Lil Stinkers Blog

Lil Stinkers Dayhome


Oceanhorn – Classic Adventure Game for you favorite platform

Android has been one of the most requested platforms from us and we are happy to announce that Oceanhorn's world domination continues and Oceanhorn is coming to Android! Same team that works on console versions are behind the quality Android port. We'll get back to you with a release date later on!

In other news, we have just released an update for Steam version. It will add a support for Steam Controller and Steam link, but most importantly you can now play Steam version on your Mac! Save games in Steam are cross platform compatible.

So, in 2016 you will be able to play Oceanhorn not just on iOS, Apple TV or PC – but on Mac, PS4, Xbox One and even on your Android devices and Android TV!

Oceanhorn is the classic adventure game for your favorite gaming platform!

I am eager to tell you all what we have been working on for the past year – but it will have to wait just a little bit longer. ^_^

Lil Stinkers Dayhome

Hello again! We continue on the path of adventure writing. If you're confused, start here.

The beauty, and perhaps frustration, is that there's no right answer as to where we go next. So many things may be clamoring for our attention. You just have to pick something and move forward in that direction.

Personally, I wanted to get a better handle on the look and feel of the dungeon. What is it? Where is it? Why is it? That sort of thing.

This is going to be some kind of extra-planar temple between dimensions. Therefore, it needs to have a special appearance. In my opinion, standard square and rectangular rooms separated by corridors just won't do.

Since this will relate to the scenario Dead God Excavation, why not the interior of a deceased Old One? I started sketching out the shell of a rather amorphous creature with tentacles. Eventually, I'll send this out to a professional cartographer as a reference so he knows the kind of thing I'm after. And one day, I hope, my original drawing inspiring the final version will be worth thousands of dollars in 20+ years. That means keep your originals!

I'm not the best cartographer, but there are literally dozens of useful map drawing tutorials all over the internet. Or just study the map makers you love. I've picked up a few tricks from my friend and former collaborator Glynn Seal of MonkeyBlood Design.

As I drew, I tried to think of a few adventure details. Such as, what was this particular dead god called? And how does any of what I'm drawing relate to the title which was my last piece of the puzzle?

In fact, that's a good way of looking at my process. I'm just putting puzzle pieces together until I have a whole. It's difficult at first, with so many blank spots needing to be filled in. It gets easier as the puzzle nears completion.

As you can see from the picture, the Old One is (or was) named Tsuma'al. That word Tsuma'al was just something I came up with. The root may have come from Tsalal from Thomas Ligotti's weird short stories.

So, is Tsuma'al just a dead shell and nothing more... still alive but asleep, waiting to rise? I'll have to think about it. At the end of the day, whatever makes the adventure more fun and interesting is the right answer.

The darker bits are obstructions, perhaps fossilized organs or skeletal fragments that haven't disintegrated yet. The last bits I added were zoth pools and streams that PCs will have to cross or wade through.

What is zoth? It's the blood of Great Old Ones. Zoth is a glowing chartreuse ichor that enhances sorcery, magic items, and can be used as alchemist's fire. It's powerful, but also hazardous to the touch. Yes, the Cha'alt connection grows...

Next, I'll probably detail what kind of encounters this dungeon will contain, what's currently going on in this weird planar temple and how will the PCs' involvement introduce complications. I shall let ideas from the title, Slime Green Concubines of the Blood-Splattered Queen, percolate.

Stay tuned for part 3 either tomorrow or the next day!

VS

Lil Stinkers Dayhome

Welcome back to the show! I hope you all enjoyed the holidays, now we're back to playing Atari 2600 games every two weeks until I screw something up. The first game of 2020 is the Activision Decathlon by the amazing David Crane. I hope you enjoy the show. Next up will be Moon Patrol by Atari, so if you have any feedback on that game, please send it to 2600gamebygame@gmail.com by the end of the day 26th January. Thanks so much for listening!

Brand new Discord server! Why
Decathlon on Random Terrain
David Crane article by Tony Tyler, Big K magazine April 1984
David Crane article by Colin Calvert, Hi-Res magazine January 1984
From the Digital Press Activision Patch page:
Decathlon Bronze patch
Letter with Bronze patch
Decathlon Silver patch
Letter with Silver patch
Decathlon Gold patch
Letter with Gold patch
Atari Age Decathlon with Driving controller thread
Atari Age Decathlon Training Suit thread
Decathlon glove on Atarimania
Bugler's Dream by Leo Arnaud

Lil Stinkers Dayhome

A year ago we brought SOMA to the Xbox One, and along with it the Safe Mode. The optional mode removed the hostility of enemies and let players explore Pathos-II in relative peace. Most players were pleased with it, and at best it meant that players that hadn't dared to traverse the Atlantic ocean floor before now had a chance to experience it.

