Pathetic truth. Master coincidence, certainly, but it couldn't be. No, these were not imagined patterns, the mind seeking to connect accidents with lots of blurred lines. This was something real. Something elegant in its simplicity. Dangerous in its enigmatic complexity. Undeniable in all its obscured perfection. Everyone has to be so kind. There are others who observe this conspicuousness. Able to untangle this perplexity. Understood this cypher that surrounds this key. This 23. Some kind of... Like I said, alright.

Good morning everyone. Welcome to DEF CON 20 fucking 3. Really? That's it, huh? Alright, so in the interest of time, I'm going to kick it over to Omar real quick, but I just want to let everyone know: it's 45 minutes here, not an hour. When he is done, I am going to escort him out. If you guys have questions, you can do it out in the hallway. Unfortunately, there are no Q&A rooms. So with that, have a great presentation.

Okay, hi everybody. I hope you enjoyed DEF CON. Okay, a question. Do you play computer games? Yeah. Okay, and those of you who play computer games, have you ever thought about getting hacked via the games you play? Well, I'm Tamás and I'm going to talk exactly about that. But first, a disclaimer: one of my demos will involve this security camera here, and if you don't want your face to show up on the screen, then maybe you should sit further back or just hide your face when the time comes. Okay. Wow.

With that said, a few things about myself. My name is Tamás Szakály. I'm from Hungary, and I work for a mighty security company called PR-Audit as a pentester and developer. I have an OSCE, and I was part of the team Proditors that won the European Championship of the Global CyberLympics in 2012. And I'm not sure what's happening with these slides; they're changing automatically. Okay, so what am I? My favorite quote from my favorite movie summarizes this quite well: "I am not a computer nerd. I prefer to be called a hacker." Yeah.
And I do love tinkering with binaries and executables. I love crackmes and I love tinkering with copy protection schemes. Okay, one more thing, and I don't want to start a flame war here, I don't know what, but I just have to tell you this: I very, very much prefer cute daemons over flightless birds and half-eaten fruits and pieces of glassy wooden frames. With that said, I have to make a confession. I'm sorry, guys, these slides are changing automatically. It's something I fucked up with PowerPoint, I think. Okay, so the confession: I was for years, and I still am, in love with the Win32 API. It can be so disgustingly beautiful that you just gotta love it. Okay? And this will be relevant later on. Okay. So now they are not changing. Wow.

Okay, games and game modding. Since I'm talking to a room full of hackers, I'm sure I don't have to tell you about that urge to make things better, to implement your own ideas. And frankly, game modding is the same principle. You've got that framework, the game, and you just have to create something out of it. Okay? And you also have to share it with others. And this is why modding will always play a big part in gaming. There are huge sites where you can upload your creations and others can download and play them.

So, games and security. One important aspect of this is multiplayer gaming. Nobody likes to play alone, so nearly all games have some kind of multiplayer functionality. What this means from a security standpoint is that there is a constant data exchange between the clients and the server. And this data can be quite complex, like whole maps or levels. And they also often use obscure protocols. And you should realize that this is a fuzzing heaven. And yeah, in 2013, ReVuln showed us that it is indeed worth fuzzing games. They had a talk about zero-days in game engines. But I'm not going to talk about those kinds of things. I'm going to talk about scripting in games.
There are lots and lots of games that incorporate some kind of scripting language, either something they created or they just embed some existing language like Lua. Why do they do this? They do this because it makes creating dynamic content a lot, lot easier. And the important part of this is that these scripting engines are available to modders. Okay, but could this really be dangerous? Stop right here for a moment and think about it. You, as a game modder, create a mod or a map and incorporate some scripts in it. The player downloads the map, or he joins a server and the map gets downloaded automatically to his machine, and eventually that script you put in there will be run on his machine.

Okay, so most of the game developers realize that this could be a threat. So they try to do something against it. They try to restrict functionality. They try to implement sandboxes. But they often do this wrongly. They fail. Okay, if these kinds of bugs are there, then surely I'm not the first one to realize this. And yeah, I'm not. There are lots and lots of references on the Internet involving exploiting scripting in games. In fact, in 2014, there were several Garry's Mod exploits that got huge gaming media coverage. Okay, so if these things are this common, then why am I talking about this? Why am I talking about this at DEF CON? Because these scripting abuses are used to cheat in games. But they can be used to access your computer, and through your computer, they can be used to access your entire home network, like your security cameras, your smart house components, and stuff like that. And yeah, nobody seems to talk about this kind of stuff.

Let's do this again. Okay, so I'm going to show you several demos where I abuse scripting engines in games. The first target is CryEngine 3 and the Crysis 2 game. Remember when I said that most of the game developers realized that scripting can be a threat? Well, Crytek isn't one of them.
Crytek seems to believe what certain cyborgs tell about the futility of resistance, since they didn't bother to implement any kind of sandbox. They use Lua, and you can even call operating system commands with the os.execute call. And I'm going to show you this using a Crysis 2 mod I've created. Give me a moment. Okay, it's loading. And I'm sure that at least some of you have dreamt about hacking something via the push of a big red button. Well, we are going to do that now. I'm just going to put down the... So we are here on this deserted island and we've got a big red button. I wonder what it does? I'm just going to push it. And yeah, a calculator-ish thing. Thank you guys.

Okay, how did I do that? In CryEngine 3, every object that can be used... Yeah, I'm going to... Okay. So every object has a Lua script attached to it. And here you can see the big red button's Lua script. And this is the on-used event handler. And you can see that it's just an os.execute. So it's just one call. Okay. Oh, I can't really see. Sorry. Okay. So that's how you can execute code via a Crysis 2 map on a player's machine.

Well, but one thing: what was that backslash-backslash-evil-hack sort of thingy? Yeah, that was one of the reasons I do love the Win32 API. In Win32, every function that uses files can accept UNC paths. And yeah, LoadLibrary and ShellExecute do too. So if your victim can access a Windows share you control, then you have the chance to load DLLs or load executable files from that remote share. And you don't have to write shellcode; you just have to use that share. And this has one nice side effect: you can steal NTLM challenge responses if you can get the victim to load a file. And I am going to show you this with the CryEngine 3 SDK, which is a much newer version of CryEngine 3 than the one used in Crysis 2. And I have this Impacket SMB server set up here. And this is the same button with different code. It just tries to access a file from that share.
Okay, jump into the game. Go there and push the button. Okay. Okay, now I push the button. And you can see on the SMB server that there is indeed my NTLM challenge response. So it's a nice trick, I think. Okay. Moving on. That was the demo. But before moving on, we are at slide number 23. And I am personally not a believer in the 23 enigma, but maybe the demo gods are. And I sure as hell don't want to anger them. So this slide is blank, almost blank.

Okay. So my next game is Dota 2. It also uses Lua as its scripting engine. But it has a sandbox. But that sandbox is leaky. And in fact it has a huge leak: you can use the entire standard Lua io library. So you can read files and you can write files. What does this mean? You can steal information. You can deploy autorun stuff. You can just use the NTLM stealing trick I just showed you. Or you can overwrite executables. And I'm going to show you this in a video because the game itself stopped working a few days ago. So, okay. What's that? That's the video. Sorry, I can't really see that. Okay.

In this video, I'm going to show you a Dota 2 mod where I attached a Lua script to the on-NPC-spawn event handler. So when an NPC gets spawned, my Lua code will run. And this Lua code will decode a base64-encoded PE executable and overwrite the main executable with it. Okay. So the next time the game starts, it won't be the game that starts, but it will be our executable. Okay. So it's just loading the map. It takes a few seconds. Okay. I'm just going to create a kobold, an NPC, with console commands. And you will see that the game freezes a bit. It decodes the base64-encoded PE executable. And shortly you will see that, yeah, it got overwritten. You can see the size difference there. And when we try to start the game, it will be the industry standard exploit testing tool, the calculator. That's it. Thanks. Okay. I'm sorry. There's something wrong with PowerPoint. Okay.
And just do it this way. Okay. My next demo, it's a surprise, surprise, it's also a Lua-scriptable game. It's called Digital Combat Simulator. It's a flight simulator. And in fact this was the first game where I found some script abuse. I reported it to Eagle Dynamics. They fixed it. And then I found another one, which I am going to show you. Or rather, I'm going to ask you if you can find the fault. On the screen you can see the entire sandbox implementation of DCS World. The question is simple: where is the leak? What did Eagle Dynamics fuck up? And you can win this fine bottle of Hungarian pálinka if you know the answer. Okay. Nobody speaks Lua? Okay. Then I'm just going to show you. It's on line 24. It's this line. They try to disable loading DLL files. But it shouldn't be loadlib; it should be package.loadlib. So loadlib is nothing in itself. So that was the fault.

Okay. Since none of you could tell me the answer, I've prepared some backup questions. First one being: the title of this talk is a quote. Who asked that question? Whoa. I'm sure this is the right answer, but I was thinking about Joshua from WarGames. Sorry? He was asked the question by Robin? Oh. That's embarrassing. You're right. Okay. Okay. So I don't know who answered first. But yeah, you should find me after the talk and have your pálinka. Okay. I just skipped my second backup question, which was: what is my favorite movie? Jurassic Park. There was a quote from it, a quote from Lex.

Okay. So with this demo, I'm going to crash something. You know, lots and lots of exploits start out as crashes. Well, this one will be a different crash. I've just created a mission in this flight simulator where I've attached a Lua script to the on-plane-crash event. This Lua script does one thing: it loads a DLL from a remote share. So, okay. Start the game for real. Okay. Sorry. It's loading. I couldn't load all my games because I have only 8 gigs of RAM. It's loading. Yeah. Okay.
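The loadlib-versus-package.loadlib slip is a general blacklist-sandbox failure, so here is an added example, not the DCS World sandbox and not code from the talk, that shows the mistake next to a whitelist environment and checks both against the same untrusted script. The "mission script", the helper names and the two environment builders are all constructed for this illustration; it runs on a stock Lua interpreter, 5.1 through 5.4, with no extra modules.

```lua
-- Added example, not Eagle Dynamics' DCS sandbox or any code from the talk.
-- Runs on a stock Lua interpreter (5.1 through 5.4) with no extra modules.

-- Constructed "untrusted mission script": it reports which escape hatches it can reach.
local untrusted = [[
  return {
    loadlib         = type(loadlib),
    package_loadlib = type(package and package.loadlib),
    os_execute      = type(os and os.execute),
    io_open         = type(io and io.open),
    load_fn         = type(load or loadstring),
  }
]]

-- Run `code` with `env` as its global environment. Lua 5.1 needs setfenv; 5.2+ takes env as
-- the fourth argument of load, and mode "t" refuses precompiled chunks.
local function run_sandboxed(code, env)
  local fn, err
  if setfenv then
    fn, err = loadstring(code, "=untrusted")
    if fn then setfenv(fn, env) end
  else
    fn, err = load(code, "=untrusted", "t", env)
  end
  if not fn then error(err) end
  return fn()
end

-- Blacklist sandbox in the spirit of the slide: copy the real globals, then "switch off" things.
local function leaky_env()
  local env = {}
  for k, v in pairs(_G) do env[k] = v end  -- package, os, io, load... come along untouched
  env.loadlib = nil  -- no-op: there is no global called loadlib; the loader is package.loadlib
  env.dofile  = nil
  env.require = nil
  return env
end

-- Whitelist sandbox: the script sees only what it needs. No io, no package/require,
-- no load/loadstring/dofile, no debug, no os.execute. Note that method syntax on strings
-- (("x"):dump(...)) still reaches the real string library through the string metatable;
-- that is harmless only because nothing in this env can turn bytes into a chunk.
local function strict_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs, next = next,
    pcall = pcall, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack or table.unpack,
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, gmatch = string.gmatch, gsub = string.gsub,
               len = string.len, lower = string.lower, match = string.match,
               rep = string.rep, reverse = string.reverse, sub = string.sub,
               upper = string.upper },                 -- deliberately no string.dump
    table  = { concat = table.concat, insert = table.insert, remove = table.remove,
               sort = table.sort },
    math   = math,                                     -- pure functions only
    os     = { clock = os.clock, date = os.date, time = os.time },  -- no execute/remove/rename/getenv/exit
  }
  env._G = env
  return env
end

-- Check both sandboxes against the same untrusted script.
local leaky  = run_sandboxed(untrusted, leaky_env())
local strict = run_sandboxed(untrusted, strict_env())

assert(leaky.loadlib == "nil")               -- the "fix" had no visible effect...
assert(leaky.package_loadlib == "function")  -- ...because the real loader is still reachable
assert(leaky.os_execute == "function")

assert(strict.package_loadlib == "nil")
assert(strict.os_execute == "nil")
assert(strict.io_open == "nil")
assert(strict.load_fn == "nil")

for _, name in ipairs({"loadlib", "package_loadlib", "os_execute", "io_open", "load_fn"}) do
  print(string.format("%-16s leaky=%-9s strict=%s", name, leaky[name], strict[name]))
end
```

The practical check is the last block of asserts: enumerate every loader, file and process primitive you know of and confirm the sandboxed script sees nil for each, rather than trusting that a `something = nil` line hit the right table. Starting from an empty table and adding functions is what makes that check hold for names you did not think of.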
So I'm going to jump into the cockpit of a plane. There should be a Paint popping up. But yeah, it's under the... Oh, sorry. Under everything. That was it. Sorry. I don't want to take any more time. But yeah, that popped up, if you believe me.

Okay. So my next demo is a bit different. It's different for two reasons. This one won't abuse scripting, but it will abuse a dangerous and not-well-thought-out feature in a game. And also, this time, the gamer will be the bad guy. So we will attack the server. The game is Armed Assault. This is a military combat simulator game where you can have your own squadrons. And you can set up your squadron information: your squadron's name, logo, website, and so on. And every time you join a server, this information will get displayed, not just for you, but for everyone on that server. And how does this work? On your profile, you can set up a squadron URL that points to an XML file. And every time you join a server, the server will fetch that XML file and parse your squadron information from there. When I first read about this, I was like, this has got to be an XXE. I'm sure of it. And yeah, it wasn't. But not to worry, it's still an SSRF. And I am going to show you this.

This demo is based on real-life experiences. There was this guy with an Armed Assault server, and he also had a PHP chart server on the same machine, a PHP chart server that was only accessible from localhost. So this is the Armed Assault server. Here is the running PHP chart server. And the PHP chart server is vulnerable to an RCE that can be triggered by a GET request. So what I'm going to do is edit my, oh, geez, my profile, and set up a URL, localhost, that triggers the PHP chart exploit. So when I join the server, okay, I can't really see it, sorry. Which one is multiplayer? This one. Okay, thanks. Sorry. Okay.
So just put it a bit away, because I will have a netcat listener here, since the PHP chart exploit will trigger a connect-back shell as soon as I join the server. Yeah, it's working. It's trying to join the server. It's a bit slow since there are several games running on the same machine. We've got a connection and this is a shell. You can see id, uname. So yeah, we have just executed code on the server by just joining it. And I've been kicked out of the server. Okay.

So this was a GET request. A GET request that we didn't see the answer to. But there are games where you can issue a GET request that you can see the answer to, too. And one of these games is Garry's Mod. You may remember that I talked about Garry's Mod. It had its share of Lua-related exploits in the past, and this resulted in a pretty solid Lua sandbox. So Garry did fix a lot of things. But it also has a huge API. There are lots and lots of functions, and yeah, there are some dangerous functions too. Like this one: there is an HTTP function and it uses this structure. As you can see, this is a screenshot from the documentation. As you can see, you can control every aspect of an HTTP request. You can control the method, the headers and so on. What does this mean? So if you create a map or a mod or a server in Garry's Mod, then you can have a full-fledged HTTP proxy into the gamer's home network.

Okay. And yeah, I'm going to show you that with a Garry's Mod I've created. I have implemented three console commands that only super administrators can use. One of them is ACK scan players. So I, as a super administrator, will issue this command and it will scan all connected players' home networks for HTTP servers. And hopefully it will find this camera here. And yeah, it did. We can see that it's an Unauthorized on that IP address. Yeah, I'm just going to switch to duplicate. Sorry about that, but I can't see anything. Okay.
So now my second console command is used to brute-force an HTTP Basic authentication server. So we're just going to put the user ID and the HTTP server's address here as parameters. And we can see that it tries a few username/password combos and it finds that the username and password are admin, admin. Okay. So we have the username and the password for this camera here. Now we can steal images through the game. And this is what my third console command is used for. It also requires the user ID, to know who to send it to. It requires a, oh, a URL. This URL can be obtained from the HTTP server's response, and it could also be brute-forced, but I didn't have the time for it. So when I issue the command, it should, okay. It's working. Okay. It received an image and yeah, here you are on the screen inside the game. Thanks. Okay. Okay.

My final demo. You should be afraid of mice, and I'm not talking about those two guys there, although they can be dangerous too, but I'm talking about this one. I don't know if you can see it. This is a Logitech G-whatever mouse, and like all Logitech G series peripherals, it can be scripted with Lua via the Logitech Gaming Software. And this Lua code runs in a very, very, very tight sandbox. But it still can be circumvented by a method first shown by a guy named Corsix in his Company of Heroes 2 exploit back in 2014. He abused handcrafted Lua bytecode to achieve two tricks. The first trick is to get the memory address of any Lua variable as a double. And the second one is being able to create Lua variables that point to arbitrary memory locations. These two tricks combined lead to arbitrary memory read/write, which eventually leads to code execution.

Okay. How did he do these tricks? The first trick: in Lua every variable is a TValue. TValue is a struct that stores the actual value in its first eight bytes. Okay. In the case of a Lua number, that first eight bytes is a double, and in the case of any other Lua variable it's a pointer to a structure.
So for example, for a Lua string it's a TString pointer. So if we could get Lua to interpret, for example, a string as a number, then we can get that pointer, that memory address, as a double. Okay. And yeah, of course he did exactly that. He used the for loop and he NOPed out the OP_FORPREP opcode. OP_FORPREP is responsible for checking that every parameter of the for loop is actually a number. So he NOPed that out, and the second opcode just assumed that they are numbers. So they get interpreted as numbers, and that's how you get memory addresses as doubles.

Okay. So the second trick is a bit trickier. And it's done basically in these few lines, and I'm going to go through it line by line. Okay. In Lua, upvalues are entities that belong to functions, and they represent function parameters or variables that are declared outside of the scope of the function. So we create a string, a Lua string, that looks like an upvalue. So we will have a chunk of memory that can be interpreted as an upvalue. An upvalue that points to the memory location we want to read or write, this one here. Okay. Second line. We want the address of that memory chunk. So we get the address of the Lua string. But because the Lua string actually is a TString structure, we will need to add 24 bytes to it, because the first 24 bytes of the TString structure are just metadata. Okay. So now we have the memory chunk's address in the upvalue pointer variable. So, next step. We modify the bytecode by hand so that the variable magic will be interpreted as an LClosure. LClosures represent Lua functions in Lua. So we set up magic's value by concatenating the upvalue pointer string three times. Okay. So magic is a string. When it gets interpreted as an LClosure, as you can see on the bottom part of the slide, bytes 16 to 24 will be the LClosure's upvals field. upvals is an array of upvalue pointers.
And since those bytes are indeed an upvalue pointer, we just set our outer function's first upvalue to point to our memory address, the memory address we want to read or write. And because the first upvalue of that function is magic, we can access that memory address via magic.

Okay. So how did Corsix exploit this? He created a coroutine with coroutine.wrap. It creates a C closure on the Lua stack. A C closure is just a Lua representation of a native function pointer, the native function being luaB_auxwrap in this case. Okay. He then replaced this function pointer with a pointer to ll_loadlib, which is also a C closure function, and it's basically a wrapper around LoadLibrary. So after that, when he called the coroutine with the DLL name as a parameter, he could load that DLL into the address space of the game.

So what did I do differently? First of all, mine is a 64-bit exploit. His was 32-bit. What does this mean? It means that the memory layout and the struct packing are different. The calling conventions are different. So we can't modify function parameters, since they are not in memory, they are not on the stack; they are passed in registers. The most important thing about this 64-bit difference is that the size of a double equals the size of a pointer. This actually makes this exploit a lot easier, since you don't have to worry about the size difference when using the first trick. I also couldn't call ll_loadlib, since ll_loadlib is just a stub when you compile Lua as ANSI C. It does nothing. So I had to call native functions directly. I had to find useful native functions that accept one parameter that is a pointer. LoadLibrary is a good candidate since it accepts a string, and ShellExecute would be another. Okay, so we have to get LoadLibrary's address. We have to replace luaB_auxwrap with LoadLibraryA. And we have to overwrite the lua_State with the DLL name. This is because we can't modify the parameter itself.
We have to modify the data it points to. And the pointer points to the actual lua_State, so we have to overwrite that. So after that we can call the coroutine and execute LoadLibrary. So there are some difficulties, like how to get the address of the lua_State struct. When your code runs in a coroutine, coroutine.running gives you back the lua_State. So that's easy. Okay, there were some crashes. I had to uninstall the hooks. I had to stop the garbage collector. And I also had to restore the lua_State.

And one other question remains: how to get LoadLibrary's address. That has a simple solution. What Corsix used, he used the memory difference in the PE executable to calculate the LoadLibrary address. But there's a much more generic solution: you can get and read the address of the NT header. From that you can have the import directory's address. You can search for kernel32.dll in it. And you can have LoadLibrary's address from kernel32's import address table. So this is two tricks. This is much, much more generic, and something like that can be used on other operating systems, for example parsing the ELF header. Okay, with this approach there is a restriction: you can only overwrite 16 bytes of the lua_State. But this is not really a problem, since we can omit the .dll and LoadLibrary will still find the DLL. So if we use UNC paths, then we have nine characters for an IP or a domain name. So it's not really a problem.

Well, okay, I'm running out of time, I think. So I'm just going to show you this. Here is the profile with the script. This is the script and it's attached to the middle mouse button. So when I press the middle mouse button, a calculator appears. Thanks guys. Okay. So we are at the end of my talk. One question: should we listen to Joshua and just stick to a nice game of chess? Of course we shouldn't.
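Both the Company of Heroes 2 technique and the Logitech variant above start with a handcrafted binary chunk reaching the VM, so the check a sandbox author wants is a loader that only accepts source text. The following is an added example, not Corsix's code, not the talk's exploit, and not the Logitech Gaming Software's actual sandbox; the loader name and the sample chunks are constructed for this illustration. It runs on stock Lua 5.1 through 5.4. Lua 5.1 shipped a bytecode verifier that was known to be bypassable, and 5.2 and later have none at all, so rejecting binary chunks outright is the only reliable guard.

```lua
-- Added example, not Corsix's or the talk's exploit code. The bytecode tricks described in the
-- talk all begin with an attacker getting a precompiled chunk into the VM; a sandbox must
-- therefore never load one. Runs on stock Lua 5.1 through 5.4.

-- Load `chunk` as source text only, in environment `env`.
local function load_text_only(chunk, name, env)
  if type(chunk) ~= "string" then
    return nil, "only string chunks are accepted"
  end
  -- Precompiled chunks start with the signature ESC "Lua" in every Lua release.
  if chunk:sub(1, 4) == "\27Lua" then
    return nil, "binary chunk rejected"
  end
  if setfenv then
    -- Lua 5.1: loadstring has no mode argument, so the signature check above is the whole guard.
    local fn, err = loadstring(chunk, name)
    if not fn then return nil, err end
    setfenv(fn, env)
    return fn
  end
  -- Lua 5.2+: mode "t" makes the VM itself refuse binary chunks as a second line of defence.
  return load(chunk, name, "t", env)
end

-- Produce a binary chunk the legitimate way; an attacker would hand-edit these bytes instead
-- (for example to NOP the OP_FORPREP type check the talk describes).
local bytecode = string.dump(function() return 23 end)
assert(bytecode:sub(1, 4) == "\27Lua")

local env = {}
local fn, err = load_text_only(bytecode, "=patched", env)
assert(fn == nil and err == "binary chunk rejected")

-- The same logic as source text is accepted and runs with the empty environment.
local fn2 = assert(load_text_only("return 23", "=text", env))
assert(fn2() == 23)

if not setfenv then
  -- Show the second guard on its own: plain load() with mode "t" refuses the same bytes.
  local f3, e3 = load(bytecode, "=patched", "t", env)
  assert(f3 == nil and e3 ~= nil)
end

print("binary chunk rejected, text chunk ran and returned", fn2())
```

Two things to keep in mind when applying this: the check has to sit in front of every loader the script can reach (load, loadstring, dofile, loadfile, require and package.loadlib), not just one of them, and the whitelist environment has to omit string.dump, otherwise a script can still manufacture bytes that look like a chunk even if it cannot currently load them.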
We should play computer games, but we should be aware of these threats, and we should treat our games like we treat all of our other software. And also, game developers should pay more attention to this kind of stuff. Okay, this concludes my talk. Thank you very much for listening, and have a good