Sunday, February 5, 2012

My New N9. The Half-Cooked Distro


I like my N900 very much. I mean, not many people can go around spawning a shell on their palms, right? Sadly, although in my humble opinion the N900 is the best thing a phone can offer (full, total control over the phone, straightforward cross compiling like you do on your normal *nix, unlike the other Linux


However, it is a pity to say that every awesome thing in the world has its own Achilles heel (the memory is small, the stock CPU speed is only 600 MHz, and the female USB charger port is always coming loose).


So I decided to give myself an upgrade to the N9, supposedly the successor of the N900. With a 1 GHz processor and 1 GB of RAM it should make some deep impact, right?

So here are the pros and cons for the N9.

  1. It's faster, with an AMOLED screen.
  2. Multitouch; all you need is a swipe.

Now here's the bad thing ...

1. Half-Ass Cooked OS
The moment you enable Developer mode, you realise that the phone is bundled with half-assed determination, unlike the N900. The default repo is the worst. You don't even have the basic unzip package available. Version-control tools such as svn and git are borked. It's much better to compile everything yourself rather than hunting for the correct repo.

2. Limited root even in developer mode.

This is most likely due to the Aegis security framework, which is similar to SELinux but poses a lot of problems. Any unsigned binary that isn't registered with Aegis won't be executed, and any code execution that requires root privileges, such as raw sockets, can't be done. Ping is accepted since it's in the Aegis whitelist. Luckily it was not that much hassle. There are a few tricks you can do ..

-  Use Taviso's technique http://seclists.org/fulldisclosure/2010/Oct/257 (find the allowed suid binaries)
-  Flash the firmware back and then apply the open-mode kernel patch: http://maemo.cloud-7.de/HARM/N9/openmode_kernel_PR1.1/

3. No external MMC slot, and it uses a micro-SIM instead of a normal SIM.. (What the heck?)

So there you go, my review of the N9. It's really a superb phone that will be abandoned by its maker but not by its users.


Friday, December 2, 2011

"Yes 4G on Linux is not a dream .. Final Part"

Yep, it's working since the gctwimax code has been pushed to 0.3!!!

@yoonkit mentioned to me that Fikri has created the YES Installer, which includes customization for the WiMAX connection specifically bound to the Yes 4G network.. You can visit his website for further details

http://fikri.my/blog/yes-installer


19 Nov 2010  and today is 02 Dec 201..


Well, it's been just a year and we got ourselves a fine working driver.. Kudos to all


Saturday, October 15, 2011

Twit2Bot via SMS

Say, for example, in an unforeseen event you are in a DMZ zone and have an external IP, but only inbound traffic on a certain TCP port is allowed :). No outbound traffic is allowed.

And you are stuck with only an old phone that can just call and SMS? What would you do in order to get Internet access?

The presentation here shows how Twitter can be useful to bypass certain Internet restrictions.

TwiT2Bot

Link to download tools:
http://www.mediafire.com/?g7fuhmewszwf8bd

Tuesday, May 17, 2011

lazy jumping techniques

Just woke up a few minutes ago and came up with a lazy shellcode skeleton idea: using inline asm to jump to the shellcode instead of casting it to a function pointer and calling it.

#include <stdio.h>
#include <string.h>

/* Placeholder bytes only; a real test would put position-independent code here.
   The buffer must sit in executable memory (e.g. with
   __attribute__((section(".text"))) on the array) or the jump will fault. */
char shellcode[] = "malsmalasmalmalsa";

int main(int argc, char **argv)
{
    printf("shellcode length: %zu bytes\n", strlen(shellcode));
    /* 32-bit x86, as in the original: load the buffer address into a
       register and jump there instead of calling it as a function. */
    __asm__ volatile(
        "mov %0, %%eax\n\t"
        "jmp *%%eax\n\t"
        :
        : "r"(shellcode)
        : "eax");
    return 0;
}




Saturday, May 14, 2011

Evading Antivirus Emulator using stealth meterpreter

Synopsis

I'm a Metasploit dog. Yup, for the past 3 years of my life as a pen-tester junkie, there hasn't been a project I tested without using the whole bunch of the Metasploit framework. The juiciest thing about Metasploit is the meterpreter: a fine payload that acts as a badass backdoor for any platform, be it Windows/Java/PHP/Linux. A fine backdoor.

However, antivirus has also matured a lot over the past years. With the improvement of certain technology such as antivirus emulators, generating a meterpreter payload while evading antivirus detection may be quite hard.

Known techniques to evade antivirus

1. Use Metasploit's msfencode to 'pack' the backdoor:
http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass

2. Use a custom loader:

In these slides I'm presenting a new alternative way to evade an antivirus emulator simply by passing an input or an argument. Our objective here is to create a backdoor that evades antivirus detection.

Special thanks to sk, pokleyzz and the rest of the crew.





Friday, April 29, 2011

Yes 4G on Linux is not a dream .. Part2

[Updates]
I was planning to write this post earlier but my workload piled up badly (training/pentest/business proposals and so on). Strangely enough, I had time to update my Facebook/Twitter/K-pop addiction instead of dwelling in code. For that, dear reader, I apologize.
Disclaimer: what I wrote here is my own understanding based on my own observation; it may be wrong or it may be right.


Remember previously I said that if we had the NSPID right the driver would work well? It turns out I was wrong by 720 degrees. A fail is a fail, but no doubt it helped me understand how WiMAX really works. In brief, if you really want to understand the whole procedure of a WiMAX network architecture, read the tech specs from the WiMAX Forum: T31, T32, T33.

In Brief


[Image: A WiMAX Network Reference Model, courtesy of Juniper]

Let's move on to the technical part of our Yes 4G dongle specs:


Now, the driver for the gctwimax 7205 is available on Google Code. But the major problem is that in the WiMAX world every driver's information is unique to its NSP ... Any WiMAX provider may use the same chipset, but the logical information inside it for authentication may differ from the others.

Since the information we have is only the tech specs from the WiMAX Forum and the current driver available at Google Code, we dig inside our own Yes directory,




which actually contains a lot of useful information such as our NSPID, NAI, and everything else.

After we found our initial information, we tried to understand how Yes 4G network connectivity works by sniffing it. For this activity we were using USBlyzer to sniff it. A generic shortcut to USB sniffing ..

In: data that the device receives from the buffer
Out: data that the device sends to the buffer

So we are going to divide our sniffing of a working driver into two segments: initializing the device, and network authentication.

Initialization Part 1


So what actually happens when you launch the Yes 4G Connect app?
Attached here is the link to a USB sniff capture: http://www.mediafire.com/?vu2eae78lu4gaxy

What happens initially in the buffer:
The device will write to the buffer the code 03 12 00 06 01 01 00 00. This is actually a code telling the device to start extracting the cert information into the device. Now, the garbage data that you see highlighted in red (in the screenshot) is actually the cert information to connect to the Yes 4G APN. The function call is defined in protocol.c




But the actual extraction is handled by wimax.c, starting from line 773




After the certs have been extracted, the buffer will be filled with 00 06 00 00, telling the device to turn the RF signal ON, or in other words to start scanning. This is defined in protocol.c at line 696..






After radio mode is turned on, the config file will be read by nwsettings inside the Yes application (I think so), and the device will send a code into the buffer to search for the Yes network.



Now, that's the number one issue over here. If you refer to my previous post, our Linux driver didn't detect the Yes network coverage. Now let's analyze why it couldn't find it in the first place.

What actually happens? http://www.mediafire.com/?qgduh3zmcwyco6a is the capture from the failed attempt..


Looking at URB75 in both files, we found that the buffer is slightly different.


Notice the "Sub1" string, and that the size of the buffer differs a lot between the Linux and Windows drivers.

To cut the story short, what happens during the NAP scanning can be found in wimax.c at line 815, the scan loop function




If you look at the code, it tries to fill the buffer with a function call, fill_find_network_req, which is actually located in protocol.c at line 755


So you see, the Linux driver will fill the buffer with this code:

03 12 00 06 01 06 00 00 00 00  


where the 4th byte is actually the size of the parameter, which is 6.

If we look at the Windows driver, the size of the parameter is slightly larger, 0C (12 in decimal):

01 0D 00 0C 02 D2 03 00 00 40 D4 04 53 75 62 31 


To proceed from here you have two options, two hacks: either patch wimax.c directly, or fix protocol.c. A quick, nonchalant hack is to hardcode the buffer value inside wimax.c instead of relying on protocol.c, something like this.
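As an added example (not code from the post or from the gctwimax project), here is a small decoder for the two request frames dumped above. It treats bytes 0-1 as the command id and bytes 2-3 as a big-endian payload length (an assumption; the post only notes that the 4th byte is the parameter size), and it flags any frame whose declared length does not match the bytes captured, which is exactly the kind of mismatch spotted at URB75.

```c
/* Added example, not code from the post or the gctwimax project.  Assumption:
 * bytes 0-1 are a command id, bytes 2-3 a big-endian payload length (the post
 * only says the 4th byte is the parameter size), and the payload follows. */
#include <stdint.h>
#include <stdlib.h>

/* The two find-network requests quoted in the post (Linux driver vs Windows). */
static const char LINUX_FIND_NET[] = "03 12 00 06 01 06 00 00 00 00";
static const char WIN_FIND_NET[] = "01 0D 00 0C 02 D2 03 00 00 40 D4 04 53 75 62 31";

#define GCT_HDR 4
#define GCT_MAX 64

/* Parse "xx xx ..." into bytes; returns the byte count or -1 on bad input. */
static int hex_to_bytes(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*hex) {
        char *end;
        while (*hex == ' ') hex++;
        if (!*hex) break;
        long v = strtol(hex, &end, 16);
        if (end - hex != 2 || v < 0 || v > 0xFF || n >= cap) return -1;
        out[n++] = (uint8_t)v;
        hex = end;
    }
    return (int)n;
}

/* Declared payload length, or -1 when the header is short or the buffer holds
 * a different number of bytes than the header promises (truncated frame). */
int gct_payload_len(const char *hex)
{
    uint8_t buf[GCT_MAX];
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < GCT_HDR) return -1;
    int len = (buf[2] << 8) | buf[3];
    return (GCT_HDR + len == n) ? len : -1;
}

/* Byte at payload offset idx; -1 if the frame is bad or idx is out of range.
 * Offsets 8..11 of the Windows request spell the ASCII "Sub1". */
int gct_payload_byte(const char *hex, int idx)
{
    uint8_t buf[GCT_MAX];
    int len = gct_payload_len(hex);
    if (len < 0 || idx < 0 || idx >= len) return -1;
    hex_to_bytes(hex, buf, sizeof buf);
    return buf[GCT_HDR + idx];
}
```

Running the Linux frame through it gives a 6-byte payload and the Windows frame a 12-byte one, so the hardcoded buffer in wimax.c has to carry the longer form (including the "Sub1" bytes) for the network to be found.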




We will continue with part 3 later on.. But for now the code will detect the network properly.

Yes 4G on Linux is not a dream .. Part1 [Updates]

Yes 4G has great speed and awesome performance. Ignoring the confusing pros/cons of the price/coverage plans (according to my master, it's all the same anyway), we would like to see this particular Yes 4G working on Linux for various reasons:

  1. If it works on *nix, that means we can flash our DD-WRT router with a USB port to support the Yes 4G WiMAX dongle and have better speed.
  2. Because I haven't played with and blogged about Linux and hacks for such a long time.


Yes 4G Spec ..

  1. It's using 802.16e WiMAX technology
  2. Using the GCT Semiconductor GDM7205 chip [Links]
  3. Pretty much the same as P1, but P1

Now the cool thing is that someone already wrote a driver for the GDM7205 for Linux. You can actually download the source code here and just follow the RTFM.. There are a few adjustments and patches you need to do (depending on what error you receive during make). But the basic requirements are:
  • Linux kernel with TUN/TAP support (simple check: look for /dev/net/tun)
  • libusb-1.0-dev
  • libssl-dev
  • libglib2.0-dev
  • dbus
  • libdbus-glib-1-dev
  • zlib
  • libeap.so


I tested it under Ubuntu 10.04 LTS ..





So far everything works until it tries to find the network connection.






So it cannot find the correct network, so we run gctwimax in verbose log mode.






My bad: the error is because the dialer doesn't know the correct NSPID for the Yes 4G network...







According to the gctwimax instructions we may need to set the NSPID correctly and also the OuterNAI (most probably username@yes.com.my). But our objective here is to obtain the NSPID.

To all .my hackers out there, what can be done to solve this problem?

  1. We can proceed with brute-forcing the NSPID until it hits a network. (Hell slow, but might work.)
  2. Sniffing the odd traffic might work, using Microsoft Network Monitor instead of WinPcap. (No offense, bizarre/proprietary traffic is best viewed under MNM.) USBsnoop might work (if you run it under a Windows VM).
  3. Reverse the Yes 4G dialer app on Windows. (Probably the coolest/fastest way to do it.)
  4. Set up a WiMAX sniffer. Basically build an 802.16e injector.

In short, I believe running Yes 4G on Linux won't be that long from now!! Long.


Credits:

Pokleyzz and friends.


[Updates]
Seems I made the wrong assumption. That information can be obtained inside the Windows Connect.exe software.



Going to continue after a few winks. Perhaps wimax.h needs a bit of a twist, yes/no?