This is Kevin Sheldrake. I've seen Kevin speak a bunch of times. An interesting guy; has a lot of interesting security knowledge and practices, and he's decided to apply that to some more accessible technology here, and he's going to talk to you about taking over the world with Scratch. So please welcome Kevin.

Thank you very much. Wow, that's loud. Thank you very much. My slides have appeared on the screen. It looks very blue from here. If it says "Taking Over the World with Scratch" then we're good. Okay, that's almost it. See, when they said "drawn first on", I thought this is a great idea, because I can't be drunk at this point of the day and therefore this talk will go... Excellent. Okay, so I am Kev and I'm talking about taking over the world with Scratch. I've been asked if I can do this quickly so that they can gather some time back during the day, so I'll talk fast, but don't worry, come and ask me questions afterwards if you like. I work as a hacker for a company. I hack into things and I research hacking tools. That's my kind of job, and in my spare time I build Lego. This is Scratch, and what I was interested in was: can we connect it to, say, MIDI instruments, or make it talk out loud, or connect it to Lego, or possibly even use it as a hacking tool so that we can hack into other people's computers on a network? What could you actually do with Scratch, was my kind of thought. So I got to work on the hacking bit, because I thought that was the fun bit, and managed to get it published in this article in PoC||GTFO issue 0x18. You can find my "Fun Memory Corruption Exploits for Kids with Scratch"; it actually made it into the journal. So I'm very proud, and that gives it some validity, but we'll talk about the other stuff first. So let's talk about Scratch. This is Scratchy, or Scratch Cat. I'm sure a few of you will be aware of the Scratch Cat, or Scratchy. He's going to appear all the way through. Scratch is developed by MIT.
There's a couple of different versions, so version 1.4 is still around and supported. Version 2 is the one that I use, and you can get an offline version of that which is written in a different technology, and version 3 is on the way. The last time I looked it still wasn't operational, but when it comes it will be written in HTML5 and JavaScript and it will probably be more whiz-bang and much better. It's taken a good 10 years to get from the first version to the second, given some leeway to get to the next one, but it's been around for a long time, Scratch. Normally you do it online, so you use your web browser to go to the Scratch website and then you can just start typing Scratch. You can start scratching, as the terminology is. But when my son wanted a computer, he wanted to upgrade from ScratchJr on the iPad to Scratch on a computer, I decided that the internet wasn't quite ready for him and I should protect the world from my son, so I didn't give him internet access. But in order to give him Scratch I found there's an offline version which will run on your computer, and that has experimental HTTP extensions, which always sounds... anything experimental sounds exciting, so I thought this has got to be something worth investigating.
We'll talk a bit about what Scratch looks like. So I haven't got a laser pointer or anything, so I'll describe things. But on the left of the screen you've got the stage, which is where your game or your application is kind of running. Down the middle you've got all your tools, all your blocks, organised into 10 categories. Here we're looking at motion blocks, so you can move a sprite, turn it around, point it in particular directions, etc. etc. And then on the right you've got the code behind that particular sprite. So the sprite that's selected there is the turtle; this is the code behind the turtle that makes the turtle work. It's kind of object-orientated in the fact that every sprite, and the stage itself, all run code concurrently, and it's kind of event-driven, so you can see each section of code starts with an event. Most of those events are "when I receive a particular message", and so there's a message-driven kind of system where different objects can send messages and different ones can receive them, to know that stuff's happened.
If we look at the data section of that sprite, you can see that there's blocks essentially for all the different variables defined for that sprite. Now two of them are ticked; that means that they're visible on the screen, on the stage, so apple count and coin count are actually the two zeros underneath the star and the apple on the left. And those variables can be local to the sprite or global to the whole application. So if we move on to a different sprite, the maze, you can see that some of the variables stay the same. If I flip between, you can see only the apple count and coin count are common between them. That's because they're global variables, not because they're ticked; tick just means that they're visible. But they're global, so every sprite can access them, reading and writing to them; otherwise your variables are local to the particular sprite or the stage. And you can see that they have different code; each sprite has its own set of code. So what we can say about Scratch is that we have variables which are either global to the entire app or they're local to a particular sprite, and we have blocks which are basically procedures, so they don't have any return values, so everything you do is by side effects. So you're modifying variables that are, like, global to the sprite, or you're modifying variables that are global to the whole application. There's no kind of "I want to call something and get back an answer"; you kind of have to set a variable as a side effect and then read the variable, which makes it a bit weird. So I mentioned experimental HTTP extensions. Don't worry about the word experimental; it does actually work. The way you get access to that on the offline version: normally you would click File to get to the file menu; if you shift-click it you get this super secret file menu which includes, among other things, "Import experimental HTTP extension". Now it's not a widely documented API, but it is documented; you can get to it. The way it works is you end up
running a web server on your local machine on a particular port. It has to be on your local machine; it can't be across the network. And that will generate an s2e, a Scratch-to-extension file, which describes the extension, and that's the thing we're going to load when we import the experimental extension. And then that will give you extra blocks in the More Blocks section. When you use those blocks it will make an HTTP request to that localhost web server to say "I want you to run this block with these parameters". In order to access the variables that the extension offers up, it polls it 30 times a second over this HTTP interface, which is mad, but that's kind of the way it does it. There's no other way of getting there, because everything's a procedure; there's no return value, so it kind of just keeps on polling. So, kind of pictorially, it kind of works like this: you could make Scratch run a procedure that's in your extension; that could modify a variable as a side effect, and then it will poll those variables 30 times a second, so the variable will have changed almost instantaneously in your Scratch environment, and then you can act upon the value that got changed. You might have to have some state variables in order to know when something has changed, in order to know to read the answer, for example. Now the sort of thing this is useful for is robot arms. I think that's what all Scratch extension frameworks are kind of designed for, and the idea there is that you're either moving the arm, moving the motors that make the arm move, which have no return values (it's just turn motor on, turn motor off, change speed, et cetera, change angle), and then we have things like limit switches, which are the reported variables, and again you want to know when you hit a limit switch pretty soon, hence the idea of polling 30 times a second. So you can sort of see that that's what this is sort of built for. But I thought, what if I kind of plug in a MIDI instrument and I create
blocks that turn on notes or turn off notes or send change events? Could you do that? Well, we did, and it works, and it's not the best sequencer in the world, but you can write a sequencer in Scratch. And more interestingly, if you're writing games in Scratch you could plug in something like an MU50 or some other kind of outboard module you can pick up on eBay, and you can have really great sound effects for your games. You might not be wanting to, like, program music, but you might want a few bangs and zaps and helicopter noises and stuff. Equally, could you make it talk? That is another thing: my laptop can talk; why can't we have Scratch actually speaking out loud? Another one was Lego. So we have a lot of Lego, me and my son, and we have motors and infrared controllers, and that was kind of one of the places where we started, which was: could we get Scratch to control those motors? Because that would be, like, quite a lot of fun, getting outside of Scratch and actually making something in the real world happen. And finally, can we turn Scratch into a hacking tool and break into somebody else's computer? Because why not, you know; if technology is there to be abused, let's abuse it, you know what I mean. Of course the fun thing for that is that if you're writing data to a socket, that could be a procedure; if you're reading data from a socket, you kind of do it as a procedure, which means read from this socket and put the answer in a variable, and then set a state variable to say you've done it, and then check the state variable to see that your answer is in the buffer, and then read the buffer to see what you got back, polled 30 times a second. It's a perfectly sane framework. So now, writing these extensions is actually quite easy because someone wrote a Python module called blockext, and you can get that from GitHub. It's the best way to install it. I wouldn't install it from any operating system packages; I would literally go to the GitHub, download that or clone that repository, and run
the setup.py, and it will install and it works perfectly. Any other way I've found doesn't work so well. And it says on their GitHub that this is abandoned and, like, no one is supporting this anymore, but it actually works, so honestly it's useful. And they link to a tutorial which will explain how to do everything, which I'm going to touch on briefly as we go. So this is kind of how an extension looks in Python. So at the top we're importing that extension, blockext. The green bit is our class that we're going to define, which is going to be all of our extension's program, essentially: variables that we're going to expose, procedures that we're going to let Scratch call. The yellow line is the descriptor; it describes the extension to Scratch over the API. And then the next bit at the bottom links the descriptor to the object and then runs it, so that it appears as a web service so Scratch can talk to it. So I'll give you an example of how easy that actually is. So that all looks a bit complicated, but it's actually pretty straightforward, and I'm going to use say. So if you have a Mac you'll know that if you type say and then a message, it will speak it out loud. If you don't know that, you should definitely do it, especially if you log into somebody else's Mac remotely over a network when you're not physically there and you make their Mac talk to them; and Whisper is one of the voices, which is especially creepy. So the example: my Say object only has one procedure, which is say, because that's the only thing I'm going to do, and it takes two basic arguments, the statement you want it to say and the voice you want it to say it with. And if you haven't set the voice it will set it to Alex, which is one of the default voices, and then it literally calls out to the operating system and runs the say command; -v selects the voice, and it literally says whatever you ask it to say. So that's the whole of the object. The descriptor is slightly
longer. The descriptor tells Scratch what it's called, what port it's running on, what blocks it's offering, which is essentially one block per procedure in your object, or exposed procedures in your object, and then the dictionary lets you create drop-down boxes in your Scratch command. So in the block description it says "say %s with voice %m.voices". So %s means put a string in there, so there'll be a box where someone can type in words, which will be the message. %m.voices means we'll have a drop-down menu and it'll be called voices, and in the bit at the bottom of the dictionary, voices runs this crazy command which will go and collect me all the voices that say can say that are English. So we'll have a drop-down menu of voices. And so that is the whole of the code for the say extension, right, and the white bits are pretty common to every extension. All we've done is created an object and created a descriptor and joined them together. That's literally it. So when you run it up you can then browse to the port it's running on, so port 5000 in this case, and it will give you the option to download the extension. I don't know what a Snap block is; I don't really care. But this Scratch-to-extension file is the one, that's the s2e file; that's what we'll load into Scratch under the experimental extension. So let's do a demo. Here is Scratch; there is my Scratchy, Scratch Cat, no, from my mouse. So in here, if I run my extension, which is that one there, it's listening on port 5000. In Scratch we can shift-click File and "Import experimental HTTP extension", and it's going to be that one there, the s2e file; I've already extracted it from the web server. And now I'll just close him up a little bit. In the More Blocks section we've now got one extra block, which is "say a message with voice", and then a voice. So let's make that, then, and then we'll make an event: when the space bar is pressed, say that message with voice Alex. And so I can hit it... oh, I don't have any... why
don't I have any audio? Oh no, since they plugged in the HDMI I've lost my audio. Right, one second. This is clearly a well-tested setup, as you can tell. I guess you can still see the Scratch stuff. Yeah, okay, I'm sure... how we go, for... do that and go back to here. "How does this make you feel?" Which is a joke, obviously. Thank you very much. If we change voice: "How does this make you feel? How does this make you feel?" And we can select a different... "How does this make you feel?" So, and there you go. So from Scratch we can now make my Mac speak. And on Linux we can install speech libraries and we can do the same thing on Linux; on Windows you can do the same thing if you install something that will make Windows speak. But as you can see, the Python extension was pretty trivial, the actual amount of Scratch we need, really trivial, but now you've got an extra element to your game or your application: Scratch is now talking to you. So we cut back to the slides. I say we cut back to the slides. Right, so now, how do Lego Power Functions work? Lego Power Functions are the things with infrared controllers. So there we've got a simple controller and a speed controller. So a simple controller has forwards and backwards for the red channel and the blue channel; the speed controller has rotary dials where you can dial up the speed or dial down the speed, even into reverse, for the two different channels. And they talk to that infrared receiver, and that controls motors, for example; could be lights; I believe there are other things that you might be able to control. We want to control this from Scratch. So I'll try and go through this a bit faster than I have done so far, because I'm probably running behind time now. I wanted to listen in to that infrared communication between the controllers and Lego in order to work out how it works, so I could do it myself. So I used this thing called an IR Toy from Dangerous Prototypes. It costs about 20 quid. It's a kind of simple little tool you can use for listening
in to infrared. Their software doesn't work very well on Linux; it's written for Windows and it uses Code::Blocks, which is a horrible kind of environment to compile in. But if you just write some Python you can talk to the IR Toy directly from Linux. So here the yellow bit is setting up the serial port, the green bit is initialising the IR Toy, and the red bit is just reading data that it's seeing. And then point your controller at it, push a button, and see what happens. And what happens is you get a load of hex, which on first view doesn't seem to make a lot of sense, but I noticed that it's a lot of 32-bit words; in fact it's a lot of 16-bit words, but all of them in pairs, with the upper byte of these 16-bit words being zero, right? So there's clearly timing data of some sort, and if you looked at the last byte of each four-byte sort-of word, that was the only byte that was really changing, and you can see it changes from about 0E to about 1B, and so clearly that's going to be ones and zeros. So I knocked up a bit of Python to turn that into ones and zeros, and you get this, at which point we then do what we call byte staring, or in this case bit staring. So here I've got red up, channel one, and red off, channel one, but in actual fact I would have had every different button combination I could think of, so that I could see the binary and compare them and work out how it worked. I won't go into the process of how I worked out how it works, but I did work it out, and we'll describe it very quickly. So first of all, there's four nibbles, and you can see only a few of them change depending on what you're doing. The first nibble tells you the channel number and if a button is being pushed, or if no button is being pushed, or multiple buttons are being pushed. If you push two buttons at once you get a zero zero; who knows why, but you do. And the channel number 0 to 3 represents channel number one to four on the actual devices. The second nibble didn't change. The third nibble tells you
the button state, this is for the simple controller I might add, where you've only got up, down. So you could theoretically send a message where the blue was up and down at the same time; I don't know what would happen, I haven't even tried it to find out. But essentially it's a button mask; that's pretty straightforward. And the fourth nibble is just a checksum, so we XOR together the first three nibbles and invert it; that gives us the fourth nibble. And all that's doing is making sure that the data arrived correctly; it's got some integrity, so we know that there hasn't been a mistake in transmission or reception. So if we had the red off one, you can sort of see that that fits that protocol. The speed controller's slightly different. So you've twisted around and you get these kind of patterns. Notice that for increasing we've got two different kind of patterns; the first bit changes, and I'll explain that. The first bit of the first nibble is a change indicator, and so only when that change indicator changes does the message get processed by the receiver, which means you can send the same message multiple times and only one of them will be acted upon by the receiver. So you've got message reliability that way. So every time you click one of those rotary dials it sends the same message three or four times, and the receiver only receives it once, and then when you click it again it sends roughly the same message but the change indicator will flip from a one to a zero or from a zero to a one. It's quite clever; I quite like it. And then within there you've also got the channel number. The second nibble tells you if it's a speed message, like you've changed the speed, or if it's a stop message, as in you've pushed the red stop button, and the fourth bit tells you which channel, red or blue. The third nibble again tells you if it's a speed change or a stop message (I don't know why they doubled that up, but they did), and the fourth bit tells you which direction that control is
going in, clockwise or anticlockwise. And then the last nibble is a checksum, exactly the same as before. So that's just kind of to clarify, just to show it off. So once we've got that, can we transmit messages? Well, I tried transmitting with the IR Toy and it kept crashing. I don't know if it is the way I was talking to it, I don't know if I was talking too fast, if I wasn't quite talking the right protocol, or whether the IR Toy just didn't really like me or something was wrong with the code, but ultimately I needed to find some other way of transmitting. So I banged together a circuit on an Arduino, and it's simply a high-power infrared LED with a transistor circuit to drive it, coming off pin D3, which is important because I was using the serial control... the IRremote library, sorry, to actually transmit the data, and that always uses pin 3 on a Nano or Pro Mini. And I implemented a single-byte protocol. So their protocol was two bytes, 16 bits, and there's problems with multi-byte protocols because you have to know whether you've got the start of, yeah, the right bytes. You know, any multi-byte message system, you need to have some kind of infrastructure around it to know when the messages start and end, and check that you've actually got a proper message, and all those sort of things. With a single-byte protocol you get a byte at a time; you can check if that byte makes sense and you can act upon it. Now I could have, and I've since been introduced to, BlueChip's serial control library, which, if you're writing anything to do with Arduino, lets you do multi-byte messages in a really human-readable form and lets you control your thing like it's a router or something. It's a much better protocol. You can get it; it's a plug for his GitHub; it's really good and it works and it makes everything really simple, but I didn't know about this at the time so I didn't use it. If you are thinking about implementing these kind of protocols, here's a
simple lookup chart to work out which kind of way you should be implementing your serial protocol to your Arduinos. Clearly, don't make a multi-byte protocol yourself; other than that, either works fine. So my single-byte protocol kind of looks like this. I actually only use seven bits out of an eight-bit byte. Bit six tells you which colour, which channel we're using, red or blue; the green bits, four and five, tell you which channel it is, 0 to 3, essentially one to four on the actual equipment; bits two and three tell you, if it's the simple protocol, that the button's being pushed up or down, otherwise it's one one, meaning it must be the speed protocol; and the blue bits, bits zero and one, tell you in the speed protocol whether it's going clockwise or anticlockwise, or it's one one to say that it's a simple protocol. So basically I've squeezed the simple protocol and the speed protocol all into a single byte which I'll just send to my Arduino; then my Arduino makes the right Lego messages and sends them out. So I have a demo. I didn't bring any Lego with me because all of our motors and infrared receivers are involved in a very complicated radio remote control car at the moment that's not quite finished; my son would have probably killed me if I'd brought the Lego with me. But I do have some demo videos. So this is Tom's sea monster ride for a fairground, using Lego motors and linear actuators to make the thing go up and down, programmed and running from Scratch; in fact there is the Arduino and a serial converter. And this one is... I've got multiple videos showing the same thing. This is Tom's automatic crossbow. So I particularly like this one, because when we first... you know what happened was, Tom said "can you make something so we can control our models?" and I was like "yes", and then six months later I finally did it, and then he was too busy in Minecraft at the time, but some months after that he was like, "Dad, have you got that thing
that... should we control the motors?" and I was like "yeah, yeah, yeah"; I think I was really excited, took it round: "what have you built?" And it's like, "I've built a motorised crossbow". And so he's put all this together by himself. He's using the linear actuators again. It's an amazing thing. So from Scratch it will elevate to a random elevation and then fire the bolt. That's kind of cool. So I'm particularly proud of that. We all like the fact it says "police" on the side, like this is the future of law enforcement, you know, RoboCop style. But it's quite powerful and it's quite good fun. So these are the sort of crazy things. We've actually made a lot of other weird, wonderful things with Lego, but that's some examples. So, hacking with Scratch. We'll quickly talk about hacking with Scratch. I made an object, an extension, that lets me do things: I open sockets, read from sockets, write to sockets, bind to sockets, so that I can talk to the network from Scratch, which you can't normally do. And I built a descriptor that describes all those blocks so that we can talk to Scratch, and you get blocks that look kind of like this. So you can sort of create a TCP connection to a particular host on a particular port, for example, and then send it some data. These are the More Blocks, where they appear in Scratch. You've got procedures, predicates and values. So values obviously give you back a string or a number, predicates a true/false value, and they have different shapes so they obviously fit into the right places in Scratch, and the procedures are the things where we instruct Scratch to do stuff, like create a socket or write to a socket or something. And so the way I've got it set up is: the web server on localhost running blockext is the extension, exactly the same as that say demo or the Lego demo; it's literally plug in the Python and run the thing up, and then you've got these extra blocks you can use, and then that's going to connect onwards to a
virtual machine running TinySploit, which is produced by Saumil Shah of Net-Square under the Exploit Lab workshops, and I've got Saumil's permission to use it for these kind of demos. And so on there, there is a vulnerable web server which we could possibly attack. So, now, shall we quickly do the demo? Because why not. So if we kill off the say extension and we run up the socket extension, coming here... Now I won't go through the entire work of how you find a bug and then start exploiting it, but if you read the paper in PoC||GTFO it's all in there to explain how to do this sort of stuff. But what I'll quickly do is load in some stuff. So, Scratch demo; we need to do that. As you can see, it's quite a bit of Scratch in this particular one. What I'm doing is sending a buffer of changing values to a web server to see where it crashes. When it crashes I'll be able to find it in GDB. So there's my actual machine, hello. Right, we'll quickly connect to the web server with a debugger and then we'll quickly send this. So we need to fill in the... oh, have I got an IP address? That was a good point. If I don't have an IP address we might have to skip this. Ah, okay, tell you what, because I want to speed things up, I'll skip that and we'll go back to the... So what you're seeing on the screen here is the exploit itself. As I say, I can do a demo, and if you come and hassle me later, if you want to see it, I can show you it live, how to do this. But from Scratch we did all the work of crashing the service on that virtual machine, and then crashing the service with a pattern buffer so that we can see where it crashed, what the instruction pointer was pointing at at the time, what was on the stack at the time, take those values and plug them into an exploit, and got shellcode simply off Exploit-DB and chucked it into a variable in Scratch. Had to modify the shellcode, because all the shellcode on Exploit-DB expects bash to be the shell, and in my virtual
machine it was BusyBox, which needs an ever so slightly different type of shellcode. But, you know, bung it all together and put in the right values, and before we run it you can see this is the virtual machine's network services. So we can see that we've got two services, echo one and echo two, and we've got a web server on port 80 and an SSH daemon on port 22, nothing else running. When we run it, this is all the exploit going through the Python. That bit is a whole load of NOPs to fill up the buffer to get to the point where we can overflow the buffer; that bit there is the return address and a whole load of shellcode, and underneath it's a load more NOPs just to sort of make sure the thing definitely crashes. And then we go back and look at the network services listening on the box again. There's one extra service there on port 1337, which is the elite port, clearly. This is my exploit running, and that's the shellcode running. So of course then what you would do as a hacker is you'd connect to that port using netcat or telnet or something and interact with it. But of course we're in the world of Scratch; you know, we don't have netcat because we're not touching the operating system, so we write our own netcat, and that is the whole of the Scratch you need in order to transmit and receive from sockets. All right, so that runs in a loop: you type a command, it brings back the result and spits it in. So if I just make this screen a bit bigger so you can see: this is me logged into TinySploit over port 1337. You can see what kind of Linux it's running, you can see it's got BusyBox, I've catted the password file. And so that is actually an exploit running from Scratch in TinySploit. So to wrap up, basically Scratch is really interesting as a language. It's really interesting because you don't think it can do very much until you start playing with it, and then you realise that if you extend it you can make it do pretty much anything that you can
make Python do. So there's actually quite a lot of cool stuff you could do with Scratch. But the fact it doesn't have any functions means it's a really bad programming language. It's like learning BASIC on a Spectrum back in the day; you know, you learn a lot of bad practices because you're not thinking functionally. But, being, you know, it just makes it quirky and interesting. Obviously we will use bad programming languages, I guess. You write the extensions in Python, but really trivial Python, like you saw in that say example; not a lot of Python to actually write, which can be a gateway for kids getting from Scratch into other programming languages, because once you start writing extensions you get used to writing Python; maybe you'll start writing stuff in Python, perhaps add GTK to it, you can write full apps. And if you want to do the whole hacking thing, maybe you start learning some x86 machine code. I mean, I went from BASIC on a Spectrum straight to Z80 machine code as a kid, and then to 8086 machine code. I don't see why anyone couldn't go from Scratch to machine code. Why not? So it's a lot of fun and I definitely recommend that you have a look. My GitHub has the Scratch code on there, and the slides, and that's my email address. I'll be around all weekend; come and find me if you want more of a demo. Thank you very much.

Thanks so much, Kev, for such a fascinating talk. I've been using Scratch with kids, and yeah, the possibilities are obviously endless, right? So unfortunately I don't think we're gonna have time for questions right away, because we need to get to our next talk, but if you want to come and talk to Kev, where can we find you? Around and about; just look for me. All right, in the bar straight after this? Okay, that sounds like a good place. All right, thank you so much. Please give another round of applause to Kev.
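The Lego Power Functions frame Kev decodes in the talk (four nibbles: change indicator plus channel, mode, button mask, then an inverted-XOR checksum, with the receiver acting only when the change indicator flips) and the seven-bit serial byte he sends to the Arduino, worked through in Python as an added example; this is not Kev's code or anything from his GitHub. The value of the simple controller's mode nibble, the red/blue positions inside the button mask, the polarity of bit six, and the two-bit up/down and direction codes are assumptions the talk does not state.

```python
"""Lego Power Functions IR frames and Kev's single-byte serial protocol.

Added example, not Kev's code.  A PF frame is four nibbles:
  N1 = toggle (change indicator) bit, escape bit, 2-bit channel (0..3 => channel 1..4)
  N2 = mode (did not change on the simple controller)
  N3 = data (button mask on the simple controller)
  N4 = checksum: XOR of N1..N3, inverted, kept to four bits
Layouts the talk does not state are assumptions and are marked as such.
"""
from dataclasses import dataclass

def pf_checksum(n1: int, n2: int, n3: int) -> int:
    """Fourth nibble: XOR the first three together and invert (4-bit)."""
    return (~(n1 ^ n2 ^ n3)) & 0xF

def pf_frame(n1: int, n2: int, n3: int) -> int:
    """Pack three nibbles plus their checksum into a 16-bit frame."""
    if any(not 0 <= n <= 0xF for n in (n1, n2, n3)):
        raise ValueError("nibble out of range")
    return (n1 << 12) | (n2 << 8) | (n3 << 4) | pf_checksum(n1, n2, n3)

@dataclass(frozen=True)
class PfMessage:
    toggle: int   # change indicator: top bit of N1
    channel: int  # 0..3 on the wire, channel 1..4 printed on the devices
    mode: int     # N2
    data: int     # N3

def pf_decode(frame: int) -> PfMessage:
    """Split a frame into fields; reject it if the checksum does not match."""
    n1, n2, n3, n4 = ((frame >> s) & 0xF for s in (12, 8, 4, 0))
    if n4 != pf_checksum(n1, n2, n3):
        raise ValueError(f"bad checksum in frame {frame:04x}")
    return PfMessage(toggle=n1 >> 3, channel=n1 & 0x3, mode=n2, data=n3)

def pf_encode(msg: PfMessage) -> int:
    n1 = (msg.toggle << 3) | (msg.channel & 0x3)  # escape bit left clear
    return pf_frame(n1, msg.mode, msg.data)

# Simple controller: N2 is fixed and N3 is a button mask.  Assumed layout:
# low two bits red, high two bits blue; 01 = up, 10 = down, 00 = released.
SIMPLE_MODE = 0b0001
UP, DOWN, RELEASED = 0b01, 0b10, 0b00

class PfReceiver:
    """The receiver's rule from the talk: act only when the toggle bit differs
    from the previous valid frame, so the repeats of one click are taken once;
    frames that fail the checksum are dropped."""
    def __init__(self) -> None:
        self.last_toggle = None
        self.acted: list[PfMessage] = []

    def feed(self, frame: int) -> bool:
        try:
            msg = pf_decode(frame)
        except ValueError:
            return False                      # corrupted in transmission
        if msg.toggle == self.last_toggle:
            return False                      # same click sent again
        self.last_toggle = msg.toggle
        self.acted.append(msg)
        return True

class PfSender:
    """A controller: flip the toggle bit on every new click, repeat each frame."""
    def __init__(self, repeats: int = 3) -> None:
        self.toggle, self.repeats = 1, repeats

    def click(self, channel: int, mode: int, data: int) -> list[int]:
        self.toggle ^= 1
        return [pf_encode(PfMessage(self.toggle, channel, mode, data))] * self.repeats

# Kev's single-byte serial protocol to the Arduino (bit 7 unused):
#   bit 6      red or blue (assumed: 0 = red, 1 = blue)
#   bits 5..4  channel 0..3
#   bits 3..2  simple-controller button code, or 11 when it is a speed message
#   bits 1..0  speed direction code, or 11 when it is a simple message
CW, ACW = 0b01, 0b10  # assumed codes for clockwise / anticlockwise

def serial_simple(blue: bool, channel: int, button: int) -> int:
    return (int(blue) << 6) | ((channel & 3) << 4) | (button << 2) | 0b11

def serial_speed(blue: bool, channel: int, direction: int) -> int:
    return (int(blue) << 6) | ((channel & 3) << 4) | (0b11 << 2) | direction

def serial_decode(b: int) -> dict:
    """The check the Arduino can do on each byte before building a PF frame."""
    low, mid = b & 0b11, (b >> 2) & 0b11
    if b & 0x80 or (low == 0b11) == (mid == 0b11):
        raise ValueError(f"not a valid command byte: {b:#04x}")
    kind = "simple" if low == 0b11 else "speed"
    return {"kind": kind, "blue": bool(b & 0x40), "channel": (b >> 4) & 3,
            "code": mid if kind == "simple" else low}
```

A byte that has 11 in both fields, or in neither, is rejected before anything is transmitted, which is the "check if that byte makes sense" step the single-byte design buys you.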