tl;dr TELKOM security sucks
Last month I tweeted about PT. Telekomunikasi Indonesia Tbk (TELKOM) big brother and was unable to access several websites because their networks are listed in a known bot database. Citizen Lab said they are serving FinFisher and of course TELKOM denies it.
Actually it’s not FinFisher; try watching this http://cbl.abuseat.org/lookup.cgi?ip=118.97.95.19, it changes every 6 hours…
Zeus, Kelihos, Cutwail, Pony, blah blah blah. This is happening because many TELKOM clients are compromised.
I HATE BEING BEHIND NAT
Wait, it’s not over… it doesn’t mean you are not watched.

bigbro panel by ARA Networks.
OK, to warm us up a little, how about some failover cluster info ;)
snmpcheck.pl v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
[*] System information
———————————————————————————————————————————————-
Hostname : REPORTER
Description : Linux REPORTER 2.6.18-274.3.1.el5.ara.6 #1 SMP Thu Dec 22 10:24:45 KST 2011 x86_64
Uptime system : 434 days, 12:44:43.27
Uptime SNMP daemon : 46 days, 21:20:17.02
Contact : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
Location : Unknown (configure /etc/snmp/snmp.local.conf)
Motd : noSuchObject
[*] Devices information
———————————————————————————————————————————————-
Id Type Status Description
1025 Network Running network interface lo
1026 Network Running network interface eth0
1027 Network Running network interface eth1
1028 Network Down network interface sit0
1552 Disk Storage Unknown SCSI disk (/dev/sda)
1553 Disk Storage Unknown SCSI disk (/dev/sdb)
3072 Coprocessor Unknown Guessing that there’s a floating point co-processor
768 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
769 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
770 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
771 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
772 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
773 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
774 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
775 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
776 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
777 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
778 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
779 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
780 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
781 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
782 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
783 Processor Unknown GenuineIntel: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
[*] Storage information
———————————————————————————————————————————————-
Memory Buffers
Device id : 1
Device type : Other
Filesystem type : LinuxExt2
Device units : 1024
Memory size : 48G
Memory used : 219M
Memory free : 47G
Real Memory
Device id : 2
Device type : Ram
Filesystem type : Other
Device units : 1024
Memory size : 48G
Memory used : 48G
Memory free : 156M
Swap Space
Device id : 3
Device type : Virtual Memory
Filesystem type : LinuxExt2
Device units : 1024
Memory size : 47G
Memory used : 224K
Memory free : 47G
/
Device id : 4
Device type : Fixed Disk
Filesystem type : Other
Device units : 4096
Memory size : 142G
Memory used : 28G
Memory free : 115G
/sys
Device id : 5
Device type : Fixed Disk
Filesystem type : Other
Device units : 4096
/mnt/log
Device id : 6
Device type : Fixed Disk
Filesystem type : Unknown
Device units : 4096
Memory size : 4.8T
Memory used : 1.1T
Memory free : 3.8T
/proc/sys/fs/binfmt_misc
Device id : 7
Device type : Fixed Disk
Filesystem type : Unknown
Device units : 4096
/var/lib/nfs/rpc_pipefs
Device id : 8
Device type : Fixed Disk
Filesystem type : Unknown
Device units : 4096
[*] Processes
———————————————————————————————————————————————-
Total processes : 241
Process type : 1 unknown, 2 operating system, 3 device driver, 4 application
Process status : 1 running, 2 runnable, 3 not runnable, 4 invalid
Process id Process name Process type Process status Process path
1 init 4 2 init [3]
10 watchdog/2 4 2 watchdog/2
11 migration/3 4 2 migration/3
1122 scsi_eh_0 4 2 scsi_eh_0
1123 megasas_ocr/0 4 2 megasas_ocr/0
1124 megasas_ocr/1 4 2 megasas_ocr/1
1125 megasas_ocr/2 4 2 megasas_ocr/2
1126 megasas_ocr/3 4 2 megasas_ocr/3
1127 megasas_ocr/4 4 2 megasas_ocr/4
1128 megasas_ocr/5 4 2 megasas_ocr/5
1129 megasas_ocr/6 4 2 megasas_ocr/6
1130 megasas_ocr/7 4 2 megasas_ocr/7
1131 megasas_ocr/8 4 2 megasas_ocr/8
1132 megasas_ocr/9 4 2 megasas_ocr/9
1133 megasas_ocr/10 4 2 megasas_ocr/10
1134 megasas_ocr/11 4 2 megasas_ocr/11
1135 megasas_ocr/12 4 2 megasas_ocr/12
1136 megasas_ocr/13 4 2 megasas_ocr/13
1137 megasas_ocr/14 4 2 megasas_ocr/14
1138 megasas_ocr/15 4 2 megasas_ocr/15
1159 kjournald 4 2 kjournald
11795 hald-addon-keyb 4 2 hald-addon-keyboard: listening on /dev/input/event0
1186 kauditd 4 2 kauditd
12 ksoftirqd/3 4 2 ksoftirqd/3
1220 udevd 4 2 /sbin/udevd
13 watchdog/3 4 2 watchdog/3
14 migration/4 4 2 migration/4
15 ksoftirqd/4 4 2 ksoftirqd/4
15577 AraReporter 4 2 AraReporter
16 watchdog/4 4 2 watchdog/4
17 migration/5 4 2 migration/5
18 ksoftirqd/5 4 2 ksoftirqd/5
18772 httpd 4 2 /usr/sbin/httpd
18780 httpd 4 2 /usr/sbin/httpd
18785 httpd 4 2 /usr/sbin/httpd
19 watchdog/5 4 2 watchdog/5
2 migration/0 4 2 migration/0
20 migration/6 4 2 migration/6
20615 snmpd 4 1 /usr/sbin/snmpd
20641 crond 4 2 sleep
20671 php 4 2 kedac
20672 sleep 4 2 ksoftirqd/6
20674 kedac 4 2 watchdog/6
20675 ksoftirqd/6 4 2 ntpd
2093 watchdog/6 4 2 /bin/bash
21 ntpd 4 2 /usr/local/bin/AraReporter
22 run_ar 4 2 pdflush
22369 AraReporter 4 2 migration/7
22613 pdflush 4 2 pdflush
22619 migration/7 4 2 proftpd: (accepting connections)
22957 pdflush 4 2 ksoftirqd/7
23 proftpd 4 2 watchdog/7
23007 ksoftirqd/7 4 2 migration/8
23674 watchdog/7 4 2 ksoftirqd/8
24 migration/8 4 2 /usr/sbin/httpd
25 ksoftirqd/8 4 2 /usr/sbin/httpd
26 httpd 4 2 /usr/sbin/httpd
27 httpd 4 2 /usr/sbin/httpd
27020 httpd 4 2 /usr/sbin/httpd
27021 httpd 4 2 /usr/sbin/httpd
27022 httpd 4 2 /usr/sbin/httpd
27023 httpd 4 2 /usr/sbin/httpd
27026 httpd 4 2 watchdog/8
27028 httpd 4 2 migration/9
27030 watchdog/8 4 2 ksoftirqd/0
27033 migration/9 4 2 ksoftirqd/9
28 ksoftirqd/0 4 2 kstriped
29 ksoftirqd/9 4 2 watchdog/9
3 kstriped 4 2 kmpathd/0
30 watchdog/9 4 2 kmpathd/1
3095 kmpathd/0 4 2 kmpathd/2
31 kmpathd/1 4 2 kmpathd/3
3137 kmpathd/2 4 2 kmpathd/4
3138 kmpathd/3 4 2 kmpathd/5
3139 kmpathd/4 4 2 kmpathd/6
3140 kmpathd/5 4 2 kmpathd/7
3141 kmpathd/6 4 2 kmpathd/8
3142 kmpathd/7 4 2 kmpathd/9
3143 kmpathd/8 4 2 kmpathd/10
3144 kmpathd/9 4 2 kmpathd/11
3145 kmpathd/10 4 2 kmpathd/12
3146 kmpathd/11 4 2 kmpathd/13
3147 kmpathd/12 4 2 kmpathd/14
3148 kmpathd/13 4 2 kmpathd/15
3149 kmpathd/14 4 2 kmpath_handlerd
3150 kmpathd/15 4 2 migration/10
3151 kmpath_handlerd 4 2 kjournald
3152 migration/10 4 2 ksoftirqd/10
3153 kjournald 4 2 watchdog/10
32 ksoftirqd/10 4 2 migration/11
3213 watchdog/10 4 2 ksoftirqd/11
33 migration/11 4 2 watchdog/11
34 ksoftirqd/11 4 2 auditd
35 watchdog/11 4 2 /sbin/audispd
36 auditd 4 2 migration/12
37 audispd 4 2 syslogd
3793 migration/12 4 2 klogd
3795 syslogd 4 2 irqbalance
38 klogd 4 2 portmap
3827 irqbalance 4 2 rpc.statd
3830 portmap 4 2 ksoftirqd/12
3846 rpc.statd 4 2 rpciod/0
3868 ksoftirqd/12 4 2 rpciod/1
3893 rpciod/0 4 2 rpciod/2
39 rpciod/1 4 2 rpciod/3
3946 rpciod/2 4 2 rpciod/4
3947 rpciod/3 4 2 rpciod/5
3948 rpciod/4 4 2 rpciod/6
3949 rpciod/5 4 2 rpciod/7
3950 rpciod/6 4 2 rpciod/8
3951 rpciod/7 4 2 rpciod/9
3952 rpciod/8 4 2 rpciod/10
3953 rpciod/9 4 2 rpciod/11
3954 rpciod/10 4 2 rpciod/12
3955 rpciod/11 4 2 rpciod/13
3956 rpciod/12 4 2 rpciod/14
3957 rpciod/13 4 2 rpciod/15
3958 rpciod/14 4 2 rpc.idmapd
3959 rpciod/15 4 2 squid
3960 rpc.idmapd 4 2 (squid)
3961 squid 4 2 (unlinkd)
3968 squid 4 2 dbus-daemon
3989 unlinkd 4 2 watchdog/0
3991 dbus-daemon 4 2 watchdog/12
3993 watchdog/0 4 2 pcscd
3995 watchdog/12 4 2 migration/13
4 pcscd 4 2 /usr/bin/hidd
40 migration/13 4 2 automount
4041 hidd 4 2 /usr/sbin/acpid
41 automount 4 2 ksoftirqd/13
4115 acpid 4 2 sendmail: accepting connections
4154 ksoftirqd/13 4 2 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
4178 sendmail 4 2 watchdog/13
42 sendmail 4 2 gpm
4277 watchdog/13 4 2 crond
4286 gpm 4 2 /usr/sbin/atd
43 crond 4 2 hald
4302 atd 4 2 hald-runner
4317 hald 4 2 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
4360 hald-runner 4 2 migration/14
4383 hald-addon-acpi 4 2 ksoftirqd/14
4384 migration/14 4 2 /usr/sbin/smartd
4396 ksoftirqd/14 4 2 /sbin/mingetty
44 smartd 4 2 /sbin/mingetty
45 mingetty 4 2 /sbin/mingetty
4514 mingetty 4 2 /sbin/mingetty
4518 mingetty 4 2 /sbin/mingetty
4519 mingetty 4 2 /sbin/agetty
4520 mingetty 4 2 kthread
4521 agetty 4 2 watchdog/14
4522 kthread 4 2 /usr/sbin/snmptrapd
4524 watchdog/14 4 2 migration/15
457 snmptrapd 4 2 /sbin/mingetty
46 migration/15 4 2 kblockd/0
4645 mingetty 4 2 kblockd/1
47 kblockd/0 4 2 kblockd/2
4758 kblockd/1 4 2 ksoftirqd/15
477 kblockd/2 4 2 kblockd/3
478 ksoftirqd/15 4 2 kblockd/4
479 kblockd/3 4 2 kblockd/5
48 kblockd/4 4 2 kblockd/6
480 kblockd/5 4 2 kblockd/7
481 kblockd/6 4 2 kblockd/8
482 kblockd/7 4 2 kblockd/9
483 kblockd/8 4 2 kblockd/10
484 kblockd/9 4 2 kblockd/11
485 kblockd/10 4 2 kblockd/12
486 kblockd/11 4 2 watchdog/15
487 kblockd/12 4 2 kblockd/13
488 watchdog/15 4 2 kblockd/14
489 kblockd/13 4 2 kblockd/15
49 kblockd/14 4 2 kacpid
490 kblockd/15 4 2 migration/1
491 kacpid 4 2 events/0
492 migration/1 4 2 events/1
493 events/0 4 2 /bin/sh
5 events/1 4 2 events/2
50 mysqld_safe 4 2 /usr/sbin/sshd
51 events/2 4 2 /usr/libexec/mysqld
5129 sshd 4 2 events/3
52 mysqld 4 2 events/4
5255 events/3 4 2 /usr/sbin/httpd
5287 events/4 4 2 events/5
53 httpd 4 2 events/6
54 events/5 4 2 events/7
5449 events/6 4 2 events/8
55 events/7 4 2 events/9
56 events/8 4 2 cqueue/0
57 events/9 4 2 ksoftirqd/1
58 cqueue/0 4 2 events/10
59 ksoftirqd/1 4 2 cqueue/1
599 events/10 4 2 cqueue/2
6 cqueue/1 4 2 cqueue/3
60 cqueue/2 4 2 cqueue/4
600 cqueue/3 4 2 cqueue/5
601 cqueue/4 4 2 cqueue/6
602 cqueue/5 4 2 cqueue/7
603 cqueue/6 4 2 cqueue/8
604 cqueue/7 4 2 cqueue/9
605 cqueue/8 4 2 cqueue/10
606 cqueue/9 4 2 events/11
607 cqueue/10 4 2 cqueue/11
608 events/11 4 2 cqueue/12
609 cqueue/11 4 2 cqueue/13
61 cqueue/12 4 2 cqueue/14
610 cqueue/13 4 2 cqueue/15
611 cqueue/14 4 2 khubd
612 cqueue/15 4 2 kseriod
613 khubd 4 2 events/12
614 kseriod 4 2 events/13
617 events/12 4 2 events/14
619 events/13 4 2 events/15
62 events/14 4 2 khelper
63 events/15 4 2 watchdog/1
64 khelper 4 2 migration/2
65 watchdog/1 4 2 /usr/sbin/httpd
66 migration/2 4 2 /usr/sbin/httpd
7 httpd 4 2 khungtaskd
8 httpd 4 2 kswapd0
8044 khungtaskd 4 2 kswapd1
8049 kswapd0 4 2 aio/0
808 kswapd1 4 2 aio/1
811 aio/0 4 2 aio/2
812 aio/1 4 2 aio/3
813 aio/2 4 2 aio/4
814 aio/3 4 2 aio/5
815 aio/4 4 2 aio/6
816 aio/5 4 2 aio/7
817 aio/6 4 2 aio/8
818 aio/7 4 2 aio/9
819 aio/8 4 2 aio/10
820 aio/9 4 2 aio/11
821 aio/10 4 2 aio/12
822 aio/11 4 2 aio/13
823 aio/12 4 2 aio/14
824 aio/13 4 2 aio/15
825 aio/14 4 2 /usr/sbin/httpd
826 aio/15 4 2 ksoftirqd/2
827 httpd 4 2 kpsmoused
828 ksoftirqd/2 2
8724 kpsmoused 2
9 2
[*] Network information
———————————————————————————————————————————————-
IP forwarding enabled : 1
Default TTL : 64
TCP segments received : 2526544228
TCP segments sent : 3537046136
TCP segments retrans. : 26898095
Input datagrams : 3114688302
Delivered datagrams : 3061106682
Output datagrams : 3666779648
[*] Network interfaces
———————————————————————————————————————————————-
Interface : [ up ] lo
Interface Speed : 10 Mbps
IP Address : 1.1.1.1
Netmask : 255.0.0.0
MTU : 16436
Bytes In : 2393202308 (2.3G)
Bytes Out : 2393202308 (2.3G)
Interface : [ up ] eth0
Hardware Address : 78:2b:CE:NS:OR:ED
Interface Speed : 1000 Mbps
IP Address : 127.0.0.1
Netmask : 255.0.0.0
MTU : 1500
Bytes In : 2384379736 (2.3G)
Bytes Out : 523364965 (500M)
Interface : [ up ] eth1
Hardware Address : 78:2b:CE:NS:OR:ED
Interface Speed : 1000 Mbps
IP Address : 172.17.164.180
Netmask : 255.255.255.240
MTU : 1500
Bytes In : 2385355852 (2.3G)
Bytes Out : 3564 (3.5K)
Interface : [ up ] sit0
MTU : 1480
[*] Routing information
———————————————————————————————————————————————-
Destination Next Hop Mask Metric
0.0.0.0 172.17.164.177 - 1
1.0.0.0 0.0.0.0 - -
169.254.0.0 0.0.0.0 - -
[*] Listening TCP ports and connections
———————————————————————————————————————————————-
Local Address Port Remote Address Port State
0.0.0.0 111 0.0.0.0 - Listening
0.0.0.0 3306 0.0.0.0 - Listening
0.0.0.0 5301 0.0.0.0 - Listening
0.0.0.0 683 0.0.0.0 - Listening
0.0.0.0 9128 0.0.0.0 - Listening
127.0.0.1 199 0.0.0.0 - Listening
127.0.0.1 25 0.0.0.0 - Listening
127.0.0.1 25 172.17.164.180 48920 Time wait
127.0.0.1 38583 127.0.0.1 5301 FIN wait1
127.0.0.1 38584 127.0.0.1 5301 FIN wait1
127.0.0.1 38587 127.0.0.1 5301 Established
127.0.0.1 38588 127.0.0.1 5301 Established
127.0.0.1 5301 172.17.164.180 38577 SYN received
127.0.0.1 5301 172.17.164.180 38580 SYN received
127.0.0.1 5301 172.17.164.180 38583 SYN received
127.0.0.1 5301 172.17.164.180 38584 SYN received
127.0.0.1 5301 172.17.164.180 38587 SYN received
127.0.0.1 5301 172.17.164.180 38588 SYN received
172.17.164.180 111 172.17.164.194 26504 Established
172.17.164.180 111 172.17.164.194 63993 Established
172.17.164.180 3306 172.17.164.194 19312 Time wait
172.17.164.180 3306 172.17.164.194 23636 SYN received
172.17.164.180 3306 172.17.164.194 27539 Time wait
172.17.164.180 3306 172.17.164.194 31725 Time wait
172.17.164.180 3306 172.17.164.194 35742 FIN wait2
172.17.164.180 3306 172.17.164.194 35812 Time wait
172.17.164.180 3306 172.17.164.194 35838 Time wait
172.17.164.180 3306 172.17.164.194 41583 SYN received
172.17.164.180 37535 87.106.211.191 80 Established
172.17.164.180 45670 37.252.230.18 80 Established
172.17.164.180 50217 176.10.101.69 443 Established
172.17.164.180 54873 176.223.198.114 443 Established
172.17.164.180 59848 87.106.211.172 443 Established
172.17.164.180 9128 10.178.41.8 2663 Established
172.17.164.180 9128 10.178.59.222 36386 Established
172.17.164.180 9128 10.178.59.222 37828 Established
172.17.164.180 9128 10.178.59.222 47794 Established
[*] Listening UDP ports
———————————————————————————————————————————————-
Local Address Port
0.0.0.0 111
0.0.0.0 123
0.0.0.0 161
0.0.0.0 162
0.0.0.0 33645
0.0.0.0 677
0.0.0.0 680
0.0.0.0 9130
127.0.0.1 123
[*] Software components
———————————————————————————————————————————————-
1. basesystem-8.0-5.1.1.el5.centos
10. gmp-4.1.4-10.el5
100. glibc-devel-2.5-81.el5_8.7
101. filesystem-2.4.0-1.el5.centos
102. tzdata-2007k-2.el5
103. zlib-1.2.3-3
104. glib2-2.12.3-2.fc6
105. audit-libs-1.6.5-9.el5
106. popt-1.10.2-48.el5
107. bzip2-libs-1.0.3-3
108. db4-4.3.29-10.el5
109. expat-1.95.8-8.2.1
11. libXau-1.0.1-3.1
110. cyrus-sasl-lib-2.1.22-4
111. libgcrypt-1.2.3-1
112. atk-1.12.2-1.fc6
113. elfutils-libelf-0.125-3.el5
114. libattr-2.4.32-1.1
115. libSM-1.0.1-3.1
116. file-4.17-13
117. libsysfs-2.0.0-6
118. gdbm-1.8.0-26.2.1
119. perl-Socket6-0.19-3.fc6
12. dosfstools-2.11-6.2.el5
120. cups-libs-1.2.4-11.18.el5
121. pcre-6.6-2.el5_1.7
122. dmidecode-2.7-1.28.2.el5
123. perl-String-CRC32-1.4-2.fc6
124. libart_lgpl-2.3.17-4
125. pax-3.4-1.2.2
126. libevent-1.1a-3.2.1
127. ethtool-5-1.el5
128. bluez-libs-3.7-1
129. pkgconfig-0.21-2.el5
13. libnl-1.0-0.10.pre5.5
130. libXdmcp-1.0.1-2.1
131. patch-2.5.4-29.2.2
132. perl-IO-stringy-2.110-5
133. cracklib-dicts-2.8.9-3.3
134. nash-5.1.19.6-28
135. centos-release-notes-5.2-2
136. libtermcap-2.0.8-46.1
137. info-4.8-14.el5
138. ncurses-5.5-24.20060715
139. libsepol-1.15.2-1.el5
14. mailx-8.1.1-44.2.2
140. shadow-utils-4.0.17-13.el5
141. device-mapper-1.02.24-1.el5
142. sed-4.1.5-5.fc6
143. freetype-2.2.1-19.el5
144. findutils-4.2.27-4.1
145. krb5-libs-1.6.1-25.el5
146. python-2.4.3-21.el5
147. fontconfig-2.4.1-7.el5
148. nspr-4.7.0.99.2-1.el5
149. mysqlclient15-5.0.67-1.el5.remi
15. libvolume_id-095-14.16.el5
150. net-snmp-libs-5.3.1-24.el5
151. mysql-5.1.42-1.el5.remi
152. libidn-0.6.5-1.1
153. libxml2-python-2.6.26-2.1.2.1
154. dbus-glib-0.70-5
155. psmisc-22.2-6
156. curl-7.15.5-2.el5
157. rhpl-0.194.1-1
158. libgssapi-0.10-2
159. apr-1.2.7-11.el5_3.1
16. perl-OLE-Storage_Lite-0.14-8
160. tar-1.15.1-23.0.1.el5
161. gzip-1.3.5-10.el5.centos
162. binutils-2.17.50.0.6-6.el5
163. lm_sensors-2.10.0-3.1
164. nfs-utils-lib-1.0.8-7.2.z2
165. iptables-ipv6-1.3.5-4.el5
166. dmraid-1.0.0.rc13-9.el5
167. dbus-python-0.70-7.el5
168. perl-DBD-MySQL-3.0007-2.el5
169. m2crypto-0.16-6.el5.2
17. mailcap-2.1.23-1.fc6
170. audit-libs-python-1.6.5-9.el5
171. python-sqlite-1.1.7-1.2.1
172. cracklib-2.8.9-3.3
173. SysVinit-2.86-14
174. passwd-0.73-1
175. authconfig-5.3.21-3.el5
176. gettext-0.14.6-4.el5
177. apr-util-1.2.7-7.el5_3.2
178. bind-libs-9.3.4-6.P1.el5
179. tcsh-6.14-12.el5
18. bash-3.2-21.el5
180. nscd-2.5-24
181. rrdtool-1.2.23-5
182. cryptsetup-luks-1.0.3-2.2.el5
183. lvm2-2.02.32-4.el5
184. MAKEDEV-3.23-1.2
185. util-linux-2.13-0.47.el5
186. logrotate-3.7.4-8
187. libcroco-0.6.1-2.1
188. php-cli-5.3.1-1.el5.remi
189. ed-0.2-38.2.2
19. libxml2-2.6.26-2.1.2.1
190. time-1.7-27.2.2
191. m4-1.4.5-3.el5.1
192. bzip2-1.0.3-3
193. arareporter-core-1.0.2.12010901-ara
194. php-xml-5.3.1-1.el5.remi
195. sudo-1.6.8p12-12.el5
196. krb5-workstation-1.6.1-25.el5
197. which-2.16-7
198. amtu-1.0.6-1.el5
199. bind-utils-9.3.4-6.P1.el5
2. mktemp-1.5-23.2.2
20. gawk-3.1.5-14.el5
200. proftpd-1.3.2-2.1.el5.kb
201. pam_ccreds-3-5
202. mysql-server-5.1.42-1.el5.remi
203. expect-5.43.0-5.1
204. php-soap-5.3.1-1.el5.remi
205. iptstate-1.4-1.1.2.2
206. jwhois-3.2.3-8.el5
207. autofs-5.0.1-0.rc2.88
208. libdbi-dbd-mysql-0.8.1a-1.2.2
209. pkinit-nss-0.7.3-1.el5
21. readline-5.1-1.1
210. PyXML-0.8.4-4
211. lftp-3.5.1-2.fc6
212. wget-1.10.2-7.el5
213. psacct-6.3.2-41.1
214. parted-1.8.1-17.el5
215. mlocate-0.15-1.el5
216. lsof-4.78-3
217. mtr-0.71-3.1
218. talk-0.17-29.2.2
219. mcelog-0.7-1.22.fc6
22. coreutils-5.97-14.el5
220. cpuspeed-1.2.1-3.el5
221. numactl-0.9.8-2.el5
222. sysfsutils-2.0.0-6
223. rsync-2.6.8-3.1
224. cyrus-sasl-plain-2.1.22-4
225. libhugetlbfs-1.2-5.el5
226. setserial-2.17-19.2.2
227. traceroute-2.0.1-3.el5
228. libaio-0.3.106-3.2
229. rdate-1.4-6
23. openldap-2.3.27-8.el5_1.3
230. pam_smb-1.1.7-7.2.1
231. zip-2.31-1.2.2
232. unix2dos-2.2-26.2.2
233. pam_passwdqc-1.0.2-1.2.2
234. rdist-6.1.5-44
235. eject-2.1.5-4.2.el5
236. hwdata-0.213.6-1.el5
237. syslinux-3.11-4
238. python-iniparse-0.2.3-4.el5
239. centos-release-5-2.el5.centos
24. nss-3.11.99.5-2.el5.centos
240. httpd-2.2.3-31.el5.centos.2
241. dhclient-3.0.5-13.el5
242. openssh-4.3p2-26.el5
243. dhcdbd-2.2-1.el5
244. vixie-cron-4.1-72.el5
245. cyrus-sasl-2.1.22-4
246. cups-1.2.4-11.18.el5
247. redhat-logos-4.9.99-8.el5.centos
248. xorg-x11-filesystem-7.1-2.fc6
249. libXext-1.0.1-2.1
25. mysql-libs-5.1.42-1.el5.remi
250. cairo-1.2.4-5.el5
251. libXpm-3.5.5-3
252. libXi-1.0.1-3.1
253. libXcursor-1.1.7-1.1
254. libXaw-1.0.2-8.1
255. libXrandr-1.1.1-3.1
256. pango-1.14.9-3.el5.centos
257. gtk2-2.10.4-20.el5
258. bluez-gnome-0.5-5.fc6
259. librsvg2-2.16.1-1.el5
26. diffutils-2.8.1-15.2.3.el5
260. mesa-libGL-6.5.1-7.5.el5
261. bluez-utils-3.7-2.el5.centos
262. gd-progs-2.0.33-9.4.el5_1.1
263. pcmciautils-014-5
264. sysstat-7.0.2-1.el5
265. openssh-clients-4.3p2-26.el5
266. nfs-utils-1.0.9-33.el5
267. mod_ssl-2.2.3-31.el5.centos
268. quota-3.13-1.2.3.2.el5
269. irqbalance-0.55-10.el5
27. kpartx-0.4.7-17.el5
270. ipsec-tools-0.6.5-9.el5
271. usbutils-0.71-2.1
272. grub-0.97-13.2
273. aspell-en-6.0-2.1
274. mysql-devel-5.1.42-1.el5.remi
275. logwatch-7.3-6.el5
276. pptm-plugin-nettag-1.0.0.09112601-ara
277. perl-Spreadsheet-WriteExcel-2.21-1.el5.rf
278. specspo-13-1.el5.centos
279. rootfiles-8.1-1.1.1
28. php-common-5.3.1-1.el5.remi
280. hal-0.5.8.1-35.el5
281. net-snmp-5.3.1-24.el5
282. pcsc-lite-1.4.4-0.1.el5
283. ifd-egate-0.05-15
284. kudzu-1.2.57.1.17-1
285. oddjob-libs-0.27-9.el5
286. pm-utils-0.99.3-6.el5.centos.19
287. setools-3.0-3.el5
288. net-snmp-perl-5.3.1-24.el5
289. net-snmp-utils-5.3.1-24.el5
29. e2fsprogs-1.39-15.el5
290. smartmontools-5.36-4.el5
291. selinux-policy-2.4.6-137.el5
292. libstdc++-4.1.2-52.el5_8.1
293. libstdc++-4.1.2-52.el5_8.1
294. yum-3.2.8-9.el5.centos.1
295. firstboot-tui-1.4.27.3-1
296. perl-URI-1.35-3
297. iptraf-3.0.0-5.el5
298. glibc-common-2.5-81.el5_8.7
299. glibc-2.5-81.el5_8.7
3. tcp_wrappers-7.6-40.4.el5
30. less-394-5.el5
300. cpp-4.1.2-52.el5_8.1
301. glibc-headers-2.5-81.el5_8.7
302. gcc-4.1.2-52.el5_8.1
303. compat-glibc-headers-2.3.4-2.26
304. setup-2.5.58-1.el5
305. chkconfig-1.3.30.1-2
306. libpng-1.2.10-7.1.el5_0.1
307. libusb-0.1.12-5.1
308. libtiff-3.8.2-7.el5
309. libcap-1.10-26
31. iproute-2.6.18-7.el5
310. beecrypt-4.1.2-10.1.1
311. keyutils-libs-1.2-1.el5
312. gnutls-1.4.1-2
313. hesiod-3.1.0-8
314. lcms-1.15-1.2.2
315. unixODBC-2.2.11-7.1
316. mingetty-1.07-5.2.2
317. checkpolicy-1.33.1-4.el5
318. perl-IO-Socket-INET6-2.51-2.fc6
319. rmt-0.4b41-2.fc6
32. php-pdo-5.3.1-1.el5.remi
320. termcap-5.5-1.20060701.1
321. grep-2.5.1-54.2.el5
322. libselinux-1.33.4-5.el5
323. e2fsprogs-libs-1.39-15.el5
324. sqlite-3.3.6-2
325. openssl-0.9.8e-12.el5
326. module-init-tools-3.3-0.pre3.1.37.el5
327. newt-0.52.2-10.el5
328. procps-3.2.7-9.el5
329. dbus-1.0.0-7.el5
33. device-mapper-multipath-0.4.7-17.el5
330. iptables-1.3.5-4.el5
331. libsemanage-1.9.1-3.el5
332. net-tools-1.60-78.el5
333. cpio-2.6-20
334. tcl-8.4.13-3.fc6
335. system-config-securitylevel-tui-1.6.29.1-2.1.el5
336. ntsysv-1.3.30.1-2
337. libselinux-python-1.33.4-5.el5
338. yum-metadata-parser-1.1.2-2.el5
339. libuser-0.54.7-2.el5.5
34. nss-tools-3.11.99.5-2.el5.centos
340. at-3.1.8-82.fc6
341. wpa_supplicant-0.4.8-10.2.el5
342. mtools-3.9.10-2.fc6
343. bc-1.06-21
344. vim-common-7.0.109-3.el5.3
345. vim-minimal-7.0.109-3.el5.3
346. libedit-2.11-2.20080712cvs.el5
347. gpm-1.20.1-74.1
348. iputils-20020927-43.el5
349. vim-enhanced-7.0.109-3.el5.3
35. python-elementtree-1.2.6-5
350. prelink-0.3.9-2.1
351. rrdtool-perl-1.2.23-5
352. setuptool-1.19.2-1.el5.centos
353. pam_krb5-2.2.14-1
354. crash-4.0-5.0.3.el5.centos
355. tmpwatch-2.9.7-1.1.el5.1
356. MySQL-python-1.2.1-1
357. irda-utils-0.9.17-2.fc6
358. stunnel-4.15-2
359. ksh-20060214-1.7
36. pam-0.99.6.2-3.27.el5
360. libutempter-1.1.4-3.fc6
361. telnet-0.17-39.el5
362. unzip-5.52-2.2.1
363. fbset-2.1-22
364. attr-2.4.32-1.1
365. hdparm-6.6-2
366. vconfig-1.9-2.1
367. symlinks-1.2-24.2.2
368. rsh-0.17-38.el5
369. glib-1.2.10-26
37. usermode-1.88-3.el5.1
370. strace-4.5.16-1.el5.1
371. python-urlgrabber-3.1.0-2
372. initscripts-8.45.19.EL-1.el5.centos.1
373. portmap-4.0-65.2.2.1
374. sysklogd-1.4.1-44.el5
375. sendmail-8.13.8-2.el5
376. crontabs-1.10-8
377. libXrender-0.9.1-3.1
378. gd-2.0.33-9.4.el5_1.1
379. libXmu-1.0.2-5
38. postgresql-libs-8.1.11-1.el5_1.1
380. libXft-2.1.10-1.1
381. GConf2-2.14.0-9.el5
382. libXxf86vm-1.0.1-3.1
383. php-gd-5.3.1-1.el5.remi
384. mdadm-2.6.4-1.el5
385. openssh-server-4.3p2-26.el5
386. mod_auth_mysql-3.0.0-3.2.el5_3
387. microcode_ctl-1.17-1.47.el5
388. mrtg-2.14.5-2
389. sos-1.7-9.2.el5
39. distcache-1.4.5-14.1
390. pptm-plugin-main-1.0.0.09112601-ara
391. perl-Parse-RecDescent-1.94-5.2.1
392. rpm-4.4.2-48.el5
393. policycoreutils-1.33.12-14.el5
394. ccid-1.0.1-6.el5
395. oddjob-0.27-9.el5
396. pptm-misc-1.0.0.09112601-ara
397. NetworkManager-0.6.4-8.el5
398. selinux-policy-targeted-2.4.6-137.el5
399. gpg-pubkey-e8562897-459f07a4
4. libjpeg-6b-37
40. audit-1.6.5-9.el5
400. libgcc-4.1.2-52.el5_8.1
401. libgomp-4.4.6-3.el5.1
402. glibc-devel-2.5-81.el5_8.7
403. libgcc-4.1.2-52.el5_8.1
404. yum-downloadonly-1.1.16-21.el5.centos
41. device-mapper-event-1.02.24-1.el5
42. udev-095-14.16.el5
43. libxslt-1.1.17-2.el5_2.2
44. aspell-0.60.3-7.1
45. groff-1.18.1.1-11.1
46. procmail-3.22-17.1.el5.centos
47. conman-0.1.9.2-8.el5
48. mc-4.6.1a-35.el5
49. nss_ldap-253-12.el5
5. libgpg-error-1.4-2
50. pam_pkcs11-0.5.3-23
51. php-mysql-5.3.1-1.el5.remi
52. gnupg-1.4.5-13
53. readahead-1.3-7.el5
54. mysql-connector-odbc-3.51.12-2.2
55. flow-tools-0.68-16
56. tcpdump-3.9.4-12.el5
57. ftp-0.17-33.fc6
58. nss_db-2.2-35.3
59. mgetty-1.1.33-9.fc6
6. libICE-1.0.1-2.1
60. nc-1.84-10.fc6
61. acl-2.2.39-3.el5
62. db4-utils-4.3.29-10.el5
63. finger-0.17-32.2.1.1
64. dos2unix-3.1-27.1
65. tree-1.5.0-4
66. setarch-2.0-1.1
67. pciutils-2.2.3-5
68. ntp-4.2.2p1-8.el5.centos.1
69. mkinitrd-5.1.19.6-28
7. libacl-2.2.39-3.el5
70. ypbind-1.19-8.el5
71. kbd-1.12-20.el5
72. kernel-2.6.18-274.3.1.el5.ara.6
73. libX11-1.0.3-9.el5
74. libXt-1.0.2-3.1.fc6
75. libXfixes-4.0.1-2.1
76. t1lib-5.1.1-7.el5
77. libXinerama-1.0.1-2.1
78. libgsf-1.14.1-6.1
79. ImageMagick-6.2.8.0-4.el5_1.1
8. slang-2.0.6-4.el5
80. anacron-2.3-45.el5.centos
81. yp-tools-2.9-0.1
82. php-5.3.1-1.el5.remi
83. acpid-1.0.4-5
84. rng-utils-2.0-1.14.1.fc6
85. mkbootdisk-1.5.3-2.1
86. mysql-bench-5.1.42-1.el5.remi
87. dump-0.4b41-2.fc6
88. man-pages-2.39-10.el5
89. rpm-libs-4.4.2-48.el5
9. perl-5.8.8-10.el5_0.2
90. rpm-python-4.4.2-48.el5
91. man-1.6d-1.1
92. coolkey-1.1.0-6.el5
93. php-snmp-5.3.1-1.el5.remi
94. system-config-network-tui-1.3.99.10-2.el5
95. redhat-lsb-3.1-12.3.EL.el5.centos
96. squid-2.6.STABLE21-6.el5
97. glibc-2.5-81.el5_8.7
98. kernel-headers-2.6.18-308.16.1.el5
[*] Mountpoints
———————————————————————————————————————————————-
/
/sys
/mnt/log
/proc/sys/fs/binfmt_misc
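An added example, not code from the post and not part of snmpcheck itself: a small parser for the report layout printed above that pulls out the listening sockets and turns them into the findings a defender would act on. The report above shows MySQL (tcp/3306), portmap (tcp and udp/111) and the SNMP agent itself (udp/161) bound to 0.0.0.0, plus IP forwarding switched on; the script flags exactly those. SAMPLE_REPORT is a constructed excerpt in the same layout (a handful of rows, not the full report), and SENSITIVE is my own list of services that should not face the network the way this host does.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the snmpcheck.pl report layout (not the full report from
# the post); separator lines may be runs of '-' or of em-dashes, as the tool prints them.
SAMPLE_REPORT = """\
snmpcheck.pl v1.8 - SNMP enumerator
[*] Network information
----------------------------------------
IP forwarding enabled : 1
Default TTL : 64
[*] Listening TCP ports and connections
----------------------------------------
Local Address Port Remote Address Port State
0.0.0.0 111 0.0.0.0 - Listening
0.0.0.0 3306 0.0.0.0 - Listening
127.0.0.1 25 0.0.0.0 - Listening
172.17.164.180 3306 172.17.164.194 23636 SYN received
[*] Listening UDP ports
----------------------------------------
Local Address Port
0.0.0.0 111
0.0.0.0 161
127.0.0.1 123
[*] Mountpoints
----------------------------------------
/
/mnt/log
"""

SECTION_RE = re.compile(r"^\[\*\]\s+(.+?)\s*$")
RULE_RE = re.compile(r"^[-\u2014]+$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# My own list: services that should never listen on 0.0.0.0 on a host exposed like this.
SENSITIVE = {
    ("tcp", 111): "portmap/rpcbind",
    ("tcp", 3306): "MySQL",
    ("udp", 111): "portmap/rpcbind",
    ("udp", 161): "SNMP agent (the service that handed out this whole report)",
    ("udp", 162): "SNMP trap receiver",
}


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split an snmpcheck report into {section title: [data lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and not RULE_RE.match(line):
            sections[current].append(line)
    return sections


def listening_sockets(sections) -> List[Tuple[str, str, int]]:
    """(proto, local address, port) for every socket in the Listening state."""
    found = []
    for line in sections.get("Listening TCP ports and connections", []):
        parts = line.split()
        if IP_RE.match(parts[0]) and parts[-1] == "Listening":
            found.append(("tcp", parts[0], int(parts[1])))
    for line in sections.get("Listening UDP ports", []):
        parts = line.split()
        if len(parts) == 2 and IP_RE.match(parts[0]):
            found.append(("udp", parts[0], int(parts[1])))
    return found


def exposure_findings(sections) -> List[str]:
    """Human-readable findings: forwarding enabled, sensitive ports on all interfaces."""
    findings = []
    netinfo = {}
    for line in sections.get("Network information", []):
        key, _, value = line.partition(" : ")
        netinfo[key.strip()] = value.strip()
    if netinfo.get("IP forwarding enabled") == "1":
        findings.append("IP forwarding enabled: host forwards packets between interfaces")
    for proto, addr, port in listening_sockets(sections):
        if addr == "0.0.0.0" and (proto, port) in SENSITIVE:
            findings.append(f"{proto}/{port} ({SENSITIVE[(proto, port)]}) bound to all interfaces")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for finding in exposure_findings(parse_sections(text)):
        print("-", finding)
```

Run it on a saved snmpcheck report (`python audit.py report.txt`) or with no argument to use the constructed excerpt. The fix for every finding is the same boring one: bind MySQL and portmap to the interface that actually needs them, stop the SNMP agent from answering the world with a guessable community, and turn off forwarding unless the box is meant to route.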
free proxy for everyone + vulnerable version = facepalm

According to the survey at http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html there are 886 open resolvers, which means if your hosts are under DDoS you can blame TELKOM.
Enough about bad networks, back to malware… let’s choose one DNS server to test a known Zeus domain

Looks like TELKOM doesn’t care about customers’ security!
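Both checks in the two paragraphs above (is the resolver open, and does it still hand out an answer for a known-bad name) come down to reading a DNS response header, so here is an added example of my own, not the post’s code: it builds the recursive query, parses the reply and classifies it from the RA flag, RCODE and answer count. The reply bytes are constructed by build_response() so the logic runs offline; “malware.example” is a placeholder, not a real Zeus domain. probe_resolver() sends the same query to a resolver you are responsible for; an answer with RA set from outside the resolver’s own network is what the survey counts as open, and an A record for a name you know to be malicious means nothing is filtering it.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Standard A query with RD=1 (recursion desired), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ra: bool, rcode: int, answers) -> bytes:
    """Constructed reply a resolver might send back to build_query() (test data only)."""
    txid, = struct.unpack("!H", query[:2])
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)  # QR, RD echoed, RA, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name ptr, A, IN, TTL, len
    return header + query[12:] + rrs


def skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Pull the header bits and any A-record answers out of a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    result = {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(an):
        offset = skip_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            result["answers"].append(".".join(str(b) for b in packet[offset:offset + 4]))
        offset += rdlen
    return result


def classify(result: dict) -> str:
    if not (result["txid_ok"] and result["is_response"]):
        return "not a matching response"
    if result["rcode"] == 5:
        return "refused (recursion restricted)"
    if not result["recursion_available"]:
        return "recursion not offered"
    if result["answers"]:
        return "open recursive resolver: answered"
    return "recursive, no answer (rcode %d)" % result["rcode"]


def probe_resolver(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one query over UDP/53 to a resolver you operate and parse what comes back."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(txid, name), (server, 53))
        reply, _ = sock.recvfrom(512)
    result = parse_response(reply, txid)
    result["verdict"] = classify(result)
    return result


if __name__ == "__main__":
    import sys
    print(probe_resolver(sys.argv[1], sys.argv[2]))   # e.g. <your resolver IP> malware.example
```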
Neighbours’ worm intrusively mapping my host

I’m not running MySQL, not even Windows!
TELKOM bigbro so aggressively tampering with my connections

I had to filter my outgoing packets.
Would love to hear if TELKOM gives me permission to follow up on this.
I just can’t let my family computers become bots, can you?
Exploiting real-world software isn’t as simple as software designed to be vulnerable: hardcoded addresses when doing ROP (remote) exploitation without owning the system, brute-forcing it?
On Linux I love PIE; it makes exploitation really harder. What about Windows? Take as a sample Stephen Bradshaw’s Vulnserver.
Go gadget… eh, Go Hardened!
% wine ~/.wine/drive_c/MinGW/bin/gcc.exe -c essfunc.c
% wine ~/.wine/drive_c/MinGW/bin/gcc.exe -shared -o essfunc.dll -Wl,--out-implib=libessfunc.a -Wl,--image-base=0x62500000 -Wl,--dynamicbase -Wl,--nxcompat essfunc.o
% wine ~/.wine/drive_c/MinGW/bin/gcc.exe vulnserver.c -o vulnserver.exe -fstack-protector-all -Wl,--dynamicbase -Wl,--nxcompat -lws2_32 ./libessfunc.a
We bake all the security mechanisms permanently into the binary itself.
% LD_PRELOAD=../lib/libpe/libpe.so ./pesec vulnserver.exe
ASLR: yes
DEP/NX: yes
SEH: yes
Stack cookies (EXPERIMENTAL): yes
% LD_PRELOAD=../lib/libpe/libpe.so ./pesec essfunc.dll
ASLR: yes
DEP/NX: yes
SEH: yes
Stack cookies (EXPERIMENTAL): yes
flagged
% objdump -p vulnserver.exe
vulnserver.exe: file format pei-i386
Characteristics 0x307
relocations stripped
executable
line numbers stripped
32 bit words
debugging information removed
Time/Date Sun Mar 3 03:43:33 2013
Magic 010b (PE32)
MajorLinkerVersion 2
MinorLinkerVersion 23
SizeOfCode 00002200
SizeOfInitializedData 00003e00
SizeOfUninitializedData 00000200
AddressOfEntryPoint 00001280
BaseOfCode 00001000
BaseOfData 00004000
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 1
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0000b000
SizeOfHeaders 00000400
CheckSum 00011ab7
Subsystem 00000003 (Windows CUI)
DllCharacteristics 00000140 <— this !
SizeOfStackReserve 00200000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00008000 00000680 Import Directory [parts of .idata]
Entry 2 00000000 00000000 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 0000a000 00000018 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 0000816c 000000f4 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in .idata at 0x408000
The Import Tables (interpreted .idata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
00008000 00008078 00000000 00000000 00008560 0000816c
DLL Name: essfunc.dll
vma: Hint/Ord Member-Name Bound-To
8260 0 EssentialFunc1
00008014 00008080 00000000 00000000 000085a0 00008174
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
8274 179 CreateThread
8284 207 DeleteCriticalSection
829c 236 EnterCriticalSection
82b4 279 ExitProcess
82c2 510 GetLastError
82d2 529 GetModuleHandleA
82e6 577 GetProcAddress
82f8 734 InitializeCriticalSection
8314 814 LeaveCriticalSection
832c 1140 SetUnhandledExceptionFilter
834a 1173 TlsGetValue
8358 1213 VirtualProtect
836a 1215 VirtualQuery
00008028 000080b8 00000000 00000000 00008618 000081ac
DLL Name: msvcrt.dll
vma: Hint/Ord Member-Name Bound-To
837a 55 __getmainargs
838a 77 __p__environ
839a 79 __p__fmode
83a8 99 __set_app_type
83ba 147 _cexit
83c4 266 _iob
83cc 383 _onexit
83d6 426 _setmode
83e2 583 abort
83ea 590 atexit
83f4 592 atoi
83fc 595 calloc
8406 625 free
840e 633 fwrite
8418 676 malloc
8422 682 memcpy
842c 684 memset
8436 689 printf
8440 692 puts
8448 706 signal
8452 717 strcpy
845c 721 strlen
8466 723 strncmp
8470 724 strncpy
847a 732 strtoul
8484 748 vfprintf
0000803c 00008124 00000000 00000000 0000865c 00008218
DLL Name: WS2_32.dll
vma: Hint/Ord Member-Name Bound-To
8490 26 WSACleanup
849e 43 WSAGetLastError
84b0 84 WSAStartup
84be 132 accept
84c8 133 bind
84d0 134 closesocket
84de 136 freeaddrinfo
84ee 137 getaddrinfo
84fc 150 htons
8504 152 inet_ntoa
8510 156 listen
851a 159 recv
8522 162 send
852a 166 socket
00008050 00008160 00000000 00000000 00008670 00008254
DLL Name: libssp-0.dll <— and this !
vma: Hint/Ord Member-Name Bound-To
8534 7 __stack_chk_fail
8548 8 __stack_chk_guard
00008064 00000000 00000000 00000000 00000000 00000000
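An added example of my own, not the post’s code and not pesec’s or objdump’s: a reader for the PE header fields objdump printed above. It decodes DllCharacteristics (0x140 = DYNAMIC_BASE | NX_COMPAT, the value flagged above) and adds the check a practitioner wants before trusting the ASLR tick: the same dump shows Characteristics 0x307, which includes the relocations-stripped bit, and an empty Base Relocation Directory (Entry 5), so the loader has no relocation data and cannot move the image off ImageBase 0x400000 no matter what DYNAMIC_BASE says. It also notes that the empty Load Configuration Directory (Entry a) means no SafeSEH handler table on this x86 image. build_sample_pe() constructs a header-only image with those values for offline testing; it is not the real vulnserver.exe.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_MACHINE_I386 = 0x014C
DIR_BASE_RELOCATION = 5   # data directory index of .reloc
DIR_LOAD_CONFIG = 10      # data directory index of the load config (SafeSEH table lives here)

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def build_sample_pe(characteristics=0x0307, dll_characteristics=0x0140,
                    reloc_size=0, loadconfig_size=0) -> bytes:
    """Constructed header-only PE32 image (not loadable; test data only).
    The defaults reproduce the header values objdump printed for vulnserver.exe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header with 16 directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASE_RELOCATION, 0x9000 if reloc_size else 0, reloc_size)
    struct.pack_into("<II", opt, 96 + 8 * DIR_LOAD_CONFIG, 0x9100 if loadconfig_size else 0, loadconfig_size)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def audit_pe(data: bytes) -> dict:
    """Decode the COFF/optional header fields that decide ASLR, NX and SafeSEH."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
        n_dirs_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:                              # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        n_dirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    n_dirs, = struct.unpack_from("<I", data, n_dirs_off)

    def dir_size(index: int) -> int:
        if index >= n_dirs:
            return 0
        return struct.unpack_from("<II", data, dirs + 8 * index)[1]

    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_dir = dir_size(DIR_BASE_RELOCATION) > 0
    aslr_flag = "DYNAMIC_BASE" in flags
    report = {
        "format": "PE32" if magic == 0x10B else "PE32+",
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "flags": flags,
        "aslr_flag": aslr_flag,
        "nx": "NX_COMPAT" in flags,
        # The loader can only move an image that still carries relocation data.
        "aslr_effective": aslr_flag and has_reloc_dir and not relocs_stripped,
        "warnings": [],
    }
    if aslr_flag and not report["aslr_effective"]:
        report["warnings"].append(
            "DYNAMIC_BASE set but RELOCS_STRIPPED=%s and .reloc size=%d: image cannot be "
            "rebased and loads at 0x%x" % (relocs_stripped, dir_size(DIR_BASE_RELOCATION), image_base))
    if machine == IMAGE_FILE_MACHINE_I386 and "NO_SEH" not in flags and dir_size(DIR_LOAD_CONFIG) == 0:
        report["warnings"].append("x86 image uses SEH but has no Load Configuration directory: no SafeSEH table")
    return report


if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(audit_pe(data), indent=2))
```

Point it at a real binary with `python peaudit.py vulnserver.exe`. The flags list is what pesec reports as "ASLR: yes"; the aslr_effective field is the question pesec does not ask, and for a MinGW build with the relocations-stripped bit set the answer is no until the link produces a .reloc section.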
OK, now go to Windows.
Make sure libssp is in your environment, and set DEP to always on:
> bcdedit.exe /set {current} nx AlwaysOn
The system has EMET:
> EMET_Conf.exe --system --force DEP=AlwaysOn SEHOP=ApplicationOptOut ASLR=ApplicationOptIn
And Vulnserver too:
> EMET_Conf.exe --set --force C:\path\to\vulnserver.exe +DEP +SEHOP +NullPage +EAF +MandatoryASLR +BottomUpASLR
reboot ‘n smashed
(gdb) r
Starting program: C:\path\to\vulnserver.exe
[New Thread 3980.0xe9c]
[New Thread 3980.0x938]
Starting vulnserver version 1.00
Called essential function dll version 1.00
This is vulnerable software!
Do not allow access from untrusted systems or networks!
Waiting for client connections…
Received a client connection from 192.168.56.1:42809
Waiting for client connections…
[New Thread 3980.0x668]
*** stack smashing detected ***: terminated
Program received signal SIGILL, Illegal instruction.
[Switching to Thread 3980.0x668]
0x68ac1310 in ?? () from C:\mingw\bin\libssp-0.dll
(gdb) i f
Stack level 0, frame at 0x1d1f200:
eip = 0x68ac1310; saved eip 0x68ac136a
called by frame at 0x1d1f210
Arglist at 0x1d1f1f8, args:
Locals at 0x1d1f1f8, Previous frame’s sp is 0x1d1f200
Saved registers:
ebx at 0x1d1f1ec, ebp at 0x1d1f1f8, esi at 0x1d1f1f0, edi at 0x1d1f1f4,
eip at 0x1d1f1fc
(gdb) x/i 0x68ac1310
=> 0x68ac1310: ud2
ud2 is not a stray illegal instruction: it is the deliberate trap libssp falls into once an evil length has trashed the guard and __stack_chk_fail has printed its message.
opcode 0F 0B, a.k.a. raise the invalid opcode exception (#UD), so the process dies right there instead of returning through the smashed frame
0:000> g
ModLoad: 75330000 7537c000 C:\Windows\system32\apphelp.dll
ModLoad: 69550000 69567000 C:\Windows\AppPatch\emet.dll
ModLoad: 767f0000 768b9000 C:\Windows\system32\USER32.dll
ModLoad: 75690000 756de000 C:\Windows\system32\GDI32.dll
ModLoad: 77360000 7736a000 C:\Windows\system32\LPK.dll
ModLoad: 77370000 7740d000 C:\Windows\system32\USP10.dll
ModLoad: 77340000 7735f000 C:\Windows\system32\IMM32.DLL
ModLoad: 76ea0000 76f6c000 C:\Windows\system32\MSCTF.dll
ModLoad: 74dc0000 74dfc000 C:\Windows\system32\mswsock.dll
ModLoad: 74910000 74915000 C:\Windows\System32\wshtcpip.dll
(cf4.d28): Illegal instruction - code c000001d (first chance)
(cf4.d28): Illegal instruction - code c000001d (!!! second chance !!!)
eax=00000000 ebx=01a6f1ae ecx=76d73b76 edx=77247094 esi=68ac8079 edi=00000000
eip=68ac1310 esp=01a6f170 ebp=01a6f1f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\mingw\bin\libssp-0.dll -
libssp_0+0x1310:
68ac1310 0f0b ud2
0:002> .load pykd.pyd
0:002> !py mona pattern_offset 0x68ac1310
Hold on…
Looking for …h in pattern of 500000 bytes
Looking for h… in pattern of 500000 bytes
- Pattern h… not found in cyclic pattern
Looking for …h in pattern of 500000 bytes
Looking for h… in pattern of 500000 bytes
- Pattern h… not found in cyclic pattern (uppercase)
Looking for …h in pattern of 500000 bytes
Looking for h… in pattern of 500000 bytes
- Pattern h… not found in cyclic pattern (lowercase)
[+] This mona.py action took 0:00:00.468000
not sure? ok, increase the buffer length
% ./pattern_offset.rb 0x68ac1310 99999999
[*] No exact matches, looking for likely candidates…
>=(
of course nothing matches: 0x68ac1310 is the address of the ud2 inside libssp-0.dll, not four bytes of the cyclic pattern. The guard check fired before the overwritten return address was ever popped, so there is no offset to find, and no amount of buffer length will change that.
seems SSP on windows quite interesting
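To make the ud2 concrete, here is an added example (my own illustration, not libssp's or vulnserver's code) of what a -fstack-protector frame does: a guard word is planted right above the local buffer in the prologue and compared again in the epilogue, and only the failure path prints the message and executes __builtin_trap(), which GCC emits as ud2 on x86. The 16-byte buffer, the 4-byte guard, the fixed guard value 0xDEADBEEF and the cap on the copy length are assumptions made so the demo stays inside one array; the real guard is random per process and sits just below the saved EBP/EIP. On MinGW the real thing comes from compiling with -fstack-protector-all, which is what pulls libssp-0.dll into the import table shown above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of a stack-protector frame; not libssp's code.
 * Layout assumed for the demo: [ buf: 16 bytes ][ guard: 4 bytes ]
 * The real guard value is random per process; 0xDEADBEEF is a stand-in. */
#define BUF_SIZE   16
#define GUARD_SIZE 4
#define FRAME_SIZE (BUF_SIZE + GUARD_SIZE)

static const uint32_t guard_value = 0xDEADBEEFu;

/* What a protected function's body amounts to: plant the guard, run the
 * unchecked copy, then compare the guard before "returning".
 * n is capped at FRAME_SIZE so the write stays inside the array; the bytes
 * that land on the guard are exactly what an overrun of buf hits first on
 * its way to the saved frame pointer and return address.
 * Returns 1 if the guard is intact, 0 if it was overwritten. */
int frame_guard_intact(const unsigned char *src, size_t n)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t guard;

    memcpy(frame + BUF_SIZE, &guard_value, GUARD_SIZE);   /* prologue: plant guard */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;                                    /* demo-only cap */
    memcpy(frame, src, n);                                 /* the bug: no bound on n */
    memcpy(&guard, frame + BUF_SIZE, GUARD_SIZE);          /* epilogue: re-read guard */
    return guard == guard_value;
}

/* The __stack_chk_fail path: report and trap. __builtin_trap() compiles to
 * ud2 (0F 0B) on x86, the "Illegal instruction" both debuggers above show. */
void guarded_copy(const unsigned char *src, size_t n)
{
    if (!frame_guard_intact(src, n)) {
        fputs("*** stack smashing detected ***: terminated\n", stderr);
        __builtin_trap();
    }
}

/* Demo helper: copy the first n bytes of a constructed run of 'A'. */
int overflow_probe(size_t n)
{
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);      /* constructed input, like the pattern */
    return frame_guard_intact(input, n);
}

int main(void)
{
    unsigned char input[FRAME_SIZE];

    printf("8 bytes : guard %s\n", overflow_probe(8)  ? "intact" : "smashed");
    printf("16 bytes: guard %s\n", overflow_probe(16) ? "intact" : "smashed");
    printf("20 bytes: guard %s\n", overflow_probe(20) ? "intact" : "smashed");

    /* the fatal path: 20 bytes through the trapping wrapper */
    memset(input, 'A', sizeof input);
    guarded_copy(input, 20);               /* prints the message and dies on ud2 */
    return 0;
}
```

Run it under gdb and the last line stops with SIGILL on the ud2 inside guarded_copy, the same picture as the libssp frame above; the return address that pattern_offset is looking for was never consumed.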
The end.
guess what happens next
In my previous post on PIE
it showed that security and performance don't go together
so choosing a good lib is important
let's compare!
String copy (strlcpy) from the Internet Systems Consortium
#include <isc/string.h>
int main(int argc, char **argv)
{
    char buf[256];
    /* no NULL check on argv[1]: that is the point of the test */
    strlcpy(buf, argv[1], sizeof(buf));
    return 0;
}
aarrgghh, this is not the null termination we are looking for
(watch what happens when the first argument is a NULL pointer):
% gcc isc.c -o isc -lisc
% LD_DEBUG=statistics ./isc $(perl -e 'print "A"x(3**37)')
Out of memory!
Out of memory!
4596:
4596: runtime linker statistics:
4596: total startup time in dynamic loader: 3627250 clock cycles
4596: time needed for relocation: 1811777 clock cycles (49.9%)
4596: number of relocations: 321
4596: number of relocations from cache: 10
4596: number of relative relocations: 4720
4596: time needed to load objects: 1463066 clock cycles (40.3%)
[1] 4596 segmentation fault (core dumped) LD_DEBUG=statistics ./isc $(perl -e 'print "A"x(3**37)')
perl died before printing anything, so $(...) expanded to nothing, the first argument was NULL, and ISC's strlcpy walked straight into it.
GLib to the rescue!
#include <glib.h>
int main(int argc, char **argv)
{
    char buf[256];
    /* same missing NULL check; g_strlcpy's own guard catches it */
    g_strlcpy(buf, argv[1], sizeof(buf));
    return 0;
}
sooooooo clear
% gcc glib.c -o glib $(pkg-config --cflags --libs glib-2.0)
% LD_DEBUG=statistics ./glib $(perl -e 'print "A"x(3**37)')
Out of memory!
Out of memory!
7067:
7067: runtime linker statistics:
7067: total startup time in dynamic loader: 1756755 clock cycles
7067: time needed for relocation: 744337 clock cycles (42.3%)
7067: number of relocations: 124
7067: number of relocations from cache: 4
7067: number of relative relocations: 1456
7067: time needed to load objects: 678392 clock cycles (38.6%)
(process:7067): GLib-CRITICAL **: g_strlcpy: assertion `src != NULL’ failed
7067:
7067: runtime linker statistics:
7067: final number of relocations: 173
7067: final number of relocations from cache: 4
I'm kinda confused by the software world
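Here is an added example (mine, not ISC's or GLib's code) of the contract both snippets above rely on but never check: an OpenBSD-style strlcpy that always NUL-terminates and returns strlen(src), wrapped in copy_arg(), which refuses a NULL source (the case ISC dereferences and GLib only logs) and turns the return value into a truncation verdict. The names my_strlcpy, copy_arg and the copy_status enum are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ISC's or GLib's code: an strlcpy with the OpenBSD
 * contract (always NUL-terminates when dstsize > 0, returns strlen(src))
 * plus the two checks both programs above leave out. */

enum copy_status {
    COPY_OK = 0,        /* whole string fits */
    COPY_TRUNCATED = 1, /* dst holds only the first dstsize-1 bytes */
    COPY_NULL_SRC = 2,  /* caller passed NULL; dst set to "" */
    COPY_NO_SPACE = 3   /* dstsize == 0, nothing written */
};

/* OpenBSD-style strlcpy: copies at most dstsize-1 bytes, always terminates,
 * returns the length it would have needed (strlen(src)). */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Wrapper that makes the two silent failure modes explicit: a NULL source
 * (ISC's version dereferences it, GLib's prints a CRITICAL and returns 0)
 * and truncation, which a bare strlcpy call only reveals via its return. */
enum copy_status copy_arg(char *dst, size_t dstsize, const char *src)
{
    size_t needed;

    if (dstsize == 0)
        return COPY_NO_SPACE;
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_NULL_SRC;
    }
    needed = my_strlcpy(dst, src, dstsize);
    return needed >= dstsize ? COPY_TRUNCATED : COPY_OK;
}

int main(int argc, char **argv)
{
    char buf[256];
    /* argv[1] is NULL when no argument is given, exactly the $(...) case above */
    enum copy_status st = copy_arg(buf, sizeof buf, argc > 1 ? argv[1] : NULL);

    switch (st) {
    case COPY_OK:        printf("copied: %s\n", buf); break;
    case COPY_TRUNCATED: printf("truncated to %zu bytes: %s\n", strlen(buf), buf); break;
    case COPY_NULL_SRC:  puts("no argument given (NULL source)"); break;
    case COPY_NO_SPACE:  puts("no room"); break;
    }
    return st == COPY_OK ? 0 : 1;
}
```

The point is the return value: strlcpy(buf, src, sizeof buf) >= sizeof buf means the input was cut, and both programs above throw that information away, so a too-long argument is "handled" by quietly becoming a different string.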

multiple buffer overflows in a UPnP library, courtesy of @meikk
there are safe functions and compiler security features,
so why do developers still not use them?