow since there are several games running on the same machine. And yes, we've got a connection.
And this is a shell, you can see ID, name, so, yes, we have just executed code on a server. And I will ... This was a [indiscernible] that we didn't see the answer to. There are games where you can -- that you can see the answer to, too. And one of these games is Garry's Mod. You may remember that I talked about Garry's Mod. It had its share of related exploits in the past and this resulted in a pretty solid sandbox. Garry did fix a lot of things. But it also has a huge API. There are lots and lots of functions and yeah, there are some dangerous functions, too, like this one. There is an HTTP function and it uses this structure. As you can see, this is a screenshot from the documentation; you can see you can control every aspect of an HTTP request. You can control the methods and the headers and so on. What does this mean? If you create a map or mod or server in Garry's Mod, you can have a full-fledged HTTP proxy to the gamer's home network. Yeah, I'm going to show you that with a Garry's Mod mod I created. I have implemented three [indiscernible] commands that only superadministrators can use. One of them is ACK scan players. I -- as a superadministrator will issue this command and it will -- all players' networks at home for [indiscernible] servers. And hopefully it will find this camera here. Yes, it did. You can see it's an authorized access on that IP address. I'm just going to switch to duplicate. Sorry about that. But I can't see anything. Okay. Now my -- command is used to brute force an HTTP basic authentication server. So we are just going to put the user ID and the HTTP server's address here as parameters and we can see that it tries a few user name/password combos and it finds that the user name and password are admin admin. We have the user name and password for this camera here, now we can steal images through the game. This is what my third console command is used for. It also requires the user ID to know who to [indiscernible]. It requires a URL.
This URL can be from the HTTP server response. It could be brute forced but I didn't have the time for it. So when I issue the command, it should -- okay. It's working. Okay. It's received the image and yeah, here you are on the screen inside the game. Thanks. Okay. My final daemon: you should be afraid of mice. And we're not talking about those two guys, although they can be dangerous, too. I'm talking about this one. I don't know if you can see this. This is a G whatever mouse and like all Logitech it's [indiscernible] by the software. This code runs in a very, very tight sandbox. But it still can be certain -- by a guy named Corsix and his Company of Heroes [indiscernible]. He abused -- to achieve two tricks. The first trick is to get any -- get the memory address of any variable. The second one being able to create variables that point to arbitrary memory locations. These two tricks combined lead to arbitrary -- that leads to code execution. How did he do these two tricks? The first trick: in Lua every variable is a TValue. TValue is a -- that stores the actual value in its first 8 bytes. In case of a real number, that first 8 bytes is a double and in case of any other variables it's a pointer to a structure. For example for a -- string it's a TString pointer. If you can get [indiscernible] to, for example, a string as a number, then we can get that pointer with memory address. And of course he did exactly that. It used a for loop and the opcode is responsible for every parameter of the for loop is a number. We know the second code just assumed they are numbers. So they get [indiscernible] numbers and that's how you get memory addresses as doubles. Okay? So the second trick, it's a bit trickier. And it's done basically in these two lines. And I'm going to go through it line by line. Okay. [indiscernible] are entities that belong to functions and they represent function parameters or variables that are declared outside of the scope of the function.
So we create a string that looks like -- a value. We have a chunk of memory that can be -- of that value. An upvalue that points to the memory location, this end thing here. Second line. We want the address of that memory chunk. So we get the address of the string, but because the [indiscernible] string is a TString structure, we're going to need to add 24 bytes to it. Because the first 24 bytes of the TString structure is just metadata. So now we get the memory -- address in PTR. So next step. We modify the bytecode by hand. So that the variable magic will point to -- will be -- ...(foreign word)... representing Lua functions. We set up magic's value by concatenating the PTR string three times. So magic is a string. When it gets -- as a closure, you can see on the bottom part of the slide, characters 16 to 24 will be the closure's upvalues. It's an array of pointers. Since those characters are indeed -- we set the outer function's first upvalue to point to our memory address. The memory address you want to read or write. And because the first [indiscernible] value of that function is magic, we can access that memory address via magic. Okay? So how did Corsix exploit this? It creates a C closure in Lua. A C closure is a Lua representation of a function pointer [indiscernible]. He then replaced this function pointer with a pointer to -- load which is also a C closure function. And it's basically a wrapper around LoadLibrary. So after that, when he called the core routine of the [indiscernible] as a parameter, he can load that -- [indiscernible] space of the game. What did I do differently? Keep in mind it's a 64-bit exploit and his was 32. What does this mean? It means that the layouts and -- packing are different. The calling conventions are different. So we can't modify function parameters as they are not -- in memory, they are not on the stack. They are passed in registers.
The most important difference of this -- the most important thing of this 64-bit difference is that the size of a double equals the size of a pointer. This makes this exploit a lot easier. Since you don't have to worry about the size difference by using the first trick. Okay? And I also couldn't call [indiscernible] since ll_loadlib is just the start when you have Lua as the start code. I have to -- functions directly. I have to find a useful native function that accepts one parameter that is a pointer. LoadLibrary is a good candidate since it accepts a string and -- execute would be, too. So we have to get LoadLibrary's address. We have to replace -- with LoadLibraryA and override the [indiscernible] with the LUA8. This is because we can't modify the parameter itself, we have to modify the data that it points to. The pointer points to the Lua state so we have to overwrite that. And we have to decode [indiscernible] and execute the LoadLibrary. How to get the address of the [indiscernible]? It gives you back the state so that is easy. There were some -- I had to stop the garbage collector and I had to restore the Lua state. And one of the questions remains: how to get LoadLibrary's address? The simple solution is to use the memory difference in the PE executable to calculate the LoadLibrary address. There is a much more generic solution: you can get and read the address of the NT header. From that you can have the import directories, you can search for -- [indiscernible] and you can have LoadLibrary's address from the import address table. All this with these two tricks. This is much, much more generic and something like that can be used on other operating systems. With this approach there is a restriction: you can only overwrite 16 bytes of the Lua state. This is not really a problem since we can omit the DLL and LoadLibrary will still find the DLL. If you use UNC paths, we have 9 characters for an IP address or a domain name. So it's not really a problem.
Okay. I'm running out of time, I think. So I'm just going to show you this -- here is the profile with the script. This is the script and it's attached to the middle mouse button. When I press the middle mouse button, a cat appears. So we are at the end of my talk. One question: should we listen to Joshua and just stick to a nice game of chess? Of course. We should play computer games but we should be aware of these traps. And [indiscernible] those interlopers should pay more attention to this kind of stuff. Okay. This concludes my talk. Thank you very much for listening and have a good DEFCON.
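The talk's recurring point is that game sandboxes built as a blacklist of "dangerous" globals (the DCS line that nils the wrong name, the Dota 2 sandbox that leaves the standard file library reachable) fail silently. The following is an added example, not code from the talk or from any of the games it covers: a whitelist-style Lua 5.1 sandbox for untrusted mission or map scripts, with an audit function that checks the script's environment for the names that should never be reachable. The `FORBIDDEN` list, the helper names and the sample scripts are this example's own assumptions.

```lua
-- Added example (not from the talk or any game's code): a whitelist sandbox
-- for untrusted mission/map scripts in Lua 5.1, plus an audit of the
-- environment it hands to the script.

-- Names that must never be reachable from an untrusted script (assumption:
-- plain Lua 5.1 host; a real engine adds its own native bindings here).
local FORBIDDEN = {
  "io", "os", "package", "require", "loadlib", "dofile", "loadfile",
  "loadstring", "load", "debug", "setfenv", "getfenv", "_G", "module",
}

local function shallow_copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Build the environment from an explicit whitelist. Nothing is inherited
-- from _G, so a blacklist slip such as `loadlib = nil` (a no-op: the real
-- function is package.loadlib) cannot leave a loader exposed; anything not
-- listed here simply does not exist for the script.
local function make_env()
  return {
    print = print, pairs = pairs, ipairs = ipairs, next = next,
    type = type, tostring = tostring, tonumber = tonumber, select = select,
    unpack = unpack, pcall = pcall, error = error, assert = assert,
    -- copies of the pure libraries, so a script cannot tamper with the host's
    math = shallow_copy(math), string = shallow_copy(string),
    table = shallow_copy(table),
  }
end

-- Walk the environment (nested tables included) and list every forbidden
-- name reachable from it; an empty list means the sandbox is clean.
local function audit_env(env)
  local found, seen = {}, {}
  local function walk(t, path)
    if seen[t] then return end
    seen[t] = true
    for k, v in pairs(t) do
      for _, name in ipairs(FORBIDDEN) do
        if k == name then found[#found + 1] = path .. name end
      end
      if type(v) == "table" then walk(v, path .. tostring(k) .. ".") end
    end
  end
  walk(env, "")
  return found
end

-- Accept source text only (the upvalue tricks above need hand-edited
-- bytecode, which is refused here) and run it with the whitelist as globals.
local function run_untrusted(src, chunkname)
  if src:byte(1) == 27 then return false, "bytecode chunks are rejected" end
  local fn, err = loadstring(src, chunkname or "=mission")
  if not fn then return false, err end
  local env = make_env()
  if #audit_env(env) > 0 then return false, "environment leaks a forbidden name" end
  setfenv(fn, env)
  return pcall(fn)
end

-- Constructed samples: a probe for a loader, and a legitimate script.
print(run_untrusted([[ return package.loadlib ~= nil ]]))
print(run_untrusted([[ return string.format("%d units", 3) ]]))
```

The first sample fails inside the sandbox because `package` does not exist there at all, which is the property a blacklist cannot guarantee; `audit_env` is also useful as a unit test against an engine's real environment after each API addition.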
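Two of the demos above (the ARMA 3 profile XML fetched by the server, and the Garry's Mod HTTP function used as a proxy into players' home networks) share one root cause: the game fetches a URL chosen by remote content without checking where it points. The following is an added example, not code from the talk or from either game: a destination check in Lua that refuses non-HTTP schemes, loopback and private IPv4 targets, and ambiguous numeric hosts. It assumes the caller also resolves the hostname and re-checks the resolved address with `is_private_ipv4`; the function names and sample URLs are this example's own.

```lua
-- Added example (not from the talk or from any game's code): a destination
-- check for URLs that remote content asks a game to fetch. Assumption: the
-- caller resolves the hostname afterwards and re-checks the resolved
-- address with is_private_ipv4, so DNS tricks cannot bypass the filter.

-- Parse a strict dotted-decimal IPv4 literal; returns four octets or nil.
-- Leading zeros are refused because some resolvers read them as octal.
local function parse_ipv4(host)
  local o = { host:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
  if #o ~= 4 then return nil end
  for i = 1, 4 do
    if o[i]:match("^0%d") or tonumber(o[i]) > 255 then return nil end
    o[i] = tonumber(o[i])
  end
  return o[1], o[2], o[3], o[4]
end

-- True for addresses a game should never contact on behalf of remote
-- content: loopback, RFC 1918, link-local, CGNAT, multicast/reserved.
local function is_private_ipv4(host)
  local a, b = parse_ipv4(host)
  if not a then return false end
  return a == 0 or a == 10 or a == 127 or a >= 224
      or (a == 169 and b == 254)
      or (a == 172 and b >= 16 and b <= 31)
      or (a == 192 and b == 168)
      or (a == 100 and b >= 64 and b <= 127)
end

-- Decide whether a URL may be fetched. Returns true, or false plus a reason.
local function url_allowed(url)
  local scheme, authority = url:match("^(%a[%w+.-]*)://([^/?#]+)")
  if not scheme then return false, "not an absolute URL" end
  scheme = scheme:lower()
  if scheme ~= "http" and scheme ~= "https" then
    return false, "scheme not allowed: " .. scheme
  end
  -- strip user:pass@ and :port, then normalise case
  local host = authority:gsub("^[^@]*@", ""):gsub(":%d+$", ""):lower()
  if host:sub(1, 1) == "[" then return false, "IPv6 literals not supported" end
  if host == "localhost" or host:match("%.localhost$") then
    return false, "loopback hostname"
  end
  -- hex, octal or single-integer forms of an address are refused outright
  if host:match("^[%d%.xX]+$") and not parse_ipv4(host) then
    return false, "ambiguous numeric host"
  end
  if is_private_ipv4(host) then return false, "private or loopback address" end
  return true
end

-- Constructed sample URLs; the first two are the kinds of targets the
-- camera and localhost-only server demos above reached.
print(url_allowed("http://192.168.1.20/snapshot.jpg"))
print(url_allowed("http://localhost:8080/"))
print(url_allowed("file:///C:/Windows/win.ini"))
print(url_allowed("https://example.com/squad.xml"))
```

A check like this belongs in the engine's HTTP binding, not in the mod API, so that a map, mod or server operator cannot opt out of it; redirects must be re-checked with the same function at every hop.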