Chatsubo [(in)Security Dark] Labs

"... A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding into the distance... "
--
William Gibson.

Tuesday, October 26, 2010

DotDotPwn v2.1 - The Traversal Directory Fuzzer

Dewds!! We've set up the official website:
http://dotdotpwn.sectester.net/

These are the new features included in v2.1 (transcription of CHANGELOG.txt):
----------------
DotDotPwn v2.1
Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)
Release date: 14/Oct/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to
see some examples)
* TFTP Module implemented
* -k switch for false positive avoidance making another verification once the
HTTP Status 200 is received. This option looks for the specified parameter
in the server's response.
(e.g. -k "root:" if trying with /etc/passwd file
or -k "localhost" in windows/system32/drivers/etc/hosts)
With this option enabled, the HTTP module will print the total of false
positives detected during the scan as long as there is more than one.
* -p switch for payload specification.
This option simply takes the text file passed as a parameter, replaces the
'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified
port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including
cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the
request that would be fuzzed)
* For the impatient, when it's working in quiet mode (-q switch), it prints
a dot every certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error
occurs (e.g. the Web server doesn't respond anymore because it has reached
the maximum number of clients/sockets/threads)
* Prints the time taken at the end of the testing
* A cleaner usage message (help message)

Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
-------------

And again, I include some screensh0tz ... Enjoy them and stay tuned for the public release !!..

[ STDOUT Module + scripting ;) ] against Webmin 1.280



TFTP Module against TFTPDWin



Without False Positive detection


With False Positive detection



PAYLOAD Module against Webmin 1.280




Ch33333rz ! B-) c yaaa @ BugCon 2k10 !

Thursday, September 9, 2010

DotDotPwn - The Directory Traversal Fuzzer

"Welly, welly, welly, well." -- A Clockwork Orange (movie).

Hell Yes !!!! B-), a few weeks ago, my brother chr1x from CubilFelino Security Labs published a tool to detect directory traversal vulnerabilities in FTP/HTTP servers. It only relied upon 2 .txt files (databases) with the payloads to be launched at the target. Then, some cool ideas came into my mind, so I wrote the c0de from scratch and on a modular basis, and I included a lot of features/enhancements, but the main change was going from a Checker to a Fuzzer (I c0ded a Traversal Engine for it).

Well, stay tuned for the public release ;) s00n !! (DotDotPwn v2.0)
Official Website: http://chr1x.sectester.net/toolz/ddpwn/

----------
Release date: 2/Sept/2010 (NON-PUBLIC Version)
Author: nitrØus (nitrousenador@gmail.com)

Changes / Enhancements / Features:
* From Checker to Fuzzer
* Rewritten from scratch
* Modular architecture (DotDotPwn packages)
* Traversal Engine to automatically create the fuzzing patterns to be sent.
This engine makes all the permutations between the dots and slashes
encodings, iterates over the traversal depth passed as argument and finally
concatenates the filenames intelligently according to the Operating System
detected (in case the -O switch is enabled); otherwise, the engine includes all
the defined file sets (Windows, UNIX and Generic).
* -O switch for Operating System detection (nmap) and -s switch for service detection
* -f switch available to define a specific file name to retrieve
* -U and -P switches to supply specific usernames/passwords
* -d switch to specify the desired depth of traversals
(e.g. depth 3 equals ../../../)
* -t switch to specify the time in milliseconds between each attempt
* -x switch to specify a different TCP/UDP port than the defaults
* -b switch to break after the first vulnerability is found
* -q switch for quiet mode (doesn't print each attempt to STDOUT)
* Special treatment of Slash/Backslash in filenames in order to have a
correct semantic within each traversal string.
* Improvement in the FTP module to compare against the server's response code
instead of the vendor-dependent response message (in compliance with RFC 959 FTP)
* Improvement in the parameter passing
* A cool banner was included ;)

Supported modules:
- HTTP
- HTTP Parameters (url)
- FTP
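The encodings the Traversal Engine permutes (dots, slashes, depth, OS-specific file sets) and the false-positive problem behind the v2.1 -k switch are exactly what a defender has to undo on the receiving side. The following Python is an added example, not DotDotPwn code: it normalizes the request path in constructed access-log lines (plain, %2e/%2f, double-encoded with backslashes, overlong UTF-8 and %uXXXX forms) and reports the traversal depth and the file reached for; the sample log, the OVERLONG table and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page). The requests mimic the
# dots/slashes encodings a traversal fuzzer permutes: plain, %2e/%2f URL encoding,
# double encoding with backslashes, overlong UTF-8, and a benign "a..b" file name.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2010:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [26/Oct/2010:10:00:02 -0500] "GET /../../../etc/passwd HTTP/1.1" 200 512
10.0.0.5 - - [26/Oct/2010:10:00:03 -0500] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 200
10.0.0.5 - - [26/Oct/2010:10:00:04 -0500] "GET /%252e%252e%255c%252e%252e%255cwindows%255csystem32%255cdrivers%255cetc%255chosts HTTP/1.1" 200 300
10.0.0.5 - - [26/Oct/2010:10:00:05 -0500] "GET /images/..%c0%af..%c0%afetc/passwd HTTP/1.1" 403 0
10.0.0.5 - - [26/Oct/2010:10:00:06 -0500] "GET /docs/a..b/file.txt HTTP/1.1" 200 100
"""

# Overlong UTF-8 encodings of '/' and '\' that lenient decoders have accepted.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment with a separator (or the string boundary) on both sides.
DOTDOT = re.compile(r"(?:^|/)\.\.(?=/|$)")


def normalize(path, rounds=3):
    """Decode a request path the way a permissive server might: percent-decode
    repeatedly (defeats double encoding), fold %uXXXX and overlong forms to the
    separator they stand for, then treat backslash and slash alike."""
    prev = None
    for _ in range(rounds):
        low = path.lower()
        for enc, sep in OVERLONG.items():
            low = low.replace(enc, sep)
        low = re.sub(r"%u00([0-9a-f]{2})", r"%\1", low)  # IIS-style %u002e -> %2e
        decoded = unquote(low)
        if decoded == prev:
            break  # fixed point: nothing left to decode
        prev = path = decoded
    return path.replace("\\", "/")


def traversal_depth(path):
    """Number of '..' segments in the normalized path (3 for ../../../)."""
    return len(DOTDOT.findall(normalize(path)))


def target_of(path):
    """What the request reaches for: the part after the last '..' segment."""
    norm = normalize(path)
    last = norm.rfind("../")
    return norm if last < 0 else norm[last + 3:]


def scan_log(text):
    """One record per request whose path climbs out of the document root."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        depth = traversal_depth(m["path"])
        if depth:
            hits.append({
                "path": m["path"], "depth": depth, "target": target_of(m["path"]),
                "status": int(m["status"]),
                # An HTTP 200 alone is not proof the file came back (the false
                # positives behind the -k switch); it only marks the hit for review.
                "needs_review": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```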

And as I said before, a picture is worth a thousand words, so I post some screenshots ;) .. Enjoy them !

DotDotPwn (Usage)


Traversal Engine (Description)


Traversal Engine (Resources)


Traversal Engine (Working [internals])


OS and Service detection (taken into account in the Traversal Engine for intelligent fuzzing)


HTTP-Params Module (Description)


HTTP-Params Module (Usage)


HTTP-Params Module (Vulnerabilities found)


FTP Module (Vulnerabilities found, quiet mode and retrieved files)


HTTP Module (Vulnerabilities found)


Well, stay tuned on http://chr1x.sectester.net/toolz/ddpwn/ for the public release ;).

Keep Fuzz1ng !!!!!! B-/
nitrØus

Thursday, August 26, 2010

Chatsubo [(in)Security Dark] Labs say Hi !

Well, before I go to bed, I'd like to present my workplace, the:

Chatsubo [(in)Security Dark] Labs.
Here, cool stuff happens: insanity crossing the wires, sparks emerging from the keyboards and damn g00d music resounding off the walls. Nowadays, distributed across 3 different geographic locations in Mexico, the Chatsubo Labs is armed with laptops, servers, desktops, one firewall, one access point, switches and routers. In there reside research projects, tons and tons of lines of c0de developed by me (nitrØus), a variety of Operating Systems (Solaris, OpenBSD, NetBSD, Minix, Gentoo, Debian, CentOS, n00buntu, RedHat, IOS and probably others) and many virtual machines to have fun with as well.

By now, you may be wondering where the hell the name came from? Well, it's inspired by the bar described early in the cyberpunk novel Neuromancer (William Gibson). The Chat (short for Chatsubo) exists in some particularly dingy corner of Night City, in Chiba, Japan. So that's why I liked the name: a consensual hallucination, my meeting place for cyberspace c0wboys and hackers (friends of mine) eager to do interesting stuff.

Now, lexicographically speaking, the [] and the () represent nested options; what I mean is that I can call my labs any of the following ways (which helps me in different situations depending on the context ;)):
- Chatsubo Labs
- Chatsubo inSecurity Dark Labs
- Chatsubo Security Dark Labs

Wanna see?... A picture is worth a thousand words, so this is it!, a picture of the Chat that I took a few years ago in one of the currently 3 different geographic locations:


The next is a picture of an old laptop where I learned some Operating Systems Development and learned how to build my 0wn boot loader in ASM on a floppy disk (3.5") jeje. With this toy, I used to have fun with my first OpenBSD 3.4 and Red Hat Linux 7.3


What about decoration???... Well, a jellyfish tank and a lava lamp help to make the Chatsubo Labs a nice place to work:



Video of the Jellyfish Tank:


Finally, if u want 2 add teh labs on ur 0wn website/bl0g, these are the *official* banners (note my highly specialized graphic design sk1lls in MS Paint jaja):




Keep r0cking !!!!! Ch33rz !
- nitrØus

Tuesday, August 24, 2010

Advanced Persistent Threat

I was reordering and deleting some old bookmarks, and I found a good article I read last month about APT.

For those who haven't heard about it, I suggest u read this good article...

Understanding the advanced persistent threat
by: Richard Bejtlich
Issue: Jul 2010
http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1516312,00.html

l8 chr33z !!

Sunday, August 8, 2010

John the Ripper benchmark

These are the results of a little benchmark that I performed a couple of months ago.

Versions that I compiled and tested:
- ANY
- SSE2
- MMX
- NTLM (source code patched to crack NTLM hashes)

BENCHMARKING
ANY
Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts: 278297 c/s real, 347004 c/s virtual
Only one salt: 268979 c/s real, 334551 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 9484 c/s real, 11738 c/s virtual
Only one salt: 9288 c/s real, 11552 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6795 c/s real, 8472 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 409 c/s real, 496 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 266547 c/s real, 331526 c/s virtual
Long: 772505 c/s real, 960827 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 4773K c/s real, 5951K c/s virtual


MMX
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts: 1041K c/s real, 1301K c/s virtual
Only one salt: 936512 c/s real, 1150K c/s virtual

Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts: 34188 c/s real, 42417 c/s virtual
Only one salt: 33753 c/s real, 41982 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6794 c/s real, 8425 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short: 339046 c/s real, 422751 c/s virtual
Long: 1031K c/s real, 1276K c/s virtual

Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw: 8434K c/s real, 10516K c/s virtual


SSE2
Benchmarking: Traditional DES [128/128 BS SSE2]... DONE
Many salts: 2050K c/s real, 2543K c/s virtual
Only one salt: 1760K c/s real, 2194K c/s virtual

Benchmarking: BSDI DES (x725) [128/128 BS SSE2]... DONE
Many salts: 68352 c/s real, 85014 c/s virtual
Only one salt: 66560 c/s real, 82376 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6819 c/s real, 8465 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short: 339814 c/s real, 420562 c/s virtual
Long: 1025K c/s real, 1279K c/s virtual

Benchmarking: NT LM DES [128/128 BS SSE2]... DONE
Raw: 9648K c/s real, 11912K c/s virtual


NTLM Patch
Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts: 280217 c/s real, 348529 c/s virtual
Only one salt: 269644 c/s real, 333718 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 9659 c/s real, 12013 c/s virtual
Only one salt: 8982 c/s real, 10980 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6806 c/s real, 8402 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 265574 c/s real, 331140 c/s virtual
Long: 741427 c/s real, 901979 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 4750K c/s real, 5836K c/s virtual

Benchmarking: NT MD4 [Generic 1x]... DONE
Raw: 9549K c/s real, 11906K c/s virtual



CRACKING
[nitr0us@nectar run]$ ./unshadow ~/passwd ~/shadow > ~/passshad

ANY
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:01 100% (2) c/s: 5654 trying: virginia

real 0m1.016s
user 0m0.730s
sys 0m0.022s

MMX
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:00 100% (2) c/s: 5768 trying: virginia

real 0m1.008s
user 0m0.695s
sys 0m0.025s



SSE2
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:00 100% (2) c/s: 5827 trying: virginia

real 0m0.984s
user 0m0.734s
sys 0m0.016s


NTLM-Patch
ANY
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [32/32 BS])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1560K trying: 4OUH - POOR

real 0m1.252s
user 0m0.843s
sys 0m0.043s


[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [Generic 1x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1309K trying: cbc7 - pamc

real 0m1.474s
user 0m0.952s
sys 0m0.040s


MMX
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [64/64 BS MMX])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1727K trying: 4OUH - PAVS

real 0m1.127s
user 0m0.804s
sys 0m0.039s

[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [Generic 1x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1426K trying: cbc7 - pamc

real 0m1.348s
user 0m1.009s
sys 0m0.040s


SSE2
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [128/128 BS SSE2])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1915K trying: 4OUH - PRN3

real 0m1.019s
user 0m0.732s
sys 0m0.030s

[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [X86 SSE2 5x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1459K trying: cbjk - pov0

real 0m1.315s
user 0m0.935s
sys 0m0.046s

Interesting results ;) ... HAPPY CRACKING !!

Thursday, July 29, 2010

Having fun with RISK management equations

A few weeks have passed without any post, so I think it's time... Today I'm havin' fun with MS Excel (yes, I'm a f**ck1ng n00b in Excel), calculating and automating some equations for the risk assessment methodology I've created for a company.

Example of threat evaluation (taken from the Internet):

The methodology that we created as a team includes the basic principles of risk management. I've used some references such as the NIST SP 800-30 special publication (Risk Management Guide for Information Technology Systems), ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management, and many other documents widespread on the Internet !

Finally, a few moments ago I optimized an Excel formula to automate the process of THREAT valuation using their impacts and likelihoods. First, I tried this one:

=IF(AND(C4=1,D4=1),1,
IF(AND(C4=2,D4=1),1,
IF(AND(C4=3,D4=1),2,
IF(AND(C4=1,D4=2),1,
IF(AND(C4=2,D4=2),2,
IF(AND(C4=3,D4=2),3,
IF(AND(C4=1,D4=3),2,
IF(AND(C4=2,D4=3),3,
IF(AND(C4=3,D4=3),3,0)))))))))


But... it's too long, and Excel sends u a syntax error. So, I exercised my mind and could make it simpler, taking leverage of the boolean operators OR() and AND() as well as nested IF() statements.

=IF(OR(
AND(C4=1,D4=1),
AND(C4=2,D4=1),
AND(C4=1,D4=2)),1,
IF(OR(
AND(C4=3,D4=1),
AND(C4=2,D4=2),
AND(C4=1,D4=3)),2,
IF(OR(
AND(C4=3,D4=2),
AND(C4=2,D4=3),
AND(C4=3,D4=3)),3,0)))


Works fine !, not a big deal though. As you can see, this is something VERY VERY simple, but I'm pr0ud of my newbie Excel Skillz jajaj :D...
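The trick that shortens the formula generalizes: group the matrix cells by the level they map to, then emit one IF per level instead of one per cell. The Python below is an added example (not from the post): it generates both shapes of the formula from the same 3x3 matrix, counts their IF nesting, and checks with a tiny IF/OR/AND evaluator that they agree on every cell and on out-of-range input. The cell names C4/D4 follow the post; the function names are this example's own.

```python
# The 3x3 threat matrix from the post, keyed by (impact, likelihood) where impact
# lives in column C and likelihood in column D; anything off the grid scores 0.
THREAT_MATRIX = {
    (1, 1): 1, (2, 1): 1, (3, 1): 2,
    (1, 2): 1, (2, 2): 2, (3, 2): 3,
    (1, 3): 2, (2, 3): 3, (3, 3): 3,
}


def threat_level(matrix, impact, likelihood, default=0):
    """Reference lookup that the generated formulas must reproduce."""
    return matrix.get((impact, likelihood), default)


def verbose_formula(matrix, impact_cell="C4", likelihood_cell="D4", default=0):
    """First attempt from the post: one IF per cell, nested as deep as there are cells."""
    cells = sorted(matrix, key=lambda c: (c[1], c[0]))  # row by row, as written in the post
    body = "".join(f"IF(AND({impact_cell}={i},{likelihood_cell}={l}),{matrix[(i, l)]},"
                   for i, l in cells)
    return "=" + body + str(default) + ")" * len(cells)


def compact_formula(matrix, impact_cell="C4", likelihood_cell="D4", default=0):
    """Group cells by the level they map to and emit one IF(OR(AND(...),...)) per level,
    so the nesting depth is the number of distinct levels rather than the number of cells."""
    levels = sorted(set(matrix.values()))
    body = ""
    for level in levels:
        cells = sorted((c for c, v in matrix.items() if v == level),
                       key=lambda c: (c[0] + c[1], -c[0]))  # anti-diagonal order, as in the post
        conds = ",".join(f"AND({impact_cell}={i},{likelihood_cell}={l})" for i, l in cells)
        body += f"IF(OR({conds}),{level},"
    return "=" + body + str(default) + ")" * len(levels)


def if_depth(formula):
    """How many IFs are nested: the figure Excel's nesting limit applies to."""
    return formula.count("IF(")


def evaluate(formula, **cells):
    """Evaluate the IF/OR/AND subset used here by mapping it onto Python. Only ever
    fed formulas generated above, never spreadsheet text from outside this script."""
    expr = formula.lstrip("=")
    for name, value in cells.items():
        expr = expr.replace(name, str(value))
    expr = expr.replace("=", "==")
    funcs = {"IF": lambda c, a, b: a if c else b,
             "OR": lambda *a: any(a), "AND": lambda *a: all(a)}
    return eval(expr, {"__builtins__": {}}, funcs)


def formulas_agree(matrix, default=0):
    """True when both formulas match the matrix on every cell and on out-of-range input."""
    probes = [(i, l) for i in range(1, 5) for l in range(1, 5)]
    return all(evaluate(f(matrix), C4=i, D4=l) == threat_level(matrix, i, l, default)
               for f in (verbose_formula, compact_formula) for i, l in probes)


if __name__ == "__main__":
    print(compact_formula(THREAT_MATRIX))
    print(if_depth(verbose_formula(THREAT_MATRIX)), "nested IFs vs",
          if_depth(compact_formula(THREAT_MATRIX)))
```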

Have fun ! ;)

Sunday, July 11, 2010

NY Times - Bombing Suspect's Long Path to Times Square

This is a picture that I took last month of a New York Times newspaper ... I was there a week after the failed attempt..

Fuck t3rr0r1st5 !!.. Fuck 'em all !!

Saturday, June 19, 2010

2600 m33ting @ Toronto, Canada

me (nitr0us) holding a Lineman's Handset (the *LEGAL* beige b0x :D)

I spent a great time with some Canadian friends at the monthly Toronto 2600 m33ting. It started at 6pm when I arrived at the venue (Free Times Coffee), met Nicholaus and at the same time we asked for organic beer. We talked for about half an hour when another girl & boy arrived at the place =).

After that, we asked for more beer and fries !.. Meanwhile, we were talking about some interesting topics such as Toronto's airport physical insecurity, urban exploration, plant growth, comics, phreaking, electricity, comedy, etc..

1 hour later, another guy and his girlfriend joined us. He was a very interesting guy who brought a Lineman's Handset (the *LEGAL* beige b0x :D) and knew a looooot of things about phreaking and electricity.

2 hours later, 2 radical guys, dressed all in black (I mean, ALL), I can't remember where they came from, Chicago or San Francisco, but anyway... They were there in Toronto 'cause of their work: CAR HACKING =)... Yes, those guys were aliens or something like that, they weren't humans jejeje, they knew a lot of things about hacking new and old cars!!! and also, they carried a lot of cool stuff and devices in their bags ;).. Aw3some shit !!!...

As you can see, THAT'S HACKING ... As I said before, hacking is not about 31337 üb3r 0-day exploits and l33tz0r pwnz0r st3alth b4ckd00rz ...

I had a great and interesting time there !...


The venue, Free Times Coffee @ Toronto, Canada

Keep rocking !

Tuesday, June 1, 2010

Trend Micro Data Loss Prevention 5.2 (formerly LeakProof) Data Leakage

I just published a security advisory regarding a vulnerability that I found last year.

CLICK HERE TO READ IT


Keep rocking !!!

Wednesday, May 26, 2010

I'm a GPEN now ! ;)


Today I took the 4-hour GPEN Certification exam (by SANS Institute) and finished it in 1 1/4 hours, yes, child's play (hehe just kidding).

I like this certification, 'cause it is one of the most advanced in the market and also demands very realistic hardc0re n1nj4 h4cking skillz that MUST be present in all the (supposedly) EXPERT PENETRATION TESTERS xDDD !...

But anyway =) ... keep pwning

Tuesday, May 11, 2010

SANS Toronto - I got the Flag in the CTF ! ;)

Well, I'd like to post my experience at the SANS 560 CTF (Capture The Flag), which was held on May 10th at the Intercontinental Toronto Centre in Toronto, Canada.


Everything started at 9 am; 4 specially configured & hardened servers and 2 routers were set up in order to break into them. Anyway, it was one of the most challenging CTFs I've ever had, 'cause I showed off my COMPLETE NINJA SKILL-SET B-D !!.. yeahh baby !!

Well, the challenge was about getting a file that had been GPG-encrypted 4 times, by different people, and then decrypting it in the inverse order it was encrypted. So, the challenge was to obtain the public and private keys of the 4 different users from the Windows and Linux b0xes.

Ready, set, go !!... Then I started my ninjutsu h4ck1ng, and I had no time to eat, nor time to go to the restroom; I only had time to go for phree c0ffee while my GBs of RAM-resident rainbow tables were destroying some NTLM hashes and my source-c0de patch3d John the ripp3r was cracking other *UNIX accounts.

So, teh hard work was based on some of the f0llowing n1nj4 skillz:
  • MOSTLY TACTICAL EXPLOITATION (yes, use of the BRAIN)
  • netcat hardc0re ninj4 hacking, using *NIX backpipes ($man mknod with the 'p' parameter for n00bz) in order to chain different b0xes/ports to bypass FW rules..
  • Hardc0re packet analysis, specifically capturing traffic with tcpdump with very specific pcap filters and sending the output somewhere you can reach it through a wind0wz machine in order to analyze all the traffic so as to detect a specific pattern to continue the attack against other servers (LOT OF PEOPLE DIED HERE xDDD, n000bz)
  • Very Rude ! UNIX commands !!! (not for newbies B-D !! like j00 !!!) and STDIN, STDOUT, STDERR deeeeeeeeeeeep knowledge
  • Rem0te and privilege escalation Exploits' source code modification and compilation...
  • iptables knowledge in order to append some SPECIFIC rule sets (no iptables -F allowed for kiddies xDDD)
  • Using l33t techn1quez like passing-the-hash to SMB services to PWN other win b0xez !! ;) (yes n00b, I know it's the first time you read about it xDDD)
  • d3crypting files using stolen public and private GPG keys (yes, I know, it was the easy part =D)
At the end, after 6:30 hours of non-stoppin' PWNAGE, I got teh madafakin' Flag ! ;) !!

Keep r0cking !! B-) !

Friday, April 30, 2010

c155p... my next challenge ! 4 phun & pr0fit

Hi all, a couple of days ago I bought the "CISSP All-in-one Exam Guide, 5th Edition (Hardcover)" by Shon Harris, yes, the *NEW* edition (2010). So, I'll have a lot of fun reading 1216 pages about "5ecur1ty" in the next months, and then I'll try to obtain the certificate jeje ... just for phuck1ng phun ! B-) yeahh !!! xDD



Thursday, April 22, 2010

XOR Swap Algorithm

20 minutes before I got to work, I was tackling a couple of Mexico City's traffic jams !! and then I recalled a simple but pretty cool algorithm I used like 5 years ago to swap 2 different variables without using a temporary one. If you're new at programming, there exists a variety of such algorithms, more commonly referred to as Sorting Algorithms, and most of them use a temporary variable in order to swap the values they have, so, if u want to optimize your c0de and n1nj4 skillz ;) take a look at this !..

This is the XOR Swap Algorithm, and instead of explaining it... A picture is worth a thousand words ;) ...


As you can see, it's mathematically simple, and below you can see the c0de & screensh0t I took a few minutes ago ...
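As an added example (not the author's c0de or screenshot), here is the algorithm in Python, plus the one case where it bites: when both operands are the same storage slot, the first XOR zeroes it and the value is lost, which is why a swap on indexes must guard i == j. The function names are this example's own.

```python
def xor_swap(a, b):
    """Swap two integers with three XORs and no temporary; returns the new (a, b)."""
    a ^= b  # a now holds a ^ b
    b ^= a  # b ^ (a ^ b) == original a
    a ^= b  # (a ^ b) ^ original a == original b
    return a, b


def xor_swap_inplace(seq, i, j):
    """The same trick on two slots of a mutable sequence, without any guard.
    When i == j both names refer to the same slot: the first XOR zeroes it and
    the next two XOR zero with itself, so the value is destroyed instead of kept."""
    seq[i] ^= seq[j]
    seq[j] ^= seq[i]
    seq[i] ^= seq[j]
    return seq


def safe_xor_swap_inplace(seq, i, j):
    """Guarded version: a slot swapped with itself is already 'swapped'."""
    if i != j:
        xor_swap_inplace(seq, i, j)
    return seq


if __name__ == "__main__":
    print(xor_swap(0xDEAD, 0xBEEF))             # (48879, 57005)
    print(xor_swap_inplace([5, 9], 0, 0))       # [0, 9]: the aliasing pitfall
    print(safe_xor_swap_inplace([5, 9], 0, 0))  # [5, 9]
```

Equal values in two different slots are fine (7 ^ 7 is 0 only in the first step, and the original comes back); only a shared slot loses data.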



Keep h4cking !!

Saturday, April 17, 2010

31337 order at Cinépolis

Yes! that'z right, more than a year ago, I received the order number 31337 !!! just imagine the number of possibilities, thousands of people buyin' shit at the cinema, hundreds of malls with a movie theater, thousands of orders !!! pfff, and yes, teh fate, my fate, did the work !! B-D !...



Who else better than me would receive "teh number" jajaj none !! that's right xDDD.. just kidding !!! ... someday, u'll have one too ... just fucking kidding again jajajajajja !!!! xDDDDD ..

After all, I still have the voucher in my wallet =D !

Monday, April 12, 2010

Exploiting apps replacing _init through shared libraries

Yes, an old topic, but this time with a different and interesting approach. This time, Rh0 found a new attack vector, taking advantage of Glibc's shared libraries.

It reminds me of the old LD_PRELOAD technique ;). Anyway, this time everything is on dlopen(3), so let's take a look at the man page:

"The four functions dlopen(), dlsym(), dlclose(), dlerror() implement the interface to the dynamic linking loader... The function dlopen() loads the dynamic library file named by the null-terminated string filename and returns an opaque "handle" for the dynamic library."

Regardless of whether the binary was compiled with RTLD_LAZY (Lazy Binding) or RTLD_NOW, the dynamic linker always executes the content of _init, which in a C program is defined by the function with the __attribute__((constructor)) attribute assigned.

So, I tested this in my leisure time and the results are displayed in the next screensh0t.





ch33rz!

Sunday, April 11, 2010

From Hacker to C-Level

This is the latest speech I gave. It was given at the Master of Business Administration at Universidad Anáhuac a couple of months ago.

CLICK HERE TO DOWNLOAD THE PRESENTATION



Any comments, suggestions, or anything ... send them 2 me !

Thursday, April 8, 2010

Welcome



Hi all,

Welcome 2 my bl0g, yes, I'll retake it 'cause I removed the last one I had (~4 years ago).. Anyway, I'll write in English 'cause I've to improve it ...

In this little internet corner, you'll find some things I've found interesting, voodoo, hilarious, complex, weird, cool, etc etc, and all about hacking, research, c0ding, security, inse-fucking-curity, voodoo coding shits, presentations, projectz, blah blah !!..

Hope u enj0y it !!

Kind regards madafakaz !!