Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Applied Cash Eviction through ATM Exploitation- 231

Trey Keown and Brenda So - Red Balloon
Posted 5 Years Ago
  • Who doesn't want to get all of the money out of an ATM!? Clearly, this is the hacker's dream.
  • The most impressive part of this talk was the reverse engineering of the ATM and just getting the thing to work!
  • The first step to reversing is figuring out what is on the device. Originally, they desoldered the chip on the ATM but eventually broke it. However, they found out the firmware was publicly exposed and ready for download. Additionally, the device had an exposed JTAG interface which worked quite well. Moral of the story: try the easy stuff first!
  • Now that they knew how the device worked (after reversing the firmware), they wanted to be able to run their own custom code on it. So, they decided to alter the kernel DLLs so that the signature validation just returned true.
  • However, the ATM still did not work :( . They realized that the payment processor was not hooked up to the ATM. In order to get the ATM to work, they had to reverse engineer the Triton protocol and write their own server to interpret the traffic and communicate with the ATM.
  • What else can we do? They created a custom OS to put on the ATM and several things running, including their CTF and DOOM (of course).
  • The first thing an attacker should probably do is see what external services are exposed on it. They noticed a Remote Management Service (RMS).
  • They decided to fuzz this (via boofuzz) and found a buffer overflow caused by a static buffer. How did they know what had happened? They could see the crashes occurring over the JTAG interface.
  • With NO ASLR or NX bit on Windows CE, it was easy to write shellcode to take control of the device over the RMS interface.
  • From reviewing the registry keys, they found out what some of the other open ports actually did. They found an XFS (eXtensions for Financial Services) interface. They smelled money and decided to take on this interface!
  • They needed to intercept the communication (which would be easy with Wireshark, but there is NO Wireshark on Windows CE). So, they had to use JTAG to hook into the socket information in order to sniff the traffic. However, the traffic was not easy to make sense of.
  • Good thing it is trivial to replay packets! They eventually reversed the XFS interface and wrote Python scripts to communicate over XFS. You can run any XFS command on the device! :) This means you can dump all of the money out of the ATM!
  • Overall, amazing research and reverse engineering of the ATM. It was a crazy amount of effort to just get the thing working!