DC9723 October 30 Meeting

DC9723 October 30 2018 Meeting
When: Tuesday 30 of October, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)


Brief Introduction
Digital Whisper
Reversing SR-IOV For Fun and Profit – Adir Abraham
BITSInject – Control your BITS, get SYSTEM – Dor Azouri

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Reversing SR-IOV For Fun and Profit – Adir Abraham
We are surrounded with PCIe devices everywhere. They are in charge of interconnecting extremely important and exciting functionalities inside and outside our systems.
Have you ever been wondering how to explore and reverse engineer those devices and their functionalities? SR-IOV (Single-Root I/O Virtualization) is a peripheral component interconnect (PCI) standard for sharing PCIe devices within a single computer.
In this talk, I will provide thorough background of PCIe devices and the standard. Afterwards, I will share my research experience and explain how SR-IOV PCIe devices can be reverse engineered using radare2, how to look for vulnerabilities, what information we can get and what we can learn from those findings.

BITSInject – Control your BITS, get SYSTEM – Dor Azouri
Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.
Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path…) in runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.
Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow;
We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer – a pythonic BITS server; A struct definition file, to use for parsing your BITS state file.

Leave a Reply