P1nky’s Cool Sh*t #1

Are you troubled by strange hacks in the night?
Do you experience feelings of dread in your basement or attic?
Have you or your friends actually seen a phreak, script kiddie, or fed?
If the answer is yes, then don’t wait another minute. Just pick up the phone and ask for the Pwnton Pack!

And don’t forget, we will be meeting again soon (whether you-know-who wants us too or not ;] )

Format string $20 challenge

At the last meeting I showed everyone how to use a format string vulnerability in a password storage app to bypass the master password and pull data out of memory. That is just one way to exploit this type of vulnerability so I challanged everyone at the meeting to get the app I used “code below” to execute their supplied input. The first person to let me know they got it and do a demo get $20! So it pays to be a little early.

#include < stdio.h >
#include < string.h >

int main (int argc, char *argv[])
{
char** spw = "dc414 pwnz";
char text[1025];
strcpy(text, argv[1]);
if (strcmp(text, "asd123")==0) {
printf("Correct the password is %s \n",spw);
return 0;
}
printf(text);
printf(" is wrong\n");
return 0;
}

Upload your own XSS

A few meetings ago i gave a demo on uploading a flash file to file hosting sites that contains a evil XSS payload. Here is my write up on it.

A while back I was doing a penetration test on a friends file hosting service application. His service allowed the uploading of flash files and when you viewed the files detail page it showed you a preview of the flash movie. At the time I knew you could use actionscript to put javascript in a flash file but I was not sure if it would have full access to the DOM and allow us to do evil stuff.

I started messing around in actionscript and came up with this:

After compiling it and uploading, when viewing the preview page I was greeted with a prompt box that had the contents of my cookie for that domain and it was displayed in text with in the flash embed! So, just like that we are able to manufacture a XSS vulnerability on a application that is otherwise secure.

There is some protection for this attack. When you embed a flash file in a web page that you don’t trust you should add the allowScriptAccess param and set it to none. However this can be bypassed easily, just go to the swf file itself and it will still execute the javascript supplied by our swf file. This means to be fully protected you will also need to use a modrewrite rule to force a download when ever someone tries to view a swf file directly.

Here is one example – http://www.ziddu.com/viewfile/22413513/xss.swf.html

Here is another – http://swfchan.org/2335/xss.swf

June Meeting Recap

Thanks to all that attended the June meeting.  Lot’s of interesting discussion and demos as usual.

Some highlights were Klaiviel giving an in-depth look at the state of 3D printing with a focus on weapons and some of the issues surrounding it.

We later headed for the roof of Bucketworks to learn about DirectTV hardware installations and some of the tools the pros use.  We got to learn about different satellites  and had some really good discussions while the ISS zipped past brightly in the night sky.  Thanks Darkwind.

dw5304 took over next and showed off some 40Gb Ethernet gear along with a demo.  We also had fun exploiting some really awful security of a customer management portal that dw5304 stumbled upon.

edgewalker was one of the lucky contestants to win the Free Junk Giveaway.  Enjoy the LetterPerfect software on your IBM/DOS compatible PC! 

Some pictures courtesy of our beloved overlord, AnarchyAngel.

Upnp Exploiter

dc414 and I are proud to introduce Upnp Exploiter! A Upnp scanner and exploit tool. This tool comes with two main scanning functions and exploit functions.

The first scanning functions is the target scan. Here you can pick a single IP or IP range to find anything that reports back to a UPNP multicast packet sent to the normal UPNP broadcast address “239.255.255.250 on port 1900” If target responds it takes a closer look and sees if it can get the targets UPNP profile letting us know what type of device it is, what UPNP functions it supports, its IP, and other information. When used remotely, this all takes advantage of the fact that the target device violates the UPNP specs and responds to UPNP requests outside of the deices local area network.

The second scanning function only works in a local area network and just sends out a UPNP broadcast. This function is just using the UPNP protocol as intended.

Once a list of UPNP supported devices are found the script mines some information from it like device type, UPNP functions, IP. If its a gateway device it prompts you and asks if you want to attempt to exploit it.

The first option is to forward ports. If doing this LAN side its best to do some network recon with NMAP or something, find some fun services running on a internal server and forward them to the web for later hacking. While gathering information on the device it gets a list of other ports forwarded via UPNP and the devices internal IP. This is supper helpful when doing things on the remote side. One of my personal favs is routing the modems internal port 80 to 81 on WAN. This should give you access to the routers internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of rfc’s, protocols, and other stuff lol.

The second exploit option tries to turn a gateway device into a proxy. Now this works using IP addresses and one host per port. So if you want to connect to Victim A on port 8 you use the script to forward all data coming in on any port you choose “for now we will say 88” to VA on port 80. So you connect to port 88 on the Victim B “the gateway device” and all the traffic is forwarded to VA on port 80. This also breaks UPNP rules, but who cares.

The last little thing this script does is parse the replies for the unique_service_name() vulnerability and reports to you if it finds anything with some helpful information to aid in exploiting it.

You can get the script from the git page HERE. If you like it please consider donating to dc414 or me (Anarchy Angel – anarchy@dc414.org) for taking the time to make such an awesome script 🙂 If anyone would like to help with development please contact Anarchy Angel (me).

Many thanks to Ngharo for help with the regex and list stuff.

