Well, hello DEF CON. My name is Paul Craig. I work for a company called Security-Assessment.com. I live in sunny Singapore, possibly the other place that's as hot as Vegas. I'm a pentester, and basically I hack stuff. This is my world.

Okay, so today's overview. This is a hack conference, right? When I come to a hack conference, the last thing I want to fucking see is PowerPoint. Why do I not want to see PowerPoint? Because PowerPoint is not hacking. All right, so I do have a slide deck. I'm going to go through my slide deck, but I'm specifically designing this presentation so there's actually not a whole lot of slides. I don't really like slides. We're going to do lots of hacking. Specifically, we're going to be hacking kiosks, internet kiosk terminals. So I'm going to explain to you guys who I am, what my fetish with kiosks is about, how I break into kiosks. And then I'm just going to break into kiosks, all right? And yeah, we're going to have some fun.

Okay, so what is an internet kiosk? An internet kiosk, well, as you can see from the picture just there, that was taken in the Rio. It's basically that little computer sitting in the corner of a room that has internet access. So it's usually an x86 desktop running some breed of Windows, sometimes Linux. It costs you four or five dollars and you can browse the internet and you can do something on it. You find them mostly in hotels, motels, airports, all these crazy places.

Okay, so I kind of call myself the self-proclaimed king of kiosk hacking. So how did this come about? About five years ago I got a pentest engagement working for a bank in New Zealand. And the pentest engagement was to look at a kiosk that they were deploying in the foyer of the bank, as the kiosk was plugged directly into the corporate network. So I rocked up, I was like, oh, I've never seen one of these kiosks before, I'm sure I can probably do something with it. And I found pretty quickly that I could.
I could actually bust through the kiosk, get access to the OS. And then from the OS I had full access to the bank's corporate network from the foyer. So I didn't even have to go through the security doors. And I think pretty much from that point on I was fucking hooked on these things. Because I realized that it's the attack avenue that people don't really know about. It's the thing that works as well. So I was hooked, fascinated, addicted, obsessed. And basically I spent all my time hacking these kiosks. My colleagues were saying, like, Paul, why the fuck do you want to hack these things? But I knew right then and there that I just had to become the world's best person at hacking these damn kiosks. So my colleagues continued to call me, over the years, that crazy kiosk guy. All I did was hack kiosks. Whenever I saw them I had to get shell.

And it actually became quite a problem for me. It became an addiction. It became something that really started to run my life. So I had to go see a psychiatrist. I found someone to talk to, and they said, look man, you have what's called an addictive personality. Essentially you can become addicted to things that aren't addictive. Fucking awesome. Excellent. Okay, all right. You need a distraction, I was told. You need a distraction. So, like, okay, all right. Distraction number one. Nah, it didn't really work so well. Distraction number two. Nah, it didn't really work so well. Distraction number three. Nah, the kiosks just won.

So, of the eight stages of grief, the seven stages of acceptance. I basically realized that there's got to be someone in the world who's hacking these kiosks. If I don't do it, the vendor's going to fucking win. We can't have that. So I said screw it. Let's take ownership of my addiction. Let's embrace my passion. Let's fucking hack all of them. Every vendor, every product, every platform, systematically, methodically create and publish everything I do.
I'd basically be very open about this and try and just rape and pillage all the kiosks. Yeah, more. That's basically one guy from New Zealand versus the entire kiosk software industry. So I wrote a list of every kiosk vendor I could find. There's like 22, 23 of these guys. And for each vendor I tried to produce a series of repeatable steps. I wrote tools, scripts, add-ons, plugins, all these things that helped me compromise these kiosks. And then I tried to compile all of my research and all of my tools into one place. I wanted it to be easy for all of you guys to basically hack a kiosk as well. Have me in a box, so to speak.

And of course, the fruit of all my efforts became iKAT, the Interactive Kiosk Attack Tool. It's essentially a software-as-a-service website that you visit from a kiosk, right? And this website owns the kiosk for you. You click, shells appear, is basically how it goes, right? You guys see where this is going. So DEF CON 16, I rocked up to Vegas. I was like, whoa, I got this thing called iKAT. Check it out. And it went well. It actually went really, really well. Too well. During my presentation I said, you guys know that you can hack all the kiosks in the Riv in about 10 seconds. And they did. For anyone who was at the Riv, they actually had the security guards in and they had the police there and they'd been guarding the kiosks. Because basically people were just popping shells, defacing them and having porn up on all the kiosks.

And this really began the cat and mouse game of kiosk hacking with me and particularly with kiosk vendors. So the majority of kiosk vendors found out about iKAT. They watched the presentation when the videos got released and they started fixing all of the stuff that I found, all of my bugs. They also blocked iKAT, the URL. It's all right, okay, all right. A year later, iKAT 2 rolled around, I found new bugs. I found new exploits, new tricks, new technologies. I'm like, fuck you guys, I'm going to do it again.
So I did it again. And it was awesome. I got lots of shells. Woohoo. And then a few months after release, the same thing happened again. They fixed it all. So I was like, okay, all right. I'm a professional hacker. You can't stop me. I will win. I'll just keep going. I'm very persistent. So the next year rolled around, DEF CON 18, I released this, iKAT v3. It's actually the same deal, new 0-day, new tricks, new magic. And also trying to just expand everything that I could own. So I focused on Citrix terminals, touch screen kiosks, photo kiosks. Basically anything that you could interact with by touch, you could pop shell on, all right. Yeah.

The downside of this sort of approach is that I've actually single-handedly raised the security bar for internet kiosk terminals. Because every year these guys fix, like, vast quantities of bugs. Yeah. So it's good for you guys. It's also good for you guys to clap. This makes my job a hell of a lot harder. All right. So DEF CON 19. I came up with, well, I said screw it. Let's do it again. So iKAT 4, iKAT v4, the Vengeance edition. Basically I'm taking vengeance against the kiosk vendors. iKAT is now used by about 35 to 40 kiosks per day all around the world. I see airports, hotels, lots and lots of places, lots of casinos. It's now become basically the de facto standard for hacking a kiosk. And Vengeance is by far the smoothest, easiest, mostly bug-free kiosk hacking tool. It also features this very nice commissioned artwork of the iKAT girl holding a bloody heart. Yeah. So this is what I'm going to be hacking some kiosks with today. Oh look, here's a kiosk we hacked earlier. This was actually in Vegas yesterday, the day before. So you can see just how well it works.

Okay. So a little bit about how kiosks work, how the kiosk security model works. Kiosk vendors obviously take security very seriously. The reason they take security very seriously is that a secure kiosk product is not a cheap kiosk product.
So you see lots of words about monitoring and protecting and blocking and restricting. Yeah. User access, system management, PC lockdown, access controls. Basically they try and stop me from doing stuff on the kiosk, and stop you guys. Now how do they do this? They do this through four distinct methods. Firstly they have what's called user interface security. You find that on a kiosk you're missing all the buttons. You're missing maybe the start bar, you're missing menus, toolbars. Yeah, you're missing the functionality you want. You're missing the way to get to Explorer and pop shell. The second thing you'll notice is that you have an activity blacklist. If you do pop shell, the kiosk will probably detect that you popped a shell and then try and close the shell. You're like, oh no, you're running a tool which is prohibited. Thirdly, the kiosk is usually running in a hardened kiosk environment. So you will find Group Policy, SRP and AppLocker around the kiosk. So they try and restrict you and block you at every possible level.

Okay, so this is an example of how a kiosk basically locks itself down. This is SiteKiosk. These guys really fucking hate me. We see that when we run SiteKiosk just how much the XP desktop environment changes. So we have standard XP here. Run SiteKiosk, bang, the start bar disappears and it gets replaced with this one, which is a kind of clone. It's kind of gummy, you know, like it's missing all the stuff. And we're now inside the jailed kiosk environment. Now inside their little shell.

All right, so these are the things I've learned about the kiosk security model. Firstly, blacklists don't work. In the security industry we know that blacklists do not work. If you stop me from doing one thing, I'll do it a different way. Because there's like 10 million ways of doing the exact same thing on any modern operating system.
The second thing I found was that websites you visit from a kiosk terminal usually have more access controls, or access rights, than you as a person on the kiosk itself. All right, so none of the vendors really took the remote attack into consideration. They just didn't think someone would do it. Thirdly, the underlying browser libraries that these kiosks are based on, they're usually IE. All right, so IE has this security model where it basically trusts the dude on the keyboard. It'll ask you, it'll say, do you want to run this? Are you sure you want to run this? This can potentially come from a malicious website. Well, if you're hacking the kiosk, you say yes. This is a problem. And lastly, Microsoft has these 10 immutable laws of security. And basically law number three: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. It's fucking mine. All right, so operating systems will trust the local user, so a kiosk is against the grain of the operating system. Essentially, the kiosk vendors have the hardest job in the world because the operating system is trying to contrast what the kiosk software is doing. And all you need is one instance. All you need is one instance where the kiosk platform will trust you and then bang, you've got shell. And as you'll see, it's very easy to get shell.

Okay, so hacking kiosks. The great thing about hacking kiosks is that it's really goddamn easy. It's like solving a puzzle. Essentially, the problem is, how do you pop shell without a start bar? All right, maybe you go like File, Open, then find the start bar, or find cmd.exe and run that. Maybe you find a creative or a different way of using Windows in order to get what you want. It's very visual. It's very easy to follow. And I actually think it's very hackery, you know, like you can almost see this in Hackers, the movie, kind of thing. All right, so this is my approach for breaking kiosks. This is a quick rundown on my methodology.
First thing I do is I try and identify the platform and the vendor software in use. I figure out what my attack platform is. All right, I'll show you guys iKAT and I'll run through how I do this using my tool. But essentially I have a button that says detect applications. And it goes around and it tells you what's on the kiosk, what's installed and what you have to fuck with. We can also visually tell quite a few things. So this is a Linux kiosk. I can tell it's a Linux kiosk because the mouse cursor isn't as well drawn as the Windows one and it's got that funny little stopwatch thing. The buttons have a different level of depth and a different amount of color, but you can tell that this is Linux just visually by looking at it. On the other hand, this is Windows. We can tell the mouse cursor is different. All right, we can also tell because it's got all this fucking crap on the page. Yeah, we can visually really identify what our platform is.

So the next thing I do is I try and enumerate all of the available windows. All right, so what I'm looking for when I say enumerate windows is I'm looking for a common dialog. I'm looking for an open file, print file, save. The reason I want file open or file save is that these controls essentially use Explorer, and Explorer is WebDAV enabled. All right, so let me put this in a different way. If I can get Notepad to spawn up on a kiosk, I can use Notepad and go File, Open, http://file, and it will download that file and put it into Notepad because the file open box is WebDAV enabled. It's essentially a web browser. So anything that has file open, we can retrieve files. Anything that has file save, we can actually save files remotely using WebDAV. So we find creditcards.txt, we can file save to another place. The third thing I do is I try and enumerate all of the applications that are installed.
So I look to see if there's a PDF reader installed, is Office installed, Windows Media Player, is anything installed on the kiosk that I can potentially leverage to pop shell. So can I load a PDF file which will then load cmd.exe? Can I load an Excel file which will have an embedded cmd.exe inside of it? With all these file format tricks, can I use another handling application to escape out of the kiosk jail? And we can also try different methods of trying to retrieve these files. We might find that a kiosk will restrict downloading XLS files, but if we download like file.xls?.txt, then the file gets retrieved. So these are standard vulnerabilities, typically web vulnerabilities, that we see in kiosk software.

So yeah, I had this email. I get a lot of fan email, I guess you'd say. And it's a dude from Egypt. And he was like, hey Paul, I want to hack the Egyptian tax kiosk. I was like, holy shit, man, if you get caught, they will fucking kill you. So I was like, okay, all right. I think I can work with this. I'd been talking to Didier Stevens at the time. And Didier had come out with an Excel in-memory trick where he basically uses Excel to create a section of memory, marks it executable, and jumps into it. And that section of memory contains cmd.dll. So you get a command prompt loaded inside the context of Excel. So I basically took Didier Stevens' stuff. I have my own code signing certificate. I signed all his macros. And I created this tool called OfficeCat, which I gave to this Egyptian dude. It's the Excel file. It's the example of using an Excel file to basically escape out of a kiosk environment. You just open it up, get an open command line, wait a few seconds, yeah, then a command prompt pops up. So this is an example of using a relatively innocent file type to escape out of an environment.

The fourth thing I do is I look for registered URI protocol handlers. So I look for things like mailto, callto, hcp, shell.
I try and install my own browser add-ons, my own browser plug-ins. So iKAT has Java, ActiveX, ClickOnce. Yeah, I've got all sorts of things. And I also look for any internal URI handlers that the kiosk software might have. So is there an admin://? Things like SiteKiosk have their own SK admin URI handler where you can access an administrative interface. Then I try and install my own browser add-ons. I've got all sorts of things. Now iKAT 1 and 2 were full of all these add-ons. I had so many cool little nifty plug-ins. And all of them were unsigned because I didn't have a code signing cert. And the vendors saw this as a great opportunity to fuck with me. So they basically blocked any unsigned plug-ins from being installed on any kiosk. Like, clearly this evil hacker can't afford to buy a code signing certificate. Turns out hackers are really fucking cheap because I had maybe about 12 dollars. Like, oh man, seriously. But it was actually a kiosk vendor who contacted me. And I said maybe we can do a partnership here, and I'll tell you some problems wrong with your software and in return you give me enough money to buy a code signing cert. So I helped them secure their software. I got a code signing cert. So now you'll see that all of my plug-ins, all of my tools, all of my files, absolutely everything I have has been signed by Shiny Soft Limited. So this basically gives you the best possible chance of getting your add-on or your plug-in installed on the kiosk.

The sixth thing I found was that actually it's easy just to crash the fucking kiosk. Because when you crash the kiosk environment, guess what happens? You get to the desktop. Well, that is really damn trivial. It's very, very easy. So Flash, PDF, I mean, how many people have ever had a browser crash on them, right? I mean, it's not difficult. It's very, very easy to pop out of a kiosk using this trick. So I call this emo kiosking.
Now the seventh trick I find, usually once I've popped shell on a kiosk, I try and hack the windshield itself. So windshield hacking is essentially trying to manipulate the GUI environment that's shown to me. So when you are using a Windows desktop, obviously the windows you see are not all the windows that are available on the desktop. A lot of windows are marked WS_VISIBLE equals false. And you might have some really interesting windows here. You might have admin windows. You might have backup software that's running. You might have tools running in the systray which you can't see, but they're still there. So I've developed a whole lot of tools which basically allow you to make them visible, right? Winspies. You click buttons, more windows appear, you use those windows, you escape.

All right, so what's new in iKAT 4? So, firstly, I've been finding that a lot of kiosks these days are deploying more and more SRP. SRP, Group Policy and AppLocker. Really trying to restrict, like, you cannot run cmd.exe or any binary signed by Microsoft. So I was like, okay, all right, how can I get around this? How can I defeat this? So what I did was I wrote a little tool which traversed the entire Windows file system and heuristically looked for any calls checking local Group Policy, or checking if SH is restricted. And if it finds that, it knocks it out. Or it patches it out, all right? So this basically gave me about 100 binaries out of Windows which do not validate local Group Policy. Which is really fucking handy, right? I then took all of these binaries and I relinked them, all right? So by the way, the executable now looks noticeably different. Okay, so two down. Then I signed it with my own code signing certificate. So it's no longer signed by Microsoft. So if you have an SRP policy which says block Microsoft, it's not signed by Microsoft. That's three down. And I'm basically left with a nice little executable that you can run that will just work.
It won't validate anything, nothing blocks it and it just works. So iKAT's now full of this stuff. Yes, there you go. There's another example. Unlocked cmd, two at a time, by showing yourself. I discovered that sometimes there are files on a kiosk that you want to view. Sometimes you want to view, like, creditcards.txt. The only problem is they remove Notepad. There's no text editor, you can't spawn Notepad. So I thought, well, why don't you just upload the file to me and I'll reflect the contents back to you. So you select the file, say I want to view this file, use the file, and it'll send you back the file contents so then you can look at it. So it's pretty handy for config files. Particularly kiosk, kiosk config.cfg kind of thing, that contains admin password equals. Very easy way of retrieving information. Now registry files, system config files. Yeah, it's a pretty handy trick.

Then I decided it would actually be really handy just to wrap Metasploit around this entire thing. Like, what the hey, I mean, Metasploit can help me. So I set up a modification of browser autopwn, called ikat autopwn. Which basically, you know, one click and it uses a download-and-exec payload, and that download-and-exec payload will then try and spawn shells and privesc and spawn shells. So basically you click and then a whole lot of fucking shells appear, is what it boils down to. But it's fully Metasploit on the back end. Now this is handy when you have a commercial kiosk shipping with Flash 6, which came before. This was, like, an up-to-date kiosk product that I found. So I mean, shit like this, it's incredibly easy to Metasploit.

Now I was out drinking with some of my buddies, some of my colleagues, and they said, Paul, iKAT's really fucking awesome. However, there's way too much clicking. I have to do too much work. You know what you need? You need one fucking button. And that button is Pwn. You know what, man, you're right. You're really right.
I kind of scripted and automated everything. So I've got this little page that will basically detect what the kiosk is, find what's installed, and it says okay, well, you want the .NET exploits, you have Java, so I'll give you Java and I'll throw you Metasploit for good luck. So it's even more like one click and a million fucking shells appear. It tries absolutely everything. Yeah, my best ideas always come after drinking. Okay.

So enough talking, right? This is a hacker conference, so we are going to be hacking four different kiosks. These are the latest versions of these kiosks. These kiosk vendors, they've patched their stuff, they've fixed their stuff. We're going to be hacking the NetStop kiosk, which is very common in Vegas. Not that I promote kiosk hacking. Webconverger, which is a Linux-based open source kiosk, just so I can show you guys that Linux products are not more secure than Windows and that you can still see. We're going to hack MyCafeCup, which is one of the most popular in Europe, if you guys ever visit European internet cafes. Then finally we're going to hack Morphix, which is another open source Linux kiosk. And of course we're going to do this all live, unrehearsed. There's no videos. We're just going to fucking hack some stuff. So at security cons we've always been told that before you do a live demo you have to sacrifice a virgin. This luckily is very easy at a glance. Alrighty.

So this is my standard XP desktop environment. I'm going to run up the kiosk program. Anyone here recognize this UI? You've seen this around maybe? Right. I'll get my $5 per inch of the machine. I'm going to surf the internet. Fire up the web. Cool. Now I heard about this cool site, ikat.ha.cked.net. Sorry, this site's not allowed. So this was the first thing that this vendor did. He was like, well, you know, screw Paul Craig. I'm just going to block ikat.ha.cked.net. So, well, I said, I'll screw you. I'm going to set up a DNS wildcard.
So basically anything .ha.cked.net goes to iKAT. Woo! Simple stuff. Simple stuff. Okay. Here we are at iKAT. This is it. So the first thing I really want to see is what's installed, so I'll detect all my applications. So this uses a bunch of different tricks to basically figure out what's installed. Okay, it's told me I have Net.Pro kiosk. I have ActiveX, Java. The .NET CLR is installed and I have ClickOnce support. ClickOnce is kind of a funny thing. Most people don't really know what ClickOnce is. Essentially ClickOnce is being able to deploy a .NET application through a .application file. If you have the CLR, if you have the .NET framework or the CLR installed on your computer, you can run ClickOnce applications. I also have Windows Media Player, NetMeeting, yeah, detected Microsoft .NET Framework 1 and 2, MSN Messenger and Movie Maker. Okay, all right.

Let's start from the top. Common dialogs. Okay, so can I get to a file open dialog? Okay, it's function not supported, security reasons. Can I get to a file print dialog? Okay, I can get to a file print dialog. And a printer. Okay, so I'm starting to, like, try to enumerate all my windows. I can add a network printer. I need to get to a, you know, like, print to file would be the best way, but you can see it's been greyed out. They've tried to disable this. So actually in the print dialog here, we can't get to any common, or good common, dialogs. File save as dialog? No, can't do that. All right, can I, can I get a URI handler popup? Can I use callto? Okay, so I can get NetMeeting to spawn, okay? That's handy. What about hcp? A E E, hcp spawns? Well, that makes it too easy, we're not using command prompt. So really the only thing the kiosk vendor did here is they blocked ikat.ha.cked.net. But no, no, no, this isn't shell! As we can see, the command prompt has been disabled by our administrator. So they're using DisableCMD, which is the local Group Policy, to block me.
So we haven't won yet, don't get too excited. But we're getting close. Okay. Can I download a tool? Because, you know, I've got my own command prompt, and I download cmd to, like, oh, for fuck's sake. Yeah. So unfortunately, they're not nice enough to give me commercial versions of their software. Okay. We can't download things either. Okay. All right. So I know I had .NET installed. Let's just try and run my signed ClickOnce tool. Can I do this? Tick, tick, tick, tick. Launching application. The second I see launching application, I have won. Okay. We wait. This downloads about ten and a half meg of binaries, tools. It basically downloads all of the iKAT suite, everything inside of it, directly onto the kiosk. And then we're going to see if we can bypass the local Group Policy so we can get that command prompt up. Okay. Are you sure you want to install this? Yes. Installing. Okay. Awesome. Now I have iKAT ClickOnce. Okay. I want user shells. Okay. All right. So this tried to do Mark Russinovich's SRP bypass. So we might have bypassed SRP, but local Group Policy stopped us. Okay. This tried to spawn local cmd. That didn't work. This tried to spawn different versions of cmd. It didn't work. And this one, well, that worked. Okay. So now I have shell. Awesome.

Okay. But you know, I'm Paul Craig. I don't want fucking user-land shell. I can't do anything in this. What I want is system. So I just click spawn system shell. Okay. Let's try that again, as we do with live demos. So that was using Tavis' NTVDM trick to spawn a local shell. That actually usually works. That's the first time that's blue-screened. If you guys are interested, I can show you this again. See, since I've run it, it's actually now installed. So I can just run this. We'll just try one more time. Task Manager, processes. And we should see ikat.exe is now running as system. Okay. So I imagine we're still in the kiosk environment. I'm now system. Yay. Yay. Okay.
Now, let me show you guys another trick I found recently. So I showed you the command prompt was disabled, right? We type cmd.exe. We get this. You know, the command prompt is disabled by your administrator. You guys remember command.com? Type command.com. We get this, all right? But we type dir and it says this command prompt is disabled by your administrator. So I was actually sitting at a client site recently and I was thinking, there's got to be a fucking way around this. Because inside command.com, I can do stuff like this. Do cd. I can't do that in cmd.exe. But if I type dir, it doesn't work. Okay. So what about if I typed C colon, pipe 2, dir? Oh, that works. Oh. So that's actually a little Microsoft 0-day there. That's a little trick. So we can use C colon, 4 slash, pipe 2, notepad and Notepad spawns, even when the command prompt has been disabled by my administrator. Thanks, administrator.

Okay. So now we're going to hack a Linux kiosk. It was actually really funny. When I released the first version of iKAT, there was a bit of press about it, like, oh, this Kiwi guy found all these ways to hack internet kiosks. Then this other guy in New Zealand, living in the middle of fuck knows nowhere, came out and said, well, the only reason he can do that is because Windows is really insecure and Linux is way more secure. I'm like, man, fuck you. So I went out to basically hack all of the Linux kiosks because I don't buy that they're more secure. I paused all my VMs. Hang on. I have to just start this up again. I didn't sacrifice enough virgins this morning. Yeah, so I went out to basically hack all of the Linux kiosks, but the trick for hacking Linux kiosks is completely different. You have to try and do something completely different. For starters, you're not trying to pop cmd.exe. This is the first thing I learned, as I'm really a Windows guy. We're trying to pop /usr/bin/xterm. That's the goal, right? The platforms obviously are not IE based at all.
We don't have any of the standard Windows tricks. We have to do everything in a relatively Linuxy way. The kiosks used on Linux are primarily Firefox based, okay? So we've just got to think about Firefox tricks, Firefox plugins, Firefox add-ons. I wrote my own Firefox extension, which will try and hack Linux kiosks based on Firefox or Windows kiosks based on Firefox. And, yeah, I actually had a lot of success. All right, let's go now on my computer, response, 1, 2, 1, 6, 8, 1, 1, 2, 8. Okay. So it's detected a non-Linux Windows kiosk, which I kept. Okay. Let's, first of all, what can I do here? Can I download a file? Can I download? Shit. Can I download? I've got some shells. Okay. I can download files. Okay. But if I download the file, how do I spawn it? Well, Linux users, how do I spawn a file without a start bar? I'm in this restricted jailed environment.

So my first idea was I should reconfigure the kiosk. I should actually reconfigure the whole thing. It's using about:config. All right? You go to about:config, and you get to the whole config of the kiosk. I'm like, okay. Maybe I can hijack something. I can hijack something to sort of detour and run /usr/bin/xterm. It's a really simple trick. So let's say, like, I'm going to look for the printer. We'll go for the printer. I'll look for lpr. Okay. So we can see the printer here is lpr, MOS, print name, MOS. The printer is /usr/bin/xterm, printer is /usr/bin/xterm, look it back, common dialogs, file open, file print dialog, yeah, print that, very, print it. All right. So once again, though, we have shell and we're basically a non-privileged user. I can't do shit with this. This isn't enough for me. So because we can download files, let's get root. Okay. So I have this thing called get root. Let's download this, save this to disk. And then we'll go back and print the page again, pop another shell. Where would it download to? I'll just download it again. This can be faster.
So now we've got root on the kiosk and it's zero. But it was actually particularly easy because this kiosk is still shipping with 2.6.15. So yeah, not very up to date.

All right. Let's hack another Windows kiosk. Let's hope for some better results this time. Okay. So this is this kiosk. We've got to log in to the kiosk, log in. Okay. All right. And now we see we've got this timer down the bottom. It's like, yeah, you've got $990 left. This is your environment. We'll basically get a Windows environment. Okay. We try and pop the shell. Okay. It's been disabled by our administrator again. Okay. Sweet as. So let's run up a browser. We get standard IE. We'll get iKAT. Let's see. Let's see. Do you down there? Let's see. iKAT. All right. So the trick here is, what have they stopped, or what haven't they stopped? So can I download files? Can I download this file? I can download files. So you know, I think they're actually thinking that since they block cmd.exe, or disable cmd, that you can't pop shell because cmd validates DisableCMD. But my cmd.exe doesn't validate DisableCMD. Now I have shell. That's too easy. That's way too easy.

What I want to try here is that I actually want to get someone else's account. I want money. You see the logon thing at the beginning? Yeah. I'm going to go for that. So what I'm going to try and do is I'm going to try and hack the UI shell. I'm going to use this make visible tool. I'm going to look at all the windows that are currently on screen, whether they're visible or not, and see if I can make them visible, fuck with them at all. Now the reason I want to do this is because of this thing sitting in the corner. This tells me that there's actually a whole lot of interesting processes. There's a lot of stuff running here that I probably can't see. So this shows me all the windows, and obviously all the ones that are highlighted are currently visible. Scroll down. Scroll down. What's on here? Okay. Logon. User code, password. Oh. Sorry.
Sorry. What's this? User rates. Users. Oh. Right. Okay. Let's add a user. Defcon 2. So basically how the application works is that when you log on to the application, use the correct username and password, it makes this window visible. Well, that's fine. I'll just run my little tool which makes the window visible. I don't need to log on to the application. Yeah. We basically have, yeah, we have full access to this. And try for good measure. Can we get system? Yes. Thank you. It's better. Well, it works with system. Task manager doesn't, no, task manager doesn't want to come up. But anyway, we have system. So that's another kiosk done. Then we got all the usernames and some passwords and we can add ourselves another account. Let's do another one. This one's a Linux one. So we've got a bit of a problem with this one. To be honest with you, I had hacked all the earlier versions of Webconverger. And I quite enjoyed hacking Webconverger. Then I read their website one day and in one of the support KBs, there was this guy who posted, like, oh, I found all these security issues with Webconverger. And he basically listed all of my tricks, everything that I had been doing. And asked the developers very kindly if they could fix it all. So they went out and they fixed absolutely everything. He's like, man, fuck you. So I downloaded the new version. I sat down and sat down with a coffee and I was like, I'm going to get this. I'm going to totally, totally get it. So, okay, what can I do? How I'd hacked this originally was that I was using my iKAT Firefox extension. I'll basically say install extension. The software installation has been disabled by your system's administrator. Okay. Or I would just download files. So I'll download like this. It doesn't fucking work anymore. I can't download shit. All right, okay. Can I disable this thing? Yeah, I'll be careful, I promise. Can I disable XPInstall? xpinstall.enabled, Boolean, false. Status locked.
So basically they have a file set which says you can't modify this and you can't install software. Awesome. Okay, so I can't really, I can't do anything with this. I'll say, what do I do? What do I do? So I think what are the chrome resources do I have that I can potentially mess with? So these are all the internal chrome URLs. So you access like this page. chrome global content config is about:config. We can access the plugin install wizard. We can access tools options. I didn't really find much until I got to this. Safe mode. It's like, okay, I ideally want to get rid of Webconverger. I have to disable this crap because I can't download any files. So I'm going to safe mode. Okay, disable add-ons. Reset toolbars. Yeah, reset. Disable, disable, disable. Let me change this restart. Okay, and now it's disabled. Webconverger. So now, well now I can download files to begin with. And there's no more Webconverger. So this is a good start. But I don't have shell. I don't have shell. I'm without shell. I mean really, what the fuck do I got? It's okay. I need to pop xterm. All right. So I went about like, can I pop xterm? So /usr/bin/xterm, they deleted xterm. Like, ah, dude, how else do I do this? They break my balls, man. So okay. All right. Now I can download files. I'll just download xterm. I'll save download xterm. Okay. And then I need to download a loader. Because of course files I download will be marked non-executable. So I've got to download a loader as well. So download xterm loader. Okay. Of course we need. Okay. Now I need to find a way of getting home, webc, xterm loader dot sh to run. Okay. So I go back to about:config. Now because I have disabled Webconverger, I have my right click context menu. One of the best things in my right click context menu is view page source. So I'm going to hijack the page source viewer. Yeah, I'll be careful. All right. Source. Okay. So my editor is external, true. So they didn't lock any of these settings.
And my editor's path is home, webc, xterm loader dot sh. Go back and see if that works. Page source. Now that didn't work. Okay. Let's, of course, I can't just run the .sh. I've got to have a, so my view source editor is /bin/sh, which is going to run home, webc, xterm loader dot sh. That's better. Sure. Fuck you. So there you go. As you can see, it's pretty goddamn easy to hack kiosks. And I hacked four of them right in front of you. Okay. So collaborations and donations. iKAT is obviously a very open source project. It's free to you guys, but sadly it's not free to me. My code signing certificate will need renewing. My hosting is not free. My domain names are not free. I openly ask for donations. A little PayPal donate link. Please don't be cheap. If you like iKAT, if you've ever popped a shell with iKAT, give me five bucks. Okay. So some other goodies. I mentioned that I've been working on photo kiosks. I came up with this thing called iKAT Photo, which is basically you can stick on a little memory stick, a little flash card, stick it into a photo kiosk. And it exploits autorun.inf, all the LNK vulnerabilities. It has all the tools on the USB. So basically you put it in, you try and browse the device and it'll either crash and give you the desktop or give you a shell or the on-screen keyboard. So it's pretty handy. Pretty handy to keep on you. I also have iKAT Portable, so you can download the entire thing of iKAT. If you want your own version of iKAT, if you're doing a pen test internally and you want to have your own server running, you can download it. One big archive, it's all there. Okay. I've been working on something quite interesting at the moment. I've been working on a Teensy++ iKAT dongle, the USB dongle. This sort of, I was inspired by the PS3 USB malloc exploit, which basically uses the same piece of hardware. The idea is that can I attack a kiosk using the USB plug? Can I attack it using the one thing I haven't tried?
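The Webconverger demo above turns on one detail: xpinstall.enabled was locked, but the view-source editor prefs (and, on the earlier Linux kiosk, the print command) were left changeable in about:config. As an added example, not code from the talk or from any kiosk vendor, here is a small audit of a Firefox autoconfig file (mozilla.cfg) that checks those prefs are present, set with lockPref(), and locked to a safe value; the pref names are real Firefox preferences, the policy table and both sample configs are constructed for illustration.

```javascript
// Added example: audit a Firefox kiosk autoconfig (mozilla.cfg) for the
// preferences the talk shows being abused when left unlocked.
// Pref names are real Firefox prefs; the safe values and sample configs
// are a constructed policy for this illustration.

const REQUIRED_LOCKS = {
  "xpinstall.enabled": false,            // no add-on / extension installs
  "view_source.editor.external": false,  // "view source" stays inside Firefox
  "view_source.editor.path": "",         // no external editor binary to point elsewhere
  "print.print_command": "",             // no shell print command (Unix builds)
};

// Matches lines such as: lockPref("xpinstall.enabled", false);
const LINE_RE = /^\s*(lockPref|pref|defaultPref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$/;

function parseValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  const m = /^"(.*)"$/.exec(raw);
  return m ? m[1] : raw;
}

// Returns one finding per required pref that is missing, set but not
// locked, or locked to a value other than the safe one.
function auditAutoconfig(cfgText) {
  const seen = new Map(); // pref name -> { fn, value }
  for (const line of cfgText.split("\n")) {
    const m = LINE_RE.exec(line);
    if (m) seen.set(m[2], { fn: m[1], value: parseValue(m[3]) });
  }
  const findings = [];
  for (const [name, safe] of Object.entries(REQUIRED_LOCKS)) {
    const entry = seen.get(name);
    if (!entry) findings.push(`${name}: not set, user can change it in about:config`);
    else if (entry.fn !== "lockPref") findings.push(`${name}: set with ${entry.fn}(), not locked`);
    else if (entry.value !== safe) findings.push(`${name}: locked to ${JSON.stringify(entry.value)}, expected ${JSON.stringify(safe)}`);
  }
  return findings;
}

// Constructed weak config: installs locked off, editor prefs left alone (the case in the talk).
const WEAK_CFG = `//\nlockPref("xpinstall.enabled", false);\npref("view_source.editor.external", false);\n`;

// Constructed hardened config: every pref in the table locked to its safe value.
const HARDENED_CFG = "//\n" + Object.entries(REQUIRED_LOCKS)
  .map(([k, v]) => `lockPref("${k}", ${JSON.stringify(v)});`).join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditAutoconfig(WEAK_CFG));     // three findings
  console.log(auditAutoconfig(HARDENED_CFG)); // []
}
```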
So, the trick with the USB dongle is that I can simulate any other USB device. Okay. So the first thing that comes to mind is that I can simulate a keyboard. Yep. So I can send the keystrokes to pop up Notepad, type out the contents of an exploit, save the exploit and then run the exploit. I can do this from my USB dongle. But that's not actually that cool. The thing I've been looking for is a way to get free internet access. I don't want, actually, I'm sick of paying $5 to pop a shell on a kiosk. So, I can simulate any USB device. Keep that in mind, any USB device. Okay. Meet the Microcoin QL coin and note validator. This is based on a TL4 USB serial chipset. Basically, this is a USB device. You put money into it and it sends a USB signal. Serial basically says, dude inserted $10. The iKAT dongle, yep, you guessed it, goes through cycles and simulates all of these things. It tries like, on this one, now this one, now this one. So the idea is that if you have a USB interface exposed, you can plug it in and hopefully it'll say, user just inserted a million dollars. And then you have all the internets you ever wanted. So hopefully I'm going to be releasing this towards the end of the year. My problem is that I need to collect all of these coin and note validators. Which are actually quite tricky to find. And the vendors are not so keen on sending them to me. That's it. I mean, in conclusion, I am totally fucking addicted to hacking kiosks. This is something that really, yeah, really consumes me. If you're interested in either donating to the iKAT project or you have an idea or a concept, you think you know something that's cool about hacking kiosks, come up afterwards, chat to me, tell me your stuff, give me your stuff. Yeah, otherwise you can buy me a beer. I'll give you around here. Thank you very much, DEF CON.