xchg eax, eax

Security | 2009-09-22 20:10:55

So I'm currently studying for my Advanced Diploma of Network Security after completing my Diploma of Network Engineering about 12 months ago. As part of my course I will be studying CEH, however I've decided to get a jump on things by integrating security into all my other subjects. I pulled out the long-neglected EEE PC 701 that I was given as part of finishing my NE course and worked on CCNA Security and CCNA Wireless.

Here's a pretty simple guide to getting the 701 up and running with a persistent BackTrack 3 on USB, fingerprinting with Kismet and cracking WEP with wesside-ng.

Firstly I followed the persistent usb details outlined at:

  • http://forums.remote-exploit.org/tutorials-guides/14486-bt3-usb-persistent-changes-using-linux.html

Secondly, each time you want to inject packets or use Kismet, recreate the madwifi VAP in monitor mode by running the following:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

To run Kismet you will have to modify the following file. If you're running BT3 live without persistence you will have to do this every time.

Edit /usr/local/etc/kismet.conf and change source to:

source=madwifi_g,wifi0,wifi0

Finally, I won't record another WEP video like every other person on the net. Just run the following, where MAC is the BSSID of the target AP (Kismet shows it to you):

wesside-ng -i ath0 -v MAC

Next I plan on running easside-ng for those networks where something doesn't go right (occasionally). I'll throw the details up for that when I've done it.



Networking | 2009-04-10 19:59:55

Well, I’ve been having issues with my SIP registration from iiNet working within Cisco CME.

When doing a debug ccsip all, it appeared that I wasn't receiving a SIP INVITE, and that I would constantly throw out REGISTERs but not hear anything back.

Yesterday I started thinking that maybe there was something in my firewall ACL that was blocking the connection, but when I looked at it I couldn't see anything wrong with it. I decided to add permit tcp any any eq 5060 just to make sure things were happening, and then I saw this response:

10 permit tcp any any eq 5060 (18 matches)

So things were happening but something still wasn't right.

I had spent most of the day looking over the config and trying different solutions around the net but nothing helped. This morning I decided to revisit the config and started with the ACLs. Then I noticed this.

240 deny udp any any eq 1024 (128 matches)

I had borrowed an ACL from our work access layer switches, designed to filter out commonly used virus ports and this was one of the entries. It looked like the SIP response from iiNet was replying on udp port 1024 for the INVITE message which was of course blocked. As soon as I removed this registration went straight through and calls started routing.

Hope this helps save the headaches that I had.
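As an added example (not part of the original post), here is a small first-match evaluator for numbered ACL entries, run over the two entries quoted above plus an assumed permit ip any any at the end. It shows why the reply arriving on udp/1024 was dropped even though tcp/5060 was permitted at the top, and what a narrower fix than deleting the entry looks like. The addresses (RFC 5737 documentation ranges), sequence numbers 230 and 1000, and the "fixed" variant are assumptions of mine, not the post's configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the post: a first-match evaluator for IOS-style
# numbered ACL entries. Addresses below are constructed documentation
# addresses (RFC 5737), not iiNet's.


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str = "any"            # "any" or a host/network such as "203.0.113.0/24"
    dst: str = "any"
    eq: Optional[int] = None    # destination port, like IOS "eq <port>"
    matches: int = 0            # counter, like "(N matches)" in show access-lists


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.eq is not None and ace.eq != pkt.dport:
        return False
    return _addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, seq) of the first matching entry in sequence order.
    No match at all is the implicit deny at the end of every IOS ACL."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _ace_matches(ace, pkt):
            ace.matches += 1
            return ace.action, ace.seq
    return "deny", None


PROVIDER = "203.0.113.10"   # constructed stand-in for the SIP registrar
ROUTER = "192.0.2.1"        # constructed stand-in for the CME router's WAN address


def borrowed_acl() -> list:
    """The inbound ACL as the post describes it: the tcp/5060 permit added at the
    top, the access-layer 'virus port' denies in the middle, permit ip any any at
    the end. Only the two entries quoted in the post are reproduced; the tail is assumed."""
    return [
        Ace(10, "permit", "tcp", eq=5060),
        Ace(240, "deny", "udp", eq=1024),
        Ace(1000, "permit", "ip"),
    ]


def fixed_acl() -> list:
    """Same list with the registrar's UDP replies permitted ahead of the blanket
    deny, so the 'virus port' entry still applies to everyone else (my suggestion)."""
    acl = borrowed_acl()
    acl.insert(1, Ace(230, "permit", "udp", src=PROVIDER, dst=ROUTER))
    return acl


# Constructed traffic: the SIP reply the post saw arriving on udp/1024, and an
# unrelated UDP probe to the same port that should still be dropped.
SIP_REPLY = Packet("udp", PROVIDER, 5060, ROUTER, 1024)
STRAY_PROBE = Packet("udp", "198.51.100.7", 40000, ROUTER, 1024)

if __name__ == "__main__":
    for name, acl in (("borrowed", borrowed_acl()), ("fixed", fixed_acl())):
        print(name, "SIP reply ->", evaluate(acl, SIP_REPLY),
              "stray probe ->", evaluate(acl, STRAY_PROBE))
```

On the router the narrower fix is a permit udp host <registrar> host <router> entry placed before sequence 240 rather than deleting the deny, so the blanket block keeps applying to everyone else. Because IOS stops at the first matching entry, the per-entry counters in show access-lists tell you which line actually decided a packet, which is exactly the clue that the (128 matches) on sequence 240 gave away.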



IT | 2009-01-22 04:22:22

Recently I purchased the Blackberry Storm which is exclusive to Vodafone here in Australia.

I have had some problems finding the initialisation commands for Vodafone in Australia.

Here is the process.

Installing the Blackberry Storm will install 3 modems:
– Standard 33600 bps Modem
– Standard 33600 bps Modem #2
– Standard Modem

Leave the first two alone, but under the standard modem in the advanced properties, enter:

+cgdcont=,,"vfinternet.au"

Next create a new manual internet connection; when it asks for a phone number enter *99#, and leave the username and password blank.

Open up the Blackberry Desktop Manager, connect to the new connection and away you go 🙂



Security | 2008-12-23 03:53:07

I found a great quote on the Ubuntu security forums today.

I have been toying with the idea of setting up SNORT and managed AV and found this at the beginning of the tutorial.

“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger

This quote so easily spells out the best approach to IT security.

Genius.



Networking | 2008-12-01 01:10:23

//EDIT
Fixed, see above posts.

//EDIT
It looks like something is wrong in this config. CME works perfectly, however the SIP registration fails; for some reason I never receive a SIP INVITE. So be wary when using this config.

I have had my Cisco 2621XM working with Call Manager Express for some time now, and have had calls routing through iiNet's SIP servers, however recently I lost some configuration and had to rebuild it again.

So I have decided to post it up here.

Note that this is only the SIP and CME configuration and heaps more is needed to actually run the router.


aaa authentication login LOCAL_AUTH local
aaa session-id common
!
ip dhcp pool p900
network 10.5.0.0 255.255.0.0
dns-server 203.0.178.191
default-router 10.5.0.1
option 150 ip 10.5.0.1
domain-name cme
!
voice service voip
sip
localhost dns:iinetphone.iinet.net.au
!
!
voice class codec 1
codec preference 1 g729br8
voice translation-rule 1
rule 1 /02XXXXXXXX/ /02XXXXXXXX/
rule 2 /XXXXXXXX/ /02XXXXXXXXX/
!
voice translation-rule 2
rule 1 /02XXXXXXXX/ /XXXXXXXX/
!
!
voice translation-profile Incoming_Number
translate called 2
!
voice translation-profile Outgoing_Number
translate calling 1
!
tftp-server flash:P00308000400.bin
tftp-server flash:P00308000400.loads
tftp-server flash:P00308000400.sb2
tftp-server flash:P00308000400.sbn
!
sccp ccm 10.5.0.1 identifier 1
!
sccp ccm group 1
associate ccm 1 priority 1
!
!
dial-peer voice 1 voip
description STD Calls
translation-profile incoming Incoming_Number
translation-profile outgoing Outgoing_Number
destination-pattern .T
voice-class codec 1
session protocol sipv2
session target dns:sip.nsw.iinet.net.au
dtmf-relay sip-notify rtp-nte
no vad
!
!
sip-ua
authentication username 02XXXXXXXX password XXXX realm iinetphone.iinet.net.au
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 300
mwi-server dns:sip.nsw.iinet.net.au expires 3600 port 5060 transport udp unsolicited
registrar dns:sip.nsw.iinet.net.au expires 3600
sip-server dns:sip.nsw.iinet.net.au
!
!
telephony-service
load 7960-7940 P00308000400
max-ephones 5
max-dn 5
ip source-address 10.5.0.1 port 2000
system message CCM4
time-format 24
date-format dd-mm-yy
voicemail 9999
mwi relay
max-conferences 4 gain -6
moh flash:music-on-hold.au
web admin system name XXXX XXXX
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern ....
directory entry 1 0001 name XXXX
create cnf-files version-stamp 7960 Oct 14 2008 07:28:46
!
!
ephone-dn  1  dual-line
number 02XXXXXXXX
label Main Phone
description Main Phone
name Main Phone
no huntstop
!
!
ephone  1
description Home 7940
mac-address 0011.93B6.CE9C
speed-dial 1 04XXXXXXXX label XXXX
type 7940
button  1:1


Networking | 2008-10-12 21:04:20

As part of my current job, I manage IP telephony for a building with about 600 endpoints.

In .AU we go from +10GMT to +11GMT for daylight savings, which comes into effect the first Sunday of October. When we swapped over the times for daylight savings we noticed that some of the phones pull time from different sources. I searched for a definitive answer but couldn't find one in time.

Here is what we experienced. We run Cisco Call Manager 4.2(3)sr3a. The 7970s and 7975s pull time directly from the Windows taskbar time. So whatever time is showing on the taskbar is the time that will be shown on the 70s and 75s. The 7906, 7940 and 7960 are a bit different. They seemed to pull the time from the CCM Date/Time group. The DT group is influenced by the Windows time, however the DTG will apply DST automatically.

This is what we experienced. If Windows was set at +10GMT and the DTG was also set at +10GMT (both in the Sydney TZ) and the time was 1PM, the 7X's would show 1PM but all other phones would show 2PM. This is because the DT group thinks "hey, Windows is +10GMT but I know we're in DST, so I will apply another hour".

We were worried about placing either the Windows or CCM time in different TZ’s for logging reasons. If something was to happen down the track, the logs still need to reflect the right time.

I believe that these inconsistencies may have been caused by a number of factors inclusive of old firmware versions and windows patches not being applied. However due to this being a production network, upgrades on the fly are risky to do.

The fix here was to apply +10GMT(Syd) to Windows, set at the right time, and also +10GMT to CCM, but place it in the Brisbane TZ. This removed the errors as Brisbane does not participate in DST, but also kept both times at +10 to satisfy the logs.

Hope this helps someone.



Security | 2008-02-03 23:20:04

The other day whilst browsing OC I came across a readable code of the PHP/Obfu.A IRC bot. I’m not sure whether the user contributed the actual readable code or had edited one of the obfuscated versions, but I decided to take a look at it.

It seems that PHP/Obfu.A was detected on the 30th of Jan 08 by two sources:

  • http://www.f-secure.com/weblog/archives/00001371.html
  • http://www.teamfurry.com/wordpress/2008/01/30/php-based-IRC-botnet-fast-flux-of-course/

Obfu.A is an RFI IRC bot: it relies on remote file inclusion vulnerabilities in PHP applications to get the compromised site to fetch and execute a remote PHP script. That script then joins an IRC server (or in this case a number of IRC servers) and is controllable by the bot-master. It is heavily obfuscated, including the variable names and the server settings.

For more information on RFI exploits, see:

  • http://www.offensivecomputing.net/?q=node/624
  • http://en.wikipedia.org/wiki/Remote_File_Inclusion

I was about to test the usability of the code, but found that all settings (server details, passwords etc.) were stored encrypted, to obfuscate the code further. The script included a decryption function using a simple keyed cipher (each byte is shifted by one byte of a fixed key, and the result is wrapped in base64), but had no function to encrypt. I set about analysing the decryption process and reversed it to create an encryption routine so the bot would be usable in my tests.

Here's the original decrypt code:

function decrypt_settings($input)
{
    $output = '';
    // Settings are stored base64-encoded; undo that first.
    $input = base64_decode($input);
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        // Pick one byte of the fixed 113-byte key (decoded from the base64 blob on every
        // pass). The "- 1" gives index -1 on the first pass, which substr() reads as
        // "last character of the key"; the modulo makes the key repeat for long inputs.
        $offset_character = substr(
            decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj" .
                   "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="),
            ($i % strlen(decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQ" .
                                "hQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="))) - 1,
            1
        );
        // Subtract the key byte from the ciphertext byte to recover the plaintext byte.
        $character = chr(ord($character) - ord($offset_character));
        $output .= $character;
    }
    return $output;
}

// base64-decode the key blob (after stripping any spaces the author may have inserted).
function decode($input)
{
    $input = base64_decode(remove_spaces($input));
    return $input;
}

function remove_spaces($input)
{
    $input = str_replace(" ", "", $input);
    return $input;
}

Those functions are called by something like decrypt_settings($settings['mo']). In this case 'mo' in the array had the value cqtrig==.

Let's take a look at what it's doing. First the function is called, and $input receives the encrypted string. $input is then base64 decoded. Base64 is an encoding, not encryption (anyone can reverse it without a key); PHP provides base64_encode() and base64_decode() for it. We will work with the encrypted string cqtrig==.

The base64 decoded value is the four bytes 72 AB 6B 8A, which display as r«kŠ (Windows-1252) and mean nothing to us so far.

Next is the for loop, which says: increment $i while $i is still less than the length of the $input string, which in this case is 4 bytes, so the loop runs 4 times.

$character takes the value of each byte in turn, so on the first pass through the for loop it will contain r, on the second «, and so on.

Then we find the $offset_character. At this point it is easiest to read if we base64 decode the M0Ah..... string, which gives the 113-character key:

3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE

Now the substr function returns a portion of a string, defined by a starting point and how many characters to take: substr(string $string, int $start [, int $length]).
3@!#!..... is our string.

The starting point is computed by another expression, ($i % strlen(decode("M0Ah....."))) - 1. The % operator gives the remainder of $i divided by the key length, which is 113, so the start index is ($i mod 113) - 1. For the first 113 bytes of input this is simply one less than $i; after that it wraps around and the same key bytes are reused. substr then takes one character at that index. So if $i is 26, substr returns the 26th character (index 25) of the key 3@!#!.....

On the first pass through the for loop $i = 0, so the start index is -1: $offset_character = substr("3@!#!.....", -1, 1). A negative start makes substr count from the end of the string, so on the first pass $offset_character is E, the last character of the key. On the second pass (index 0) it is 3, on the third (index 1) @, on the fourth (index 2) !, and so on.

So back to our example of r«kŠ,
Pass one through the for loop:
$character = r
$offset_character = E
Pass two through the for loop:
$character = «
$offset_character = 3
Pass three through the for loop:
$character = k
$offset_character = @
Pass four through the for loop:
$character = Š
$offset_character = !

Now that we have $character and $offset_character filled in, they are put through this: $character = chr(ord($character) - ord($offset_character))

Let's simplify it: ord($character) - ord($offset_character). ord is a built-in PHP function which returns the byte (ASCII) value of a character. I found a decent ASCII table here:

  • http://pages.videotron.com/cdao/ASCII.htm

So for r and E in our example, r = 114 and E = 69, so 114 - 69 = 45. Now in our function $character = chr(45). chr is a built-in PHP function which returns the character for a byte value; in this case 45 is - (a hyphen).

So at the end of the first pass $character equals -, which is then appended to $output by $output .= $character;

The remaining passes work the same way: « (171) - 3 (51) = 120 = x, k (107) - @ (64) = 43 = +, and Š (138) - ! (33) = 105 = i. After the four passes of the for loop we get -x+i, which is our decrypted setting!
In PHP/Obfu.A -x+i is used as the channel mode. The same process applies to all the settings.

Now we know it decrypts the settings, how about encrypt?

This is what we have so far: r minus E gives -, or 114 - 69 = 45.
To encrypt, r is our unknown (x), so x - E = -, or x - 69 = 45.
Using maths (:o!) we can find x: x = 45 + 69, therefore x = 114, which is r.

Now the fun part, rearranging the PHP to encrypt. We will reuse the decryption function and just move some things, as most of it stays the same.

Since we're starting off with what we want to encrypt, we don't need to base64 decode it, so we can remove $input = base64_decode($input). The for loop stays the same, as we're using the same key and the same indexing.
When it comes to $character = chr(ord($character) - ord($offset_character)), we now want to add the key byte to get our encrypted value, so it becomes $character = chr(ord($character) + ord($offset_character));

Finally we want to base64 encode the entire string, not the individual characters. This is because the first thing decryption does is base64 decode the string, so encryption must finish by base64 encoding it. To apply it to the whole string, it has to sit outside the for loop.

The final encrypt function should look like this:

function encrypt_settings($input)
{
    $output = '';
    // No base64_decode() here: $input is the plaintext setting.
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        // Same key and same indexing as decrypt_settings(), so the two stay in step.
        $offset_character = substr(
            decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj" .
                   "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="),
            ($i % strlen(decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYzNV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQ" .
                                "hQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="))) - 1,
            1
        );
        // Add the key byte instead of subtracting it.
        $character = chr(ord($character) + ord($offset_character));
        $output .= $character;
    }
    // base64 encode the whole shifted string once, outside the loop.
    return base64_encode($output);
}

You can call this function using something similar to this:

$encrypted_settings = encrypt_settings("yoursettings");
 echo($encrypted_settings);

So then you should have your encrypted string!
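As an added example (not code from the post or from the bot), here is the same settings cipher in Python, so a sample's settings array can be decoded and re-encoded offline without running the bot's PHP. The key is the base64 blob copied from the decode() calls above; the function names, the constructed "long" sample setting and the key-recovery helper are mine. It goes a little beyond the post: recover_key_bytes() shows that a single known plaintext/ciphertext pair leaks the key bytes at those positions, which is why this is obfuscation rather than encryption.

```python
import base64

# Added example, not code from the bot or the post: the PHP/Obfu.A settings cipher
# reimplemented for offline analysis. KEY_B64 is the base64 blob embedded in the
# bot's decode() calls; the rest of this file is the editor's own code.
KEY_B64 = (
    "M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz"
    "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj"
    "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="
)
# PHP's non-strict base64_decode() silently drops characters outside the alphabet;
# Python's b64decode() does the same unless validate=True, so stray spaces or
# newlines in the blob need no special handling.
KEY = base64.b64decode(KEY_B64)   # 113 bytes: 3@!#!@$^&*^&@#$ ... W$FAASDE


def key_byte(i: int) -> int:
    """Key byte used at position i, mirroring substr($key, ($i % strlen($key)) - 1, 1).

    For i == 0 the index is -1, which PHP's substr() (and Python indexing) read as
    'last byte', so the key stream is effectively rotated: E, 3, @, !, #, ...
    The modulo makes it repeat every 113 bytes for longer settings.
    """
    return KEY[(i % len(KEY)) - 1]


def decrypt_settings(encoded: str) -> bytes:
    """The bot's decrypt_settings(): base64-decode, then subtract the key byte from
    each ciphertext byte. PHP's chr() reduces its argument mod 256, so a negative
    difference wraps rather than failing."""
    data = base64.b64decode(encoded)
    return bytes((c - key_byte(i)) % 256 for i, c in enumerate(data))


def encrypt_settings(plain: bytes) -> str:
    """The inverse derived in the post: add the key byte, then base64-encode the
    whole shifted string once, outside the loop."""
    shifted = bytes((p + key_byte(i)) % 256 for i, p in enumerate(plain))
    return base64.b64encode(shifted).decode("ascii")


def decrypt_all(settings: dict) -> dict:
    """Decode every entry of a bot's $settings array in one pass."""
    return {name: decrypt_settings(value) for name, value in settings.items()}


def recover_key_bytes(encoded: str, known_plain: bytes) -> bytes:
    """A fixed-key additive cipher leaks its key to anyone holding one
    plaintext/ciphertext pair: key = cipher - plain at each position."""
    data = base64.b64decode(encoded)
    return bytes((c - p) % 256 for c, p in zip(data, known_plain))


# Constructed sample settings array: 'mo' is the real value quoted in the post;
# 'long' is made up here to exercise the key wrap-around past 113 bytes.
SAMPLE_SETTINGS = {
    "mo": "cqtrig==",
    "long": encrypt_settings(b"irc.example.invalid " * 8),
}

if __name__ == "__main__":
    for name, value in decrypt_all(SAMPLE_SETTINGS).items():
        print(f"{name}: {value!r}")
    print(recover_key_bytes("cqtrig==", b"-x+i"))  # b'E3@!'
```

Feeding decrypt_all() the whole $settings array from a sample gives you the IRC servers, channel, password and command prefix in one go; recover_key_bytes() is what you would reach for on a variant that swaps the key blob, since a single setting whose plaintext you can guess (a channel mode like -x+i, or a port number) hands back the key bytes at those positions.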

Hopefully this week I'll be able to analyse the rest of the bot, but most of the hard work is now done by having figured out the encryption.

Hope this helps, have fun 🙂



Security | 2007-12-12 06:03:34

An exploit exists in Media Player Classic when processing a crafted MP4 file. The file causes a stack overflow which can be used to execute shellcode.

Source code available at: http://milw0rm.com/exploits/4701

Movie of compiling and exploiting:

http://www.ecks90.com/files/mplayer.exploit.movie.rar


Security | 2007-12-12 05:40:09

An exploit exists in Windows Explorer when processing a crafted GIF file. When read from disk, the file will cause a Denial of Service for explorer.exe

Source code available at: http://milw0rm.com/exploits/4215

Movie of compiling and exploiting:

http://www.ecks90.com/files/explorer.gif.dos.movie.rar


IT | 2007-12-12 02:42:56

Well as of Friday 7th December I am now RHCT certified (Red Hat Certified Technician)

I managed to pass with 100% which was awesome, now bring on the RHCE!