Now finally releasing the Amnesia: Collection on Xbox One, and decided to also spice it up with a little treat. We bring you the polar opposite of the Safe Mode: the Hard Mode!

Amnesia: Collection will be released on Xbox One on the 28th of September, after which the mode will be available on Xbox and PC.

What is the Hard Mode?

It is really just as the title suggests: a mode that makes it harder to beat the game. You know, in case The Dark Descent wasn't stressful enough for you.
The Hard Mode has the following features:

- Autosaves are disabled, and manual saving costs 4 tinderboxes
- Sanity dropping to zero results in death
- Less oil and tinderboxes throughout the levels
- Monsters are faster, spot the player more easily, deal more damage and stay around for longer
- There is no danger music when the monsters are near.

So in summary: the environments are harsher, the monsters more unforgiving, insanity is deadly, and death is final – unless you pay a toll.

You can pick between normal mode and Hard Mode when starting a new game of Amnesia: The Dark Descent. The mode changes some fundamental elements of the game, and therefore can't be changed halfway through.

A Machine for Pigs and Justine do not feature this mode.

How does this affect achievements/trophies?

Beating the game on Hard Mode will earn you a new trophy called Masochist. Because, you know, you pretty much have to be one to complete the mode.

The mode affects the Illuminatus achievement, which you can't get during playing in Hard Mode as it reduces the amount of tinderboxes throughout the level.

The Masochist achievement.

Will it be on all platforms?

Yes! The Hard Mode will launch on Xbox and PC versions (Steam, GOG, Humble Bundle) simultaneously. We have started working on the PS4 version with our porting partner, and hope to have it out soon.

Extra

Want a Hard Mode wallpaper? Download a 4K version with and without the logo on our public Drive folder.

Lil Stinkers Dayhome

The end of an era is here. For 10 long years Frictional Games has used this blog for news about the games, hiring posts, and most importantly tips on tech and design.

After much consideration we have voted in favour of creating a more streamlined Frictional Games experience. In non-corporate talk that means that we have one website, and everything can easily be found on that one website.

Fear not, no information has been lost in the process! On the contrary, as the old posts have been transferred over, all the broken links and images have been fixed or removed.

Thank you Blogger – and thanks to every fan who has read, shared and commented. See you on our new website!

>>frictionalgames.com<<

For blog posts only: frictionalgames.com/category/feed/blog/

Lil Stinkers Dayhome

There are situations when c interacts with golang for example in a library, and its possible to exploit a golang function writing raw memory using an unsafe.Pointer() parameter.

When golang receive a null terminated string on a *C.Char parameter, can be converted to golang s tring with s2 := C.GoString(s1) we can do string operations with s2 safelly if the null byte is there.

When golang receives a pointer to a buffer on an unsafe.Pointer() and the length of the buffer on a C.int, if the length is not cheated can be converted to a []byte safelly with b := C.GoBytes(buf,sz)

Buuut what happens if golang receives a pointer to a buffer on an unsafe.Pointer() and is an OUT variable? the golang routine has to write on this pointer unsafelly for example we can create a golangs memcpy in the following way:

We convert to uintptr for indexing the pointer and then convert again to pointer casted to a byte pointer dereferenced and every byte is writed in this way.

If b is controlled, the memory can be written and the return pointer of main.main or whatever function can be modified.

https://play.golang.org/p/HppcVpLfuMf

The return addres can be pinpointed, for example 0x41 buffer 0x42 address:

We can reproduce it simulating the buffer from golang in this way:

we can dump the address of a function and redirect the execution to it:

https://play.golang.org/p/7htJHJp8gUJ

In this way it's possible to build a rop chain using golang runtime to unprotect a shellcode.

Let's get started

Luckily, you don't need any soldering skills for the first steps. Just connect the USB mini port to the bottom left connector on the badge, connect the other part of the USB cable to your computer, and within some seconds you will be able to see that the lights on your badge are blinking. So far so good.

Now, depending on which OS you use, you should choose your destiny here.

