Oleg Kupreev - A bar-cat writes shellcode or Funny Pictures

Transcript

1. None

2. .:[ barc0de 2 shellc0de ]:.

3. WHOAMI • @090h root@0x90.ru • Yet another security guy •

   Hardware addict • Co-founder: dc7499.ru 2600.ru hwv.su

4. Barcode scanner for kidz

5. WTF is barcode ? • Originally used 7 bit ASCII,

   except for Code 128 • Types: 1D/2D/clocked

6. Barcode scanner inside

7. Target Product: Honeywell Voyager 1450g Boot Revision: : 7350 Software

   Number: CP000030BAA Software Revision: 7731

8. Interfaces • USB • Keyboard Wedge • RS-232 • RS-485

9. Keyboard Wedge

10. RS-485

11. USB device modes • Keyboad • HID • Serial •

    xxxPOS* * Various POS systems supported: IBM, NCR, etc

12. One RJ41 to run’em all Pin Keyboard RS-232 USB RS-485

    1 Cable shield Cable shield Cable shield Cable shield 2 Cable select Cable select Cable select Cable select 3 GND GND GND GND 4 Terminal data TX TX* 5 Terminal clock RX RX* 6 Keyboard clock CTS 7 +5V +5V +5V +5V 8 Keyboard data RTS Transmit enable 9 Data + 10 Data - * RS-485 signal conversion is performed in the cable.

13. Barcode to code Honeywell scanners are programmed by scanning menu

    bar codes or by sending serial commands to the scanner. If you want to restrict the ability to scan menu codes, you can use the Menu Bar Code Security settings.

14. Programming Chart

15. Basic commands Description Command Add Code I.D. Prefix to All

    Symbologies (Temporary) PRECA2,BK2995C80! Show Decoder Revision REV_DR Show Scan Driver Revision REV_SD Show Software Revision REVINF Show Data Format DFMBK3? Remove Custom Defaults DEFOVR Activate Defaults DEFALT

16. Trigger Manual Trigger - Normal Mode (need to press the

    button to read) Presentation mode (the scanner is activated when it “sees” a bar code)

17. Terminals PnP PAP Interface Terminal ID Serial command Description USB

    124 PAP124 PC keyboard USB 125 PAP125 Mac Keyboard USB 134 TRMUSB134 PC Keyboard (Japanese) USB 130 TRMUSB130 Serial (COM driver required) USB 131 PAP131 HID USB 128 PAPSPH USB SurePOS Handheld USB 129 PAPSPT USB SurePOS Tabletop RS-232 000 PAP232 Serial RS232 TTL Keyboard 003 PAP_AT Keyboard PS2 compatibles

18. Keyboard settings • Country layout • Style • Conversion •

    Control character output • Modifiers

19. Keyboard country layout • US • RU

20. Keyboard style • Regular - Caps Lock key off. •

    Caps Lock - Caps Lock key on. • Shift Lock - Shift Lock key on (not common to U.S. keyboards). • Automatic Caps Lock • Autocaps via NumLock – Caps Lock key cannot be used to toggle Caps Lock. (Germany, France) • Emulate External Keyboard should be scanned if you do not have an external keyboard

21. Keyboard style

22. Keyboard conversion • Keyboard Conversion settings override any of the

    Keyboard Style settings. • Default = Keyboard Conversion Off.

23. Keyboard control character output • This selection sends a text

    string instead of a control character. When the control character for a carriage return is expected, the output would display [CR] instead of the ASCII code of 0D • Default = Off.

24. Keyboard modifiers

25. Keyboard configuration • Country layout • Style • Conversion •

    Control character output • Modifiers

26. Mobile phone read mode When this mode is selected, your

    scanner is optimized to read bar codes from mobile phone or other LED displays. Turbo Mode: The scanner sends characters to a terminal faster.

27. Input settings • Trigger mode • Beeper • LED illumination

    • Delays: hands free delay, reread delay • Character activation mode • Inverted barcodes • No read notification • Working Orientation

28. Generic attack scenario 1. Switch to presentation mode 2. Enable

    reading barcodes from the screen 3. Enable all symbologies 4. Turn on LED 5. Enable turbo mode 6. Switch scanner to keyboard mode 7. Execute something like RubberDucky..

29. I’ll be your keyboard

30. I’ll be your keyboard ASCII Conversion Chart (Code Page 1252)

    In keyboard applications, ASCII Control Characters can be represented in 3 different ways, as shown below. The CTRL+X func- tion is OS and application dependent. Enter what you want with folowing: • Control + X Mode Off (KBDCAS0) • Windows Mode Control + X Mode On (KBDCAS2) • Extended ASCII Characters

31. Surprise time

32. Data editing • Prefix and suffix are used to build

    the user-defined data into the message string. • Function code transmit • Intercharacter, Interfunction, and Intermessage Delays

33. Advanced data format • Create advanced data format • Search

    and replace are available Example: Remove zeroes at the beginning of bar code Command string: E630F10D E6 is the “Search forward for a non-matching character” command 30 is the hex value for 0 F1 is the “Send all characters” command 0D is the hex value for a CR

34. Advanced data format • Create advanced data format • Search

    and replace are available Example: Remove zeroes at the beginning of bar code Command string: E630F10D E6 is the “Search forward for a non-matching character” command 30 is the hex value for 0 F1 is the “Send all characters” command 0D is the hex value for a CR

35. Total Freedom SDK Development Platform for very advanced plugins: •

    Programming Languages: C/C++ arm-matrix-eabi • CPU: ARM • ROM: =< 2 MB • RAM: =< 4 MB

36. Total Freedom SDK ideas… • Do advanced data modification in

    MatrixPluginDataEdit() in your barcode scanner payload • Dump, reverse and crash other plugins • Take control of GPIO with plugin_io_init(unsigned int pins, unsigned int direction);

37. Qr code format example • ST00011|Name=ПАО "Мосэнергосбыт"|PersonalAcc=40702810738360027199|BankName=ОАО "Сбербанк России"|BIC=044525225|CorrespAcc=30101810400000000225|Purpose=Опла та

    электроэнергии|Sum=1000000|uin= 75да533315-01- 6101|persAcc=7544504360|paymPeriod=012016|TechCode=02|PayeeINN=773 6520080|KPP=997450001|lastName=Иванов|firstName=Иван|middleNam e=Иванович|payerAddress=115583, г.Москва, ул. Елецкая , д.1, кор.1, кв.1|addAmount=0 • Parse and spoof what you want!

38. GPIO

39. Barcode scanner security risks • Data input/output device • Works

    as keyboard in 75% of cases • Programmable with the help of barcodes • Provides configurable output editing/formatting capabilities • Output data are used for future manipulations. DB queries for example

40. RS-485 • IBM POS terminal interface • IBM ports: 5B,

    9B, 17 • Supports packet mode

41. RS-485 packets To break up large bar codes into small

    packets, scan the Packet Mode On bar code below. Scan the Packet Mode Off bar code if you want large bar code data to be sent to the host in a single chunk. Default = Packet Mode Off.

42. RS-485 packet length If you are using Packet mode, you

    can specify the size of the data “packet” that is sent to the host. Scan the Packet Length bar code, then then the packet size (from 20 - 256) from the Programming Chart inside the back cover of this manual, then Save. Default = 40.

43. Attack mitigations Windows 8.1 Embedded and Windows 10 IoT provide

    USB and keyboard filters.

44. Plans for the future research • Create barcode scanner malware

    demo • Create barcode printing keyboard • Research and pwn bluetooth scanner • Fuzz apps and plugins