Steamed rice. 2015/07/08 9:59

0x00 Preface


Let me state up front that I am not a full-stack security engineer, just a side dish in mobile security, so this analysis of the leaked data will inevitably contain oversights or errors; I hope the experts reading this will be lenient.

Here is what security veterans had to say about Hacking Team:

@tombkeeper: Stuxnet let the public know “it's true”; Snowden let the public know “it's that much”; Hacking Team let the public know “it's really a business”.

@zhao wu on the road: When HBGary was hacked in 2011, many people didn't realize what it meant, because it was related to national security. Hacking Team has been hacked for two days and nobody has realized what it means either. The customer list and 0days are included this time, but I pay more attention to the code of RCS. In the past, the industry was all rough demos, with little engineering and no public disclosure. This time, the technology in the industry will be pushed forward by several years, especially in the black market.

It is almost as big as the Snowden incident, but the HT hack didn't just let the public know about it; it also brought 415 gigabytes of leaked data with it! Inside are a Flash 0day, a Windows font 0day, an iOS enterprise backdoor app, an Android SELinux exploit, a WP8 Trojan and other nuclear-grade vulnerabilities and tools. So without further ado, let's begin our guided tour.

0x01 Overview


Because all the files add up to a whopping 415.77 GB, it would take forever just to download them. Fortunately someone has posted a mirror of the entire dump online; interested readers can browse it directly at http://ht.transparencytoolkit.org/. It is said to be so large because most of it is email. But you don't have to worry about your thin pipe: some kind souls have put together a 1.3 GB version, and I also offer a Baidu cloud backup of it: http://pan.baidu.com/s/1i3lHQRF. Until the full version finishes downloading, let's try the lite version.

It looks something like this:

“HACKING TEAM PASSWORDS AND Twitters.PDF” mainly contains the account names and passwords of websites Christian Pozzi frequently visits, as well as screenshots of Twitter. He is presumably the person whose computer was hacked; it was through his machine that all the data of HT's intranet Git server, knowledge base and mail server were dumped.

Remote Control System (RCS): I have to say that the best thing about HT is their RCS system; they implemented RCS on every platform (including Windows Phone). We can take a look at a screenshot of their system:

The surveillance information is mind-bogglingly detailed. I wonder how many people are being monitored like this.

gitosis-admin-master.zip contains the public keys of the members on the Git server and the projects each person is responsible for. Placidi, for example, works on the Android projects; Naga, Daniele, Zeno, Diego and Ivan work on the fuzzers; Matteo, Zeno and Daniele do virus detection.

Therefore, in the following chapters we will walk through the projects according to these groupings.

0x02 Android


1. core-android-audiocapture-master.zip hooks mediaserver with Collin Mulliner's hook framework for voice and call monitoring. The “pack” folder holds the final compiled program. The “references” folder contains mostly Collin Mulliner's papers and slides, and the whole project is a modification of https://github.com/crmulliner/adbi. The captured audio is not in WAV format and still has to be decoded with the tool in the “decoder” folder. It seems the author successfully tested voice interception of WeChat, WhatsApp, Skype and other applications in addition to phone call monitoring.

2. core-android-market-master.zip should be what they use to upload the monitoring app to Google Play. Google Play's detection system has no effect on this kind of malware used in APT attacks. The username and password of HT's developer account are also saved in \core-android-market-master\doc\readme.txt. But when I tried to log in, I found that the password had been changed hours earlier.

3. core-android-master.zip is the source code of the HT RCS system. Apart from the gradle build files, all the source is stored in the directory “\core-android-master\RCSAndroid”. With this RCS app you can not only monitor basic information, but also obtain data from all the major social applications.

In terms of application hardening, this RCS app uses DexGuard for obfuscation as well as virtual machine detection. According to the development log, the project also seems to use many 0day tricks to obfuscate the application; that is worth investigating later. The main code is in the directory “core-android-master\RCSAndroid\jni”, and exploit_list.c lets it invoke the various exploits to gain root:

In addition, core-android-master\RCSAndroid\jni\selinux_exploits contains exploits that bypass SELinux enforcing mode.

4. core-android-native-master.zip has more detailed root project code and instructions. In the “legacy_native” folder, “suidext” contains all the shells and “local2root” contains the root exploits for Android <= 4.1. In the “selinux_native” folder, “put_user_exploit” contains the exploit for the put_user call, “kernel_waiter_exploit” contains the towelroot exploit, and “suidext” contains the new shell. The exploits built with “build.sh” end up in the “bin” directory (these can defeat SELinux on Android 5.0). For the other files, see readme.txt in that directory; it is in Italian, so translate it yourself with Google.

0x03 iOS & Mac OS


1. The “core” folder in “core-ios-master.zip” holds the main RCS code. It mainly uses dylib injection to monitor user input, GPS, screen and other information.

The “ios-newsstand-app” folder should be the source of another iOS app. From the code it appears to replace the iOS system keyboard and then log keystrokes, probably used to attack devices that are not jailbroken. The “keybreak” folder is used to crack the phone's lock-screen passcode and contains the source code of the lockdownd remote exploits. The ios-install-win32 and ios-install-osx folders contain the tools for installing the apps onto an iPhone or iPad from Windows and Mac OS. HT also has an iOS Enterprise account that can be used to publish enpublic apps: “UID=DE9J4B8GTF, CN=iPhone Distribution: HT SRL, OU=DE9J4B8GTF, O=HT SRL, C=IT”. For the harm of enpublic apps, please refer to my previous article or paper.
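A defender triaging sideloaded apps can extract the signing certificate's subject and compare the Apple team ID against a watchlist. The following is an added example, not code from the original post or from Hacking Team; the watchlist and the sample subjects it handles are constructed, and only the HT SRL team ID DE9J4B8GTF comes from the subject quoted above.

```python
# Triage an iOS code-signing certificate subject against a team-ID watchlist.
# Added example (not from the post or HT). Parses "UID=..., CN=..., OU=..."
# subjects and flags distribution certificates whose Apple team ID is listed.

# Constructed watchlist of team IDs known to sign surveillance apps.
WATCHLIST = {"DE9J4B8GTF"}  # the HT SRL team ID quoted in the post


def parse_dn(dn: str) -> dict:
    """Split a comma-separated subject DN into {ATTR: value}.

    Handles backslash-escaped commas and double-quoted values, since CN
    values such as "iPhone Distribution: HT SRL" may contain punctuation.
    """
    parts, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def check_signer(dn: str, watchlist: set = WATCHLIST) -> tuple:
    """Return (team_id, verdict) for a signing-certificate subject.

    Apple places the team ID in OU (and UID). Distribution certificates carry
    a CN starting "iPhone Distribution:", development ones "iPhone Developer:".
    """
    attrs = parse_dn(dn)
    team = attrs.get("OU") or attrs.get("UID") or ""
    if not attrs.get("CN", "").startswith("iPhone Distribution:"):
        return team, "development-or-unknown"
    return team, "blocked" if team in watchlist else "distribution-review"
```

An app signed by a distribution certificate that was not re-signed by Apple for the App Store is either enterprise or ad-hoc distributed, so "distribution-review" is itself a signal worth inspecting.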

2. “vector-ipa-master.zip” should contain the source code of another iOS Trojan. This one is not an application but seems to be a low-level network agent, which can be used to monitor or control the system's network traffic.

3. The “core-macos-master\core” folder in “core-macos-master.zip” holds the Mac OS RCS source, which is in fact the Mac OS Trojan; it is very similar to the Windows Trojan.

0x04 Windows Phone & Symbian & BlackBerry


1. core-winphone-master.zip is the RCS Trojan for Windows Phone. The “activation tracking” on WP devices is said to take advantage of a “0day” in the system that allows third-party code to execute as a trusted program. The RCS can also retrieve contacts, calendar, calls, location, SMS, sensor status and other information. The program ID is 11B69356-6C6D-475D-8655-D29B240D96C8.

2. core-blackberry-master.zip and core-symbian-master.zip are the RCS systems for BlackBerry and Symbian respectively.

0x05 Fuzzer


  1. fuzzer-windows-master.zip mainly holds the fuzzer source code for Windows. There are fuzzing harnesses for IE and for fonts.

  2. fuzzer-android-master.zip mainly holds the fuzzer source code for Android. There are fuzzers for JPG, SMS and system calls. Trinity is primarily used for the system call fuzzing, such as the ioctl() calls used by Binder.

0x06 Virus Detection


test-av-master.zip is the first-generation product and test-av2-master.zip the second generation; HT named them AVMonitor. This system is mainly used to run antivirus detection tests, to ensure that their products pass (are not flagged by) the antivirus products. \test-av2-master\doc\AVTEST box.xlsx keeps a list of the antivirus software they use, together with the serial numbers.

There are even whiteboard photos of their meetings in the “test-av2-master\doc\whiteboard” folder.

0x07 Exploit & 0day


vector-exploit-master.zip is where the second wave begins. First, you can find two Flash exploits in it: one is a Flash 0day (ActionScript ByteArray buffer use-after-free), the other is CVE-2015-0349, used by Nicolas Joly in the Pwn2Own 2015 contest. To escape the sandbox and gain full control of the user's system from Internet Explorer and Chrome, Hacking Team also exploits a font 0day in the Adobe Font Driver (atmfd.dll), a Windows kernel driver, to elevate privileges and bypass the sandbox. This 0day works from Windows XP through Windows 8.1 and affects both x86 and x64. People at Digital Seed wrote an analysis report while I was still working on mine: http://drops.wooyun.org/papers/6968; interested readers can go and have a look.

In addition to the two Flash exploits and the font 0day, there is an Android browser exploit in the vector-exploit-master\src\ht-webkit-android4-src directory. After the victim views a web page with the Android browser, the target APK can be installed on the device. The vulnerability affects phones running Android 4.0 through 4.3. From a cursory look at the source code, the exploitation process is very complex: there are at least four stages, and information leaks, heap spraying and other techniques are also used. PS: in vector-exploit-master\src\ht-webkit-android4-src\docs there is a diagram of the exploit photographed during a company meeting.

0x08 Other


  1. GeoTrust-master Signing Keys.zip holds HT's GeoTrust certificate.
  2. There are a lot of recordings at http://ht.transparencytoolkit.org/audio/.
  3. HT left an SQL backdoor in their own products, convenient for them to query at any time: http://ht.transparencytoolkit.org/rcs-dev%5cshare/HOME/ALoR/htdocs/conf.php
  4. Many genuine VMProtect Professional keys are leaked: https://ht.transparencytoolkit.org/rcs-dev%5cshare/HOME/ALoR/VMProtect.key and https://ht.transparencytoolkit.org/rcs-dev%5cshare/HOME/Ivan/vmprotect/

0x09 Gossip


1. Phineas Fisher claims to have hacked Gamma and HT. HT's Twitter account even retweeted the message…

2. HT's passwords were very simple; it is hard not to get hacked that way.

3. http://ht.transparencytoolkit.org/c.pozzi/Desktop/you.txt, you know… (from @youstar)

0x0a Unfinished, to be continued


Because of the huge amount of leaked information, there is still a lot of content not covered in this article. We will keep following this story and updating the post in the coming days, so please come back and read on.

0x0b Update 2015.7.10


1. One of the biggest concerns in the HT leak is the Flash 0day, which lets hackers remotely control a user who merely browses a web page. Here is a POC (proof of concept) page for your own testing: http://zhengmin1989.com/HT/index.htm. This page does not install malware on your computer; it only runs the calc.exe command to bring up the calculator. Of course, a hacker could replace the calculator with another malicious program, or simply run del or other malicious commands, so if the calculator pops up for you, go install the patch! And don't assume that your non-mainstream browser won't fall for it: the engines of these non-mainstream browsers are the same open-source frameworks used directly by the mainstream browsers, just in a different shell. This 115 browser, for example, plays just as well.

2. In addition, there is also a demo of the font 0day in the Windows kernel driver Adobe Font Driver (atmfd.dll). It can be downloaded at http://zhengmin1989.com/HT/32bitwin81.zip; my test of it was successful.

3. To make analysing the HT project source code easier, someone uploaded the HT git server to GitHub with some simple explanations for each project, and is still updating it: https://github.com/hackedteam?tab=repositories. The explanations are in English; if you want a Chinese version, you can refer to the brief analysis of the Hacking Team remote control system published on drops by Green Alliance: http://drops.wooyun.org/papers/7025

4. As mentioned above, the vast majority of the leaked data is email. Wikileaks has placed all the leaked emails in their online database, making them easily searchable: https://wikileaks.org/hackingteam/emails/. You can find a lot of remarkable mail in there, such as the ones concerning an HT backdoor and the NSA.

5. You can find HT's client list in the leaked information, even including the FBI of the United States, with a total of 41,871,712 euros of business: https://ht.transparencytoolkit.org/Amministrazione/01%20-%20CLIENTI/5%20-%20Analisi%20Fatturato/2015/02%20-%20Client%20Overview%202015/Client%20Overview_list_20150603.xlsx