Linux

The best source of information about a new device being connected is

# dmesg

The tail of the output should look like

[267300.206966] usb 2-2.2: new full-speed USB device number 14 using uhci_hcd
[267300.326484] usb 2-2.2: New USB device found, idVendor=0403, idProduct=6001
[267300.326486] usb 2-2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[267300.326487] usb 2-2.2: Product: FT232R USB UART
[267300.326488] usb 2-2.2: Manufacturer: FTDI
[267300.326489] usb 2-2.2: SerialNumber: AC01U4XN
[267300.558684] usbcore: registered new interface driver usbserial_generic
[267300.558692] usbserial: USB Serial support registered for generic
[267300.639673] usbcore: registered new interface driver ftdi_sio
[267300.639684] usbserial: USB Serial support registered for FTDI USB Serial Device
[267300.639713] ftdi_sio 2-2.2:1.0: FTDI USB Serial Device converter detected
[267300.639741] usb 2-2.2: Detected FT232RL
[267300.643235] usb 2-2.2: FTDI USB Serial Device converter now attached to ttyUSB0

Dmesg is pretty kind to us, as it even notifies us that the device is now attached to ttyUSB0.

From now on, connecting to the device is exactly the same as it is in the macOS section, so please find the "Linux users, read it from here" section below.

macOS

There are multiple commands you can type into Terminal to get an idea about what you are looking at. One command is:

# ioreg -p IOUSB -w0 -l

With this command, you should get output similar to this:

+-o FT232R USB UART@14100000  <class AppleUSBDevice, id 0x100005465, registered, matched, active, busy 0 (712 ms), retain 20>
    |   {
    |     "sessionID" = 71217335583342
    |     "iManufacturer" = 1
    |     "bNumConfigurations" = 1
    |     "idProduct" = 24577
    |     "bcdDevice" = 1536
    |     "Bus Power Available" = 250
    |     "USB Address" = 2
    |     "bMaxPacketSize0" = 8
    |     "iProduct" = 2
    |     "iSerialNumber" = 3
    |     "bDeviceClass" = 0
    |     "Built-In" = No
    |     "locationID" = 336592896
    |     "bDeviceSubClass" = 0
    |     "bcdUSB" = 512
    |     "USB Product Name" = "FT232R USB UART"
    |     "PortNum" = 1
    |     "non-removable" = "no"
    |     "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBFamily.kext/Contents/PlugIns/IOUSBLib.bundle"}
    |     "bDeviceProtocol" = 0
    |     "IOUserClientClass" = "IOUSBDeviceUserClientV2"
    |     "IOPowerManagement" = {"DevicePowerState"=0,"CurrentPowerState"=3,"CapabilityFlags"=65536,"MaxPowerState"=4,"DriverPowerState"=3}
    |     "kUSBCurrentConfiguration" = 1
    |     "Device Speed" = 1
    |     "USB Vendor Name" = "FTDI"
    |     "idVendor" = 1027
    |     "IOGeneralInterest" = "IOCommand is not serializable"
    |     "USB Serial Number" = "AC01U4XN"
    |     "IOClassNameOverride" = "IOUSBDevice"
    |   }

The most important information you get is the USB serial number - AC01U4XN in my case.
Another way to get this information is

# system_profiler SPUSBDataType

which will give back something similar to:

FT232R USB UART:

          Product ID: 0x6001
          Vendor ID: 0x0403  (Future Technology Devices International Limited)
          Version: 6.00
          Serial Number: AC01U4XN
          Speed: Up to 12 Mb/sec
          Manufacturer: FTDI
          Location ID: 0x14100000 / 2
          Current Available (mA): 500
          Current Required (mA): 90
          Extra Operating Current (mA): 0

The serial number you got is the same.

What you are trying to achieve here is to connect to the device, but in order to connect to it, you have to know where the device in the /dev folder is mapped to. A quick and dirty solution is to list all devices under /dev when the device is disconnected, once when it is connected, and diff the outputs. For example, the following should do the job:

ls -lha /dev/tty* > plugged.txt
ls -lha /dev/tty* > np.txt
vimdiff plugged.txt np.txt

The result should be obvious, /dev/tty.usbserial-AC01U4XN is the new device in case macOS. In the case of Linux, it was /dev/ttyUSB0.

Linux users, read it from here. macOS users, please continue reading

Now you can use either the built-in screen command or minicom to get data out from the badge. Usually, you need three information in order to communicate with a badge. Path on /dev (you already got that), speed in baud, and the async config parameters. Either you can guess the speed or you can Google that for the specific device. Standard baud rates include 110, 300, 600, 1200, 2400, 4800, 9600, 14400, 19200, 38400, 57600, 115200, 128000 and 256000 bits per second. I usually found 1200, 9600 and 115200 a common choice, but that is just me.
Regarding the async config parameters, the default is that 8 bits are used, there is no parity bit, and 1 stop bit is used. The short abbreviation for this is 8n1. In the next example, you will use the screen command. By default, it uses 8n1, but it is called cs8 to confuse the beginners.