April meeting recap

Aprils meeting was awesome! Ngharo started us off with room introductions, which was helpful considering all the new faces at this meeting. Next I gave a quick demo of my new tool Upnp Exploiter. Which lead to me disclosing two 0day vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router “expect more on all this later”! Then dw5304 gave his SNMP demo again and showed all the n00bs how to pwn Cisco routers using SNMP to upload a your own config to them. Then we all started messing around with trying to draw words on an oscilloscope with my arduino. Because of a late start that is all we had time for. Congrats to BigStarHero for winning a Emerson switch board in the free junk giveaway! Here is some pictures from the meeting.

Free junk giveaway big winner!

Some awesome useful irssi scripts.

If you dont already know to use scripts you have to put any scripts in:

/home/< your_user >/.irssi/scripts/

And to load it into irssi use:

/script load < script_name.pl >

adv_windowlist.pl – If you have lots of windows open in irssi like me this script will make your life much easier. It adds a permanent advanced window list in a statusbar by default. You can configure it to put it on a sidebar if you like.

trackbar.pl – This little script will do just one thing: it will draw a line each time you switch away from a window. This way, you always know just up to where you’ve been reading that window 🙂 It also removes the previous drawn line, so you don’t see double lines.

nickcolor.pl – In channels with lots of activity, all nicks having the same old white color can get a little crazy, this script gives each user is own color and put a little organization to the chaos.

spell.pl – Spell check for irssi. This script takes a little setup. first you have to install Lingua::Ispell and Ispell using the following commands:

$ sudo apt-get install ispell liblingua-ispell-perl

It should pull in a number of other packages including a dictionary. I actually received an error as well, but it seems safe to ignore:

error in control file: `Index' value missing for format `info' at /usr/sbin/install-docs line 709, line 16.

Now load the script into irssi and bind Alt-s as a short cut to check the line you wish to send.
to bind Alt-s type the following into irssi:

/bind meta-s /_spellcheck

Also set the max guesses:

/set spell_max_guesses 3

Now your ready to use this script. After you type a message before you hit enter hit Alt-s and this script if you have any misspelled words and give you up to three guesses for correction.

For the cause!

As some of you might know I run a Tor exit relay from my home connection. I got this in the mail the other day:

Hello and welcome to Tor!

We’ve noticed that your Tor node dc414 has been running long enough to be flagged as “stable”. First, we would like to thank you for your contribution to the Tor network! As Tor grows, we require ever more nodes to improve browsing speed and reliability for our users. Your node is helping to serve the millions of Tor clients out there.

As a node operator, you may be interested in the Tor Weather service, which sends important email notifications when a node is down or your version is out of date. We here at Tor consider this service to be vitally important and greatly useful to all node operators. If you’re interested in Tor Weather, please visit the following link to register:

https://weather.torproject.org/

You might also be interested in the tor-announce mailing list, which is a low volume list for announcements of new releases and critical security updates. To join, visit the following address:

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce

Additionally, since you are running as an exit node, you might be interested in Tor’s Legal FAQ for Relay Operators (https://www.torproject.org/eff/tor-legal-faq.html.en) and Mike Perry’s blog post on running an exit node (https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment).

Thank you again for your contribution to the Tor network! We won’t send you any further emails unless you subscribe.

Disclaimer: If you have no idea why you’re receiving this email, we sincerely apologize! You shouldn’t hear from us again.

Yay my node is now stable!! Now we just need to get one running on the dc414 server 🙂

September meeting recap

Last meeting was awesome as always, we had some good demos and new faces which is always great. Ngharo started it off going around the room and asking ppl what they hacked last month and what they plan to hack next.

I gave my fakeAP demo to get credit card numbers or sniff traffic. The CC part failed :/ but the sniff part worked like a charm!! Then dw5304 gave a demo titled “Cable hacking for fun” and talked about how to get online anonymously with cable modems, getting almost unlimited bandwidth, modem cloning and lots more. Faraday came packing with some lithium ion batteries and big ass LEDs he gave out “to make flash lights out of” and stuff for making your capacitors which is always fun.

Then I spent the rest of the night drinking beer and yelling in to a ham radio, so I didn’t take any pictures. Congrats to uberushaximus for winning the dc414 free junk giveaway!

Here is a link to the github fakeAP pwnage project, it only works with Backtrack 5 and could use some improvement.
https://github.com/dc414/fakeAP_pwnage

Here is the slides to dw5304’s Cable hacking for fun:
https://skydrive.live.com/redir?resid=463779BB134E309F!375&authkey=!AF56QcP0xP4Ofco

August meeting awesomeness

Klaiviel started us off by giving us a nice show of binary key card hotel locks popular over seas, showed us a 3d printed key for one of his locks, explained pick proof locks from the 40s that are no longer used but highly effective and how to make them today using regular locks. Then he showed us why he is the second best key impressionist in the world, and made a working key for a lock right in front of us and giving us step by step instructions on how to do it our selves.

I stepped in and gave a quick demo of how I made our new and improved donations bucket which I will be making a blog post on later. Darkwind came packing with a alfa wifi antenna hooked up to a satellite dish! This made a killer directional wifi antenna, we took it up to the roof of bucketworks and got signals from all over including the moon 😛 Ngharo hooked it up to his lappy and cracked a few networks 🙂

After the roof party was over and we got back down stairs Castor gave a DEFCON20 badge hacking demo and showed us how to turn our badges into any other badge type we wanted, then showed us how to make the LEDs on the badge flash out words and stuffs. Then we all just started bull shitting and talking about up coming projects.

Cmoney couldnt make it out so I took a few picture that you can view here. Congrats to darkwind and faraday for winning the dc414 free junk giveaway!!