Monday, December 29, 2008

PSI remote integer overflow

I once scanned myself from the internet, and port 8010/tcp was detected:
my PSI jabber file transfer service was exposed to the internet.

Then I fuzzed this service and found a nice DoS.

A signed integer check lets you crash remote PSI clients, and I think it is not possible to overflow the heap, because the destination buffer is reallocated to the same number of bytes that will be copied.

I reported it to the developers, and they gave me the OK to publish the advisory:

advisory
exploit

Be careful with the services you are exposing to the internet, and be careful with your client applications (browser, jabber, msn, email client ...)

code has bugs ;)

Monday, December 01, 2008

Ksec - my Linux Defense System

Kernel viruses/rootkits are difficult to detect, but admins change the kernel frequently and then the attacker loses the rootkit.

People infect user-space, and pre-root attacks also happen in user-space, so a system that logs dangerous user-space activity is very useful.

A year ago I coded a defense system that is now public.
It is simple but useful: I hook open, socketcall, execve and unlink. For example, if your "ls" is connecting to the internet you will see:

Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)

If your ls is opening a file for writing:

Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)

try the Defense System here
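The log lines above are only useful if something reads them. As an added example (not part of Ksec), here is a small reviewer for that "comm OP(args)" format that flags the two cases shown: a binary that should never talk to the network doing CONNECT, and a write-open under a hidden dot path. The allowlist and the sample lines are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of Ksec: a small reviewer for Ksec-style log lines in the
 * "comm OP(args)" form shown above. It flags a binary that has no business talking
 * to the network doing CONNECT, and a write-open under a hidden (dot) path. The
 * allowlist and the sample lines are constructed for the demo. */
static const char *net_allowed[] = { "wget", "curl", "ssh", "firefox", NULL };

int net_expected(const char *comm)
{
    for (int i = 0; net_allowed[i]; i++)
        if (strcmp(comm, net_allowed[i]) == 0) return 1;
    return 0;
}

/* Returns 1 and fills `why` when the line looks suspicious, 0 otherwise. */
int ksec_suspicious(const char *line, char *why, size_t whysz)
{
    const char *p = strstr(line, "kernel: ");
    char comm[32], op[16], args[256];
    size_t n;
    if (!p || sscanf(p + 8, "%31s %15[A-Z](%255[^)])", comm, op, args) != 3) return 0;
    if (strcmp(op, "CONNECT") == 0 && !net_expected(comm)) {
        snprintf(why, whysz, "%s is not expected to connect out: %s", comm, args);
        return 1;
    }
    /* OPEN args look like "/path w": write mode plus a hidden component such as /.sniff */
    n = strlen(args);
    if (strcmp(op, "OPEN") == 0 && n > 2 && args[n - 2] == ' ' && args[n - 1] == 'w'
        && strstr(args, "/.")) {
        snprintf(why, whysz, "%s writes a hidden file: %s", comm, args);
        return 1;
    }
    return 0;
}

/* Run the check over a constructed sample built around the two lines from the page. */
int count_alerts(void)
{
    static const char *sample[] = {
        "Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)",
        "Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)",
        "Dec 1 13:45:02 pwn3d kernel: wget CONNECT(10.0.0.5:80 fam:2)",
        "Dec 1 13:45:10 pwn3d kernel: vi OPEN(/home/user/notes.txt w)",
    };
    int alerts = 0;
    char why[320];
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        if (ksec_suspicious(sample[i], why, sizeof why)) {
            alerts++;
            printf("ALERT: %s\n", why);
        }
    return alerts;
}
```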

Friday, October 03, 2008

mIRC 6.34 (latest) Remote Overflow

When a PRIVMSG arrives, the vulnerable function is called to copy the nickname to a buffer:

Let's see the pseudocode of the call: (dest, bytes to copy, src)

Let's see the vulnerable memory zero fill:

ESI is the "bytes to copy"; we don't take the jump because it is greater than 10, and then ...
the first rep starts writing 0x00 at [edi++] ecx times (309 times), so we overwrite other variables and run out of the page.

Exploitation vector: the nick. Well, you must be the server, because servers don't allow long nicknames. (a PRIVMSG with a 315-byte nick -> DoS)

Tuesday, July 15, 2008

gdb seek macros

I have coded some basic but useful gdb macros for searching for strings and addresses.

get it here: my .gdbinit

Here is a bzip2 compressed mpeg video: demo

Usage:
with these macros, $base in your gdb is 0x08048000 by default

(gdb) gob --> execute step by step until you get into a 0x0804**** addr (or another $base)

(gdb) seek $base "hello" --> seek hello from $base to $base+0xffff
$1 = "found:"
$2 = 0x8048480
$3 = "found:"
$4 = 0x8049480
$5 = "found:"
$6 = 0x804a008
^C

(gdb) seekRef $base 0x8048480 --> seek addresses that point to the 0x8048386 address
--> in this case, ptrs that point to the "hello" address
$7 = "found"
$8 = 0x80485a0
$9 = "found"
$10 = 0x80495a0
^C

(gdb) seekRef $base 0x80485a0 --> let's
(gdb) seekRef $base 0x80495a0
$11 = "found"
$12 = 0x8048386
$13 = "found"
$14 = 0x8049386
^C


NOTE: the macros can be stopped with ^C; they don't stop at the first occurrence.
TODO: Identify sections (for now this can be done manually with (gdb) maint info sections)
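To make the semantics of the two macros concrete, here is an added example (my own code, not the .gdbinit linked above) that does the same two searches over an in-memory byte image instead of live process memory and walks the string -> pointer -> pointer-to-pointer chain from the session. The image layout (BASE+0x480, +0x5a0, +0x386) is constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not the author's .gdbinit: the two searches seek/seekRef perform, run
 * over an in-memory byte image instead of live process memory. BASE plays the role of
 * $base; pointers are 32-bit little-endian like the i386 addresses above. The image is
 * constructed: "hello" at BASE+0x480, a pointer to it at BASE+0x5a0 and a pointer to
 * that pointer at BASE+0x386, i.e. the chain the session above walks. */
#define BASE     0x08048000u
#define IMG_SIZE 0x1000

/* seek: every address in [base, base+len) where `needle` starts. Returns the hit count. */
int seek_str(const uint8_t *img, uint32_t base, size_t len, const char *needle,
             uint32_t *hits, int max)
{
    size_t nl = strlen(needle); int n = 0;
    for (size_t off = 0; off + nl <= len; off++)
        if (memcmp(img + off, needle, nl) == 0 && n < max)
            hits[n++] = base + (uint32_t)off;
    return n;
}

/* seekRef: every address whose 4-byte little-endian value equals `target`; scans every
 * byte offset, so unaligned pointers are found as well. */
int seek_ref(const uint8_t *img, uint32_t base, size_t len, uint32_t target,
             uint32_t *hits, int max)
{
    int n = 0;
    for (size_t off = 0; off + 4 <= len; off++) {
        uint32_t v = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
                     (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
        if (v == target && n < max)
            hits[n++] = base + (uint32_t)off;
    }
    return n;
}
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Build the image and follow string -> pointer -> pointer-to-pointer, as in the session.
 * Returns the last address found (expected BASE+0x386), or 0 if any step fails. */
uint32_t follow_chain(void)
{
    static uint8_t img[IMG_SIZE]; uint32_t h[8];
    memset(img, 0, sizeof img);
    memcpy(img + 0x480, "hello", 6);
    put32(img + 0x5a0, BASE + 0x480);
    put32(img + 0x386, BASE + 0x5a0);
    if (seek_str(img, BASE, IMG_SIZE, "hello", h, 8) != 1) return 0;
    if (seek_ref(img, BASE, IMG_SIZE, h[0], h, 8) != 1) return 0; /* who points at "hello"? */
    if (seek_ref(img, BASE, IMG_SIZE, h[0], h, 8) != 1) return 0; /* who points at that pointer? */
    return h[0];
}
```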

Wednesday, June 25, 2008

Erasing or Blocking logs remotely

On Monday I dreamt up some new web-hacking techniques; now I only remember one:

If you write an EICAR string, a loveletter signature or any other virus fingerprint in the URL, the antivirus blocks or deletes the log files; the log file can also be sent to the AV company if you write a suspicious pattern.

ex: http://web.com/index.php?<virus pattern>


What about inserting these patterns in the DB? If you register on a website and submit the pattern into the DB, maybe some DB files will be blocked or deleted by the antivirus.

This can also be a vector for exploiting some local AV flaws.

NOTE: only Panda detects EICAR strings that are not at the beginning of the file; other patterns must be used.

Monday, June 16, 2008

Linux remote null pointer dereference (CVE-2007-2876)

The Linux netfilter connection tracking new_state() function has a vulnerability that is exploitable remotely.

sctp_new():

    newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
    if (newconntrack == SCTP_CONNTRACK_MAX) {
        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
        return 0;
    }

MAX is not allowed, but CONNTRACK_NONE shouldn't be allowed either.

    conntrack->proto.sctp.state = newconntrack;

The state will be zero.

sctp_packet(), when computing the verdict for the packet, picks up that state 0:

    oldsctpstate = conntrack->proto.sctp.state;
    newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);

And then it dereferences a null ptr:

    nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

because sctp_timeouts[SCTP_CONNTRACK_NONE] is NULL; that state has no timeout entry:

    static unsigned int *sctp_timeouts[] = {
        NULL,                                  /* SCTP_CONNTRACK_NONE */
        &nf_ct_sctp_timeout_closed,            /* SCTP_CONNTRACK_CLOSED */
        &nf_ct_sctp_timeout_cookie_wait,       /* SCTP_CONNTRACK_COOKIE_WAIT */
        &nf_ct_sctp_timeout_cookie_echoed,     /* SCTP_CONNTRACK_COOKIE_ECHOED */
        &nf_ct_sctp_timeout_established,       /* SCTP_CONNTRACK_ESTABLISHED */
        &nf_ct_sctp_timeout_shutdown_sent,     /* SCTP_CONNTRACK_SHUTDOWN_SENT */
        &nf_ct_sctp_timeout_shutdown_recd,     /* SCTP_CONNTRACK_SHUTDOWN_RECD */
        &nf_ct_sctp_timeout_shutdown_ack_sent  /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
    };


To exploit this you have to create:
socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
and set the sockopt SCTP_STATUS to zero.

Because this option is read-only, you will need to construct the raw SCTP packet :)

The victim must have an SCTP service, and the oops probably doesn't crash the system.
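The following is an added example (my own cut-down model, not the kernel's code) that reproduces the logic above in user space: the sctp_timeouts table with its NULL first slot, a sctp_new() that rejects only SCTP_CONNTRACK_MAX, the hardened variant that also refuses SCTP_CONNTRACK_NONE, and the sctp_packet() lookup that would dereference the NULL slot. The transition rules and chunk types are constructed for the demo and are not the kernel's state table.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the kernel's code: a cut-down model of the netfilter SCTP
 * conntrack path described above. State names follow the page; the transition
 * rules and chunk types below are constructed for the demo. */
enum { SCTP_CONNTRACK_NONE, SCTP_CONNTRACK_CLOSED, SCTP_CONNTRACK_COOKIE_WAIT,
       SCTP_CONNTRACK_ESTABLISHED, SCTP_CONNTRACK_MAX };
enum { CHUNK_DATA = 0, CHUNK_INIT = 1, CHUNK_BOGUS = 200 };

static unsigned int t_closed = 10, t_cookie_wait = 3, t_established = 432000;
/* Same shape as the kernel table quoted above: slot 0 (NONE) is NULL. */
static unsigned int *sctp_timeouts[] = { NULL, &t_closed, &t_cookie_wait, &t_established };

/* Constructed stand-in for new_state(): INIT on a fresh flow -> COOKIE_WAIT, any other
 * known chunk keeps the current state, unknown chunk types -> SCTP_CONNTRACK_MAX. */
static int new_state(int cur, int chunk)
{
    if (chunk > 100) return SCTP_CONNTRACK_MAX;
    if (cur == SCTP_CONNTRACK_NONE && chunk == CHUNK_INIT) return SCTP_CONNTRACK_COOKIE_WAIT;
    return cur;
}

/* sctp_new() as on the page (rejects MAX only) or hardened (rejects NONE as well).
 * Returns 1 when a conntrack entry is created and stores its state. */
int sctp_new_model(int chunk, int hardened, int *state)
{
    int ns = new_state(SCTP_CONNTRACK_NONE, chunk);
    if (ns == SCTP_CONNTRACK_MAX) return 0;
    if (hardened && ns == SCTP_CONNTRACK_NONE) return 0; /* NONE is not a trackable state */
    *state = ns;
    return 1;
}

/* The next packet on the flow goes through sctp_packet(): 1 means nf_ct_refresh_acct()
 * would dereference the NULL slot of sctp_timeouts (the oops), 0 means a valid timeout. */
int flow_oopses(int chunk, int hardened)
{
    int state, ns;
    if (!sctp_new_model(chunk, hardened, &state)) return 0; /* no entry, nothing to refresh */
    ns = new_state(state, chunk);
    if (ns == SCTP_CONNTRACK_MAX) return 0;
    return sctp_timeouts[ns] == NULL;
}

int main(void)
{
    printf("DATA-first flow, vulnerable: oops=%d\n", flow_oopses(CHUNK_DATA, 0));
    printf("DATA-first flow, hardened:   oops=%d\n", flow_oopses(CHUNK_DATA, 1));
    printf("INIT-first flow, vulnerable: oops=%d\n", flow_oopses(CHUNK_INIT, 0));
    return 0;
}
```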

Sunday, June 08, 2008

kernel hacking

I haven't tried every kernel debugger for Linux, but the most decent thing I have found for displaying structures is ddd connected over tap0 to qemu in -s mode.


1. Download the sources of the kernel to debug

We enable the following in the kernel .config.
Since we will debug this kernel under qemu, we can have all the debug options enabled, mainly these:

.config
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_PAGEALLOC=y

we compile with make

2. We need to generate an image.img with dd, format it (e.g. ext2) and create a Linux subsystem in it, for example with a Debian debootstrap :)

mount it:
modprobe loop
mount image.img img/ -o loop

if the loop driver doesn't load, you surely have it somewhere, look for it ;)


3. qemu

We have the disk image image.img, the compressed kernel bzImage and the uncompressed vmlinux.
We boot qemu with the disk image and the bzImage:

qemu -boot c -kernel linux-2.6.*.*/arch/i386/boot/bzImage -hda ./image.img -append "root=/dev/hda clock=pit" -s

the -s enables the kernel debug mode on port 1234


4. ddd or gdb

ddd has the advantage that we can draw the structures.

Start ddd with the freshly compiled vmlinux (bzImage won't work):
ddd vmlinux

(gdb) target remote localhost:1234

let's check it:
(gdb) b sys_open
(gdb) c

try for example a simple ls, which will invoke the open syscall

Now with ddd we can display any structure, e.g.:



kernel developer sha0wiki