If you type:
# screen /dev/tty.usbserial-AC01U4XN 9600
or
# screen /dev/ttyUSB0 9600
and wait for minutes and nothing happens, it is because the badge already tried to communicate via the USB port, but no-one was listening there. Disconnect the badge from the computer, connect again, and type the screen command above to connect. If you are quick enough you can see that the amber LED will stop blinking and your screen command is greeted with some interesting information. By quick enough I mean ˜90 seconds, as it takes the device 1.5 minutes to boot the OS and the CTF app.

Windows

When you connect the device to Windows, you will be greeted with a pop-up.

Just click on the popup and you will see the COM port number the device is connected to:

In this case, it is connected to COM3. So let's fire up our favorite putty.exe, select Serial, choose COM3, add speed 9600, and you are ready to go!

You might check the end of the macOS section in case you can't see anything. Timing is everything.

The CTF

Welcome to the Hacktivity 2018 badge challenge!

This challenge consists of several tasks with one or more levels of
difficulty. They are all connected in some way or another to HW RE
and there's no competition, the whole purpose is to learn things.

Note: we recommend turning on local echo in your terminal!
Also, feel free to ask for hints at the Hackcenter!

Choose your destiny below:

  1. Visual HW debugging
  2. Reverse engineering
  3. RF hacking
  4. Crypto protection

Enter the number of the challenge you're interested in and press [

Excellent, now you are ready to hack this! In case you are lost in controlling the screen command, go to https://linuxize.com/post/how-to-use-linux-screen/.

I will not spoil any fun in giving out the challenge solutions here. It is still your task to find solutions for these.

But here is a catch. You can get a root shell on the device. And it is pretty straightforward. Just carefully remove the Omega shield from the badge. Now you see two jumpers; by default, these are connected together as UART1. As seen below.

But what happens if you move these jumpers to UART0? Guess what, you can get a root shell! This is what I call privilege escalation on the HW level :) But first, let's connect the Omega shield back. Also, for added fun, this new interface speaks on 115200 baud, so you should change your screen parameters to 115200. Also, the new interface has a different ID under /dev, but I am sure you can figure this out from now on.

If you connect to the device during boot time, you can see a lot of exciting debug information about the device. And after it boots, you just get a root prompt. Woohoo!

But what can you do with this root access? Well, for starters, how about running

# strings hello | less

From now on, you are on your own to hack this badge. Happy hacking.

Big thanks to Attila Marosi-Bauer and Hackerspace Budapest for developing this badge and the contests.

PS: In case you want to use the radio functionality of the badge, see below how you should solder the parts to it. By default, you can process slow speed radio frequency signals on GPIO19. But for higher transfer speeds, you should wire the RF module DATA OUT pin with the RX1 free together.

More info

In this post, we show a proof-of-concept attack that gives us root access to a victim's VM in the Cloud Management Platform OpenNebula, which means that we can read and write all its data, install software, etc. The interesting thing about the attack is, that it allows an attacker to bridge the gap between the cloud's high-level web interface and the low-level shell-access to a virtual machine.

Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.

An attacker needs the following information for a successful attack.

ID of the VM to attack
OpenNebula's VM ID is a simple global integer that is increased whenever a VM is instantiated. The attacker may simply guess the ID. Once the attacker can execute JavaScript code in the scope of Sunstone, it is possible to use OpenNebula's API and data structures to retrieve this ID based on the name of the desired VM or its IP address.
Operating system & bootloader
There are various ways to get to know a VMs OS, apart from simply guessing. For example, if the VM runs a publicly accessible web server, the OS of the VM could be leaked in the HTTP-Header Server (see RFC 2616). Another option would be to check the images or the template the VM was created from. Usually, the name and description of an image contains information about the installed OS, especially if the image was imported from a marketplace.
Since most operating systems are shipped with a default bootloader, making a correct guess about a VMs bootloader is feasible. Even if this is not possible, other approaches can be used (see below).
Keyboard layout of the VM's operating system
As with the VMs bootloader, making an educated guess about a VM's keyboard layout is not difficult. For example, it is highly likely that VMs in a company's cloud will use the keyboard layout of the country the company is located in.

