Tuesday, January 5, 2010
GNU GPL Malware?
Happy opensource pwning!
Sunday, June 14, 2009
Hacking iPhone SMS Alerts
Requirements: a jailbroken iPhone with SSH, and a Mac of some sort with iTunes and an SSH/SCP client (Windows works for some of the steps).
1) Make a backup of all the original files (/Applications/Preferences.app/English.lproj/Sounds.strings and /System/Library/Audio/UISounds/sms-received*.caf)
2) Convert whatever mp3 you want to use as the alert into a .caf file: follow http://support.apple.com/kb/HT1348 to convert it to AIFF in iTunes, then rename the .aif file to .caf.
3) Rename the file(s) to sms-received[1-6].caf, and make a note of which number(s) you used (you need this if you want to change the label shown in Settings).
4) Copy the newly created file back over to your iPhone into /System/Library/Audio/UISounds/. The numbers map to the alert names as follows: 1: Tri-tone, 2: Chime, 3: Glass, 4: Horn, 5: Bell, 6: Electronic.
5) From here on this requires a Mac (or some way of doing it on Windows that I don't know of).
6) Copy your backup of Sounds.strings to Sounds.strings.new
7) Run plutil -convert xml1 Sounds.strings.new
8) Keeping the above mapping in mind, change whatever label you want in the now-XML Sounds.strings.new, and save the file.
9) Run plutil -convert binary1 Sounds.strings.new
10) Copy this Sounds.strings.new to your iPhone, overwriting /Applications/Preferences.app/English.lproj/Sounds.strings.
11) Enjoy, and don't complain to me if you mess something up.
[Edit: Apparently I can't use Google correctly (Another Tutorial), but that one lacks the ability to change the labels]
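Steps 6 to 9 (binary plist to XML, edit, back to binary) can be done in one go without plutil. This is an added example, not part of the post: it uses Python's plistlib, which reads and writes binary plists directly. The key names in the sample file are constructed placeholders (the post does not show the real Sounds.strings keys), and it assumes the display labels are the values of the .strings entries.

```python
import plistlib

# Slot numbering from the post: sms-received<N>.caf -> stock alert name.
ALERT_BY_NUMBER = {1: "Tri-tone", 2: "Chime", 3: "Glass",
                   4: "Horn", 5: "Bell", 6: "Electronic"}


def relabel_sounds(strings_blob, new_labels):
    """Return a binary-plist blob with the labels in new_labels replaced.

    strings_blob: bytes of Sounds.strings (binary or XML; plistlib detects which).
    new_labels:   {slot_number: "New label"} using the 1-6 numbering above.
    Assumption: the entry whose value equals the stock name is the one shown
    in Settings for that slot.
    """
    table = dict(plistlib.loads(strings_blob))
    for slot, label in new_labels.items():
        stock_name = ALERT_BY_NUMBER[slot]        # KeyError for slots outside 1-6
        hits = [k for k, v in table.items() if v == stock_name]
        if not hits:
            raise KeyError(f"no entry currently labelled {stock_name!r} (slot {slot})")
        for key in hits:
            table[key] = label
    # binary1, i.e. what plutil -convert binary1 would produce
    return plistlib.dumps(table, fmt=plistlib.FMT_BINARY)


def relabel_file(path, new_labels):
    """In-place version: rewrite a Sounds.strings copy on disk."""
    with open(path, "rb") as fh:
        blob = fh.read()
    with open(path, "wb") as fh:
        fh.write(relabel_sounds(blob, new_labels))


def labels_in(blob):
    """Decode a plist blob back to a plain dict (handy for checking the result)."""
    return dict(plistlib.loads(blob))


def sample_sounds_strings():
    """Constructed stand-in for the stock file; SMS_<n> keys are placeholders, not Apple's."""
    stock = {f"SMS_{n}": name for n, name in ALERT_BY_NUMBER.items()}
    return plistlib.dumps(stock, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Relabel slot 3 (Glass), i.e. the name shown for sms-received3.caf.
    print(labels_in(relabel_sounds(sample_sounds_strings(), {3: "Mario coin"})))
```

Run relabel_file on the Sounds.strings.new copy, then scp it over as in step 10.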
Tuesday, January 27, 2009
NFSEN UI Patch
First, patch lookup.php:
--- /home/nfsen-1.3/html/lookup.php 2007-07-20 07:32:48.000000000 -0500
+++ /home/nfsen-1.3_new/html/lookup.php 2009-01-27 09:46:12.000000000 -0600
@@ -51,12 +51,26 @@ header("Content-type: text/html; charset
<body>
<?php
-
-nfsend_query("@lookup", $opts, 1);
-nfsend_disconnect();
-unset($_SESSION['nfsend']);
-CloseLogFile();
-
+if (preg_match('/(?:^10\.|192\.168\.|172\.16\.)/',$lookup))
+{
+ nfsend_query("@lookup", $opts, 1);
+ nfsend_disconnect();
+ unset($_SESSION['nfsend']);
+ CloseLogFile();
+}
+else
+{
+ $url = 'http://www.dshield.org/ipinfo.html?ip='.$lookup;
+ $ch = curl_init($url);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $output = curl_exec ($ch);
+ preg_match('/(<table.*?table>)/ms', $output, $regs);
+ $tab = preg_replace('/(?:class.*?=.*?".*?"| \(click for more detail\))/','',$regs);
+ $tab = preg_replace('/ipdetails/','ipinfo',$tab);
+ $tab = preg_replace('/href.*?=.*?"/','target="_blank" href="http://www.dshield.org',$tab);
+ curl_close ($ch);
+ echo '<h3>' . $tab[1] . '</h3>';
+}
?>
</body>
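Review bot: in the new else branch, `$lookup` is appended to the dshield URL on the `$url = ...` line without `urlencode()`, and the HTML that `curl_exec()` returns is echoed into the NfSen page after only a cosmetic `preg_replace` cleanup, so whatever markup the remote site serves lands in the UI unescaped; validate `$lookup` first (e.g. `filter_var($lookup, FILTER_VALIDATE_IP)`) and reduce the extracted table to an allowlist of tags, or escape it, before printing. The private-range regex is also anchored only for `10.`: `192\.168\.` and `172\.16\.` match anywhere in the string, and `172\.16\.` covers one /16 of the 172.16.0.0/12 block, so `'/^(?:10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)/'` is the intended test. Finally, `curl_exec()` returning false is not handled, which leaves `$regs` empty and `$tab[1]` undefined.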
Then patch lookup.css:
--- /home/nfsen-1.3/html/css/lookup.css 2007-07-20 07:32:46.000000000 -0500
+++ /home/nfsen-1.3_new/html/css/lookup.css 2009-01-27 09:28:27.000000000 -0600
@@ -21,3 +21,13 @@ h3 {
margin-top:10px;
margin-bottom:6px;
}
+
+td {
+ font-family: Verdana;
+ font-size: 10px;
+ margin:0px;
+}
+
+tr {
+ margin:0px;
+}
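Review bot: the `margin:0px` declarations on `td` and `tr` have no effect, since CSS margins do not apply to table cells or rows (only to the table element itself); if the goal is to tighten the dshield table, use `padding` on `td` or `border-spacing` on the table and drop the `tr` rule. These bare element selectors also restyle every table on the lookup page, not just the injected one; scoping them with a class on the new table avoids that side effect.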
Monday, January 5, 2009
Dell Mouse Hack
Step 1: Hope they have a mouse that looks like:
Step 2: Pull it apart
Step 3: Remove the white wires with a small screwdriver by prying up (only slightly) the white tabs on the plug
Step 4: Cross the streams
Step 5: Reassemble
Wednesday, August 27, 2008
Kill-o-copter!
Wednesday, July 23, 2008
Pwning Javascript Malware: a soup to nuts approach
First, some words of caution. This will (or should) set off any anti-virus software you have running on your machine. Also, this is live malicious code, so please don't run it... which is the reason we use Linux to poke at this stuff. Again, live + malicious = bad, so don't run it.
It seems that, other than a handful of ISC posts, JavaScript de-obfuscation references are few and far between. So, taking what ISC and others have started (and maybe finished privately; just think, if you shared we wouldn't be having this talk now and I could have watched more episodes of BSG), we have constructed our own process of malware de-obfuscation. Don't worry, this won't be a lame tutorial on how to hex-decode something, or "look, you can change eval(unescape("...")); to document.write(unescape("..."));". This will give an overview of looking at multiple levels of obfuscation that rely on arguments.callee and are written specifically for Internet Explorer. So where's the "amazing" part? I'm going to tell you how to do it with SpiderMonkey on Linux.
A quick rundown of things you will need:
- SpiderMonkey patched to print eval(), but I'll show you why that's not necessary any more
- mystubs.js and mypost.js available here
- This script to emulate Internet Explorer's arguments.callee functionality
- A version of Chaosreader patched to do de-chunking (if you're getting this stuff from a chunked session)
- Some sort of text editor
- And the Javascript you want to de-obfuscate
If you can't find some malicious Javascript to de-obfuscate, you can download our example and follow along. The password for the zip file is 'pwned'.
After downloading the Javascript (evil.js from the zip file) open it up in your editor and add the following to the top:
window="";
window.location="/";
location="";
location.href="http://tag58.com/cgi-bin/index.cgi?ad";
This lets us fake, for SpiderMonkey, the objects the page expects to exist and where the page is located (in this case tag58.com).
Now we want to get the JavaScript prepared for reversing. If you look at this specific example you'll notice it takes arguments.callee, calls toString() on it and then takes the length. You will also notice that it concatenates location.href onto arguments.callee.toString(). So, how do we bypass all of these different tamper-resistance techniques? Simple: we use the script that emulates the IE version of arguments.callee.toString(). Copy and paste the entire function, from the first 'f' to the last '}', into a new document. Then, without adding any spaces, paste the http://...ad URL from above immediately after it, save and exit (step2.js from the zip file). Finally, run the script on the file you just created and note the output (which output you use depends on where in the script you want to inject it).
Now look for the part of the script that says TngP47fdn = TngP47fdn.toUpperCase(); and change it to TngP47fdn = "<output>";, where <output> is the last bit of the script's output under [toUpperCase()]: (step2-function.js). This produces step3.js. This next part is the cool part. You can go to the trouble of patching SpiderMonkey to print out all calls to eval(), or, since you've subverted the tamper-resistance technique, you can simply change them all to document.write(). *TaDa* To do this, change wegif4kx2(nmyWKuRI4) in the code to document.write(nmyWKuRI4), and you'll see all of the goodness being spewed forth when you run <path>/js -f <path>/mystubs.js -f step4.js -f <path>/mypost.js. As a side note, you can now put arbitrary debugging code into step4.js if you want to figure out exactly how the de-obfuscation routine works, because with the expected results patched in, the script doesn't know any better.
Simply wash, rinse and repeat until you get the meaty goodness. I've tried this on quite a few of the samples I was able to get hold of, and it has worked, but if you try it and it doesn't work, let me know.