Overview of the Attack

The key idea of this attack is that neither Sunstone nor noVNC check whether keyboard related events were caused by human input or if they were generated by a script. This can be exploited so that gaining root access to a VM in OpenNebula requires five steps:

Using CSRF, a persistent XSS payload is deployed.
The XSS payload controls Sunstone's API.
The noVNC window of the VM to attack is loaded into an iFrame.
The VM is restarted using Sunstone's API.
Keystroke-events are simulated in the iFrame to let the bootloader open a root shell.

Figure 1: OpenNebula's Sunstone Interface displaying the terminal of a VM in a noVNC window.

The following sections give detailed information about each step.

Executing Remote Code in Sunstone

In Sunstone, every account can choose a display language. This choice is stored as an account parameter (e.g. for English LANG=en_US). In Sunstone, the value of the LANG parameter is used to construct a <script> tag that loads the corresponding localization script. For English, this creates the following tag:

<script src="locale/en_US/en_US.js?v=4.6.1" type="text/javascript"></script>

Setting the LANG parameter to a different string directly manipulates the path in the script tag. This poses an XSS vulnerability. By setting the LANG parameter to LANG="onerror=alert(1)//, the resulting script tag looks as follows:

<script src="locale/"onerror=alert(1)///"onerror=alert(1)//.js?v=4.6.1" type="text/javascript"></script>

For the web browser, this is a command to fetch the script locale/ from the server. However, this URL points to a folder, not a script. Therefore, what the server returns is no JavaScript. For the browser, this is an error, so the browser executes the JavaScript in the onerror statement: alert(1). The rest of the line (including the second alert(1)) is treated as comment due to the forward slashes.

When a user updates the language setting, the browser sends an XMLHttpRequest of the form

{ "action" : { "perform" : "update", "params" : { "template_raw" : "LANG=\"en_US\"" } }}

to the server (The original request contains more parameters. Since these parameters are irrelevant for the technique, we omitted them for readability.). Forging a request to Sunstone from some other web page via the victim's browser requires a trick since one cannot use an XMLHttpRequest due to restrictions enforced by the browser's Same-Origin-Policy. Nevertheless, using a self-submitting HTML form, the attacker can let the victim's browser issue a POST request that is similar enough to an XMLHttpRequest so that the server accepts it.

An HTML form field like

<input name='deliver' value='attacker' />

is translated to a request in the form of deliver=attacker. To create a request changing the user's language setting to en_US, the HTML form has to look like

<input name='{"action":{"perform":"update","params":{"template_raw":"LANG' value='\"en_US\""}}}' />

Notice that the equals sign in LANG=\"en_US\" is inserted by the browser because of the name=value format.

Figure 2: OpenNebula's Sunstone Interface displaying a user's attributes with the malicious payload in the LANG attribute.

Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.

Prepare Attack on VM

Due to the overwritten language parameter, the victim's browser does not load the localization script that is required for Sunstone to work. Therefore, the attacker achieved code execution, but Sunstone breaks and does not work anymore. For this reason, the attacker needs to set the language back to a working value (e.g. en_US) and reload the page in an iFrame. This way Sunstone is working again in the iFrame, but the attacker can control the iFrame from the outside. In addition, the attack code needs to disable a watchdog timer outside the iFrame that checks whether Sunstone is correctly initialized.

From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.

Compromising a VM

Using the Sunstone API the attacker can issue a command to open a VNC connection. However, this command calls window.open, which opens a new browser window that the attacker cannot control. To circumvent this restriction, the attacker can overwrite window.open with a function that creates an iFrame under the attacker's control.

Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.

Getting Root Access to VM

To get root access to a VM the attacker can reboot a victim's VM using the Sunstone API and then control the VM's bootloader by interrupting it with keystrokes. Once the attacker can inject commands into the bootloader, it is possible to use recovery options or the single user mode of Linux based operating systems to get a shell with root privileges. The hardest part with this attack is to get the timing right. Usually, one only has a few seconds to interrupt a bootloader. However, if the attacker uses the hard reboot feature, which instantly resets the VM without shutting it down gracefully, the time between the reboot command and the interrupting keystroke can be roughly estimated.

Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.

A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.

Lil Stinkers Blog

Tuesday, September 22, 2020

Oceanhorn Is Coming To Android - Steam Mac Version Out Now!

Monday, September 21, 2020

Welcome To My Process (Part 2)

Saturday, September 12, 2020

AZ 030, The Activision Decathlon!

What Is Amnesia’s Hard Mode?

Friday, September 4, 2020

We Are Moving!

Monday, August 31, 2020

Exploiting Golang Unsafe Pointers

Related articles

Sunday, August 30, 2020

Hacktivity 2018 Badge - Quick Start Guide For Beginners