#include
#include
char szDeobfuscated[4096];
int key[] = {86, -12, -17, 80, 52, 169,
-17, 107, 85, 75, 3, 60, 154, 1,
120, 179,-3, 177, 61, 211, 155, 210,
203, 159, 6, 209, 209, 101, -24, 189,
45, 159, 177, -17, 141,216, -12, -4, 187,
195, 184, 161, 11, 174, 61, 193, 46, 174,
-29,84, 7, -15, 10, 90, 208, 138, 120,
4, 6, 50, 134, 44, 172, -14};
void DeobfuscateString(char *enc)
{
int code = 0;
int z = 0;
int cDeobChar = 0;
char tempnum[5]; //e.g. 0xAB
int i = 0;
char *tmpstr = szDeobfuscated;
char a = 0;
char b = 0;
int length = 0;
if(NULL==enc)
return;
length = strlen(enc);
if(length> sizeof(szDeobfuscated)-1)
return;
printf("Decoding %s of length %d\n", enc, length);
for (i = 0; i < length; i++)
{
//check for ampersand '&'
if (enc[i] != 38)
{
code = enc[i];
}
else
{
//if it's an ampersand
i++; //skip over it
//take the next two characters and make a hex value out of it e.g.
//&ad would become 0xAD
memset(tempnum,0,5);
a = enc[i++];
b = enc[i++];
sprintf_s(tempnum,5,"0x%c%c\0",a,b);
sscanf_s(tempnum,"%x",&code);
}
cDeobChar = code - key[z];
if (cDeobChar < 0)
{
cDeobChar = cDeobChar + 255;
}
*tmpstr++ = (char)cDeobChar;
z++;
}
printf("\n\t%s\n",szDeobfuscated);
return;
}
int main(void)
{
memset(szDeobfuscated,0,4096);
DeobfuscateString("&ad;Y&5b;&b3;&a3;&17;T&8b;&c4;&b9;#&96;&04;c&ea;&1d;$%&5d;&16;&08;B3&c0;");
memset(szDeobfuscated,0,4096);
DeobfuscateString("&97;50&91;u&ea;0∾&86;|4m&cb;2&a9;&e4;");
return 0;
}
Thursday, December 24, 2009
OpenRG Deobfuscate in C
http://www.zibri.org/ Did this in a java script. I ported it to C. Have fun deobfuscating during the holidays!
Friday, November 13, 2009
vmware fusion and kernel debugging
Server (Vm Target to be kernel debugged)
========================================
serial0.present = "TRUE"
serial0.pipe.endPoint = "server"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/tmp/kdpipe"
Client (Vm Where you run windbg)
=============================
serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/tmp/kdpipe"
On the target to be debugged
=============================
bcdedit /copy {current} /d "Microsoft Windows Vista [debugger disabled]"
bcdedit /debug ON
bcdedit /set {current} debugtype SERIAL
bcdedit /set {current} debugport 1
bcdedit /set {current} baudrate 115200
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xffffffff
_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
========================================
serial0.present = "TRUE"
serial0.pipe.endPoint = "server"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/tmp/kdpipe"
Client (Vm Where you run windbg)
=============================
serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/tmp/kdpipe"
On the target to be debugged
=============================
bcdedit /copy {current} /d "Microsoft Windows Vista [debugger disabled]"
bcdedit /debug ON
bcdedit /set {current} debugtype SERIAL
bcdedit /set {current} debugport 1
bcdedit /set {current} baudrate 115200
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xffffffff
_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Tuesday, September 29, 2009
awk
Why are people from China trying to login to my computer? I don't understand....
for i in `cat auth.log.1 | awk '{print $13}'|sort -n |uniq`; do whois $i |grep person; done
person: Chyi-Chuan Yang
person: Seednet Seednet
person: Haibo Ma
person: Ruixin Wang
person: Haibo Ma
person: Ruixin Wang
person: ChinaUnicom Hostmaster
person: Wei Wang
for i in `cat auth.log.1 | awk '{print $13}'|sort -n |uniq`; do whois $i |grep person; done
person: Chyi-Chuan Yang
person: Seednet Seednet
person: Haibo Ma
person: Ruixin Wang
person: Haibo Ma
person: Ruixin Wang
person: ChinaUnicom Hostmaster
person: Wei Wang
Trying to 0wn me
Failed password for invalid user mike from 85.62.95.198 port 40533
Failed password for invalid user mysql from 85.62.95.198 port 41292
Failed password for invalid user mythtv from 85.62.95.198 port 42027
Failed password for invalid user gnax from 85.62.95.198 port 47769
Failed password for invalid user mythtv from 85.62.95.198 port 49950
Failed password for invalid user upload from 85.62.95.198 port 51456
Failed password for invalid user status from 85.62.95.198 port 52202
Failed password for invalid user tomcat from 85.62.95.198 port 53781
Failed password for invalid user postgres from 85.62.95.198 port 54544
Failed password for invalid user anonymous from 85.62.95.198 port 55321
Failed password for invalid user worker from 85.62.95.198 port 56021
Failed password for invalid user craig from 85.62.95.198 port 56758
Failed password for invalid user webmaster from 85.62.95.198 port 57497
Failed password for invalid user user from 85.62.95.198 port 58246
Failed password for invalid user michael from 85.62.95.198 port 60504
Failed password for invalid user short from 85.62.95.198 port 33060
Failed password for invalid user admin from 85.62.95.198 port 33801
Failed password for invalid user music from 85.62.95.198 port 35241
Failed password for invalid user jessie from 85.62.95.198 port 35947
Failed password for invalid user notes from 85.62.95.198 port 36718
Failed password for invalid user turbo from 85.62.95.198 port 55037
Failed password for invalid user usuario from 85.62.95.198 port 55729
Failed password for invalid user spamfiltrer from 85.62.95.198 port 56512
Failed password for invalid user elite from 85.62.95.198 port 57211
Failed password for invalid user ftpuser from 85.62.95.198 port 57898
Failed password for invalid user radmin from 85.62.95.198 port 58659
Failed password for invalid user portal from 85.62.95.198 port 59417
Failed password for invalid user master from 85.62.95.198 port 60089
Failed password for invalid user sales from 85.62.95.198 port 60874
Failed password for invalid user util1 from 85.62.95.198 port 33436
Failed password for invalid user anthony from 85.62.95.198 port 34209
Failed password for invalid user oracle from 204.124.181.80 port 32963
Failed password for invalid user test from 204.124.181.80 port 33883
Failed password for invalid user eaguilar from 121.14.34.52 port 44125
Failed password for invalid user apple from 60.190.176.116 port 51325
Failed password for invalid user brian from 60.190.176.116 port 52237
Failed password for invalid user andrew from 60.190.176.116 port 53219
Failed password for invalid user newsroom from 60.190.176.116 port 54180
Failed password for invalid user magazine from 60.190.176.116 port 55126
Failed password for invalid user research from 60.190.176.116 port 56079
Failed password for invalid user cjohnson from 60.190.176.116 port 56972
Failed password for invalid user export from 60.190.176.116 port 57777
Failed password for invalid user photo from 60.190.176.116 port 32797
Failed password for invalid user gast from 60.190.176.116 port 35433
Failed password for invalid user murray from 60.190.176.116 port 38639
Failed password for invalid user falcon from 60.190.176.116 port 41879
Failed password for invalid user fly from 60.190.176.116 port 48042
Failed password for invalid user gerry from 60.190.176.116 port 51152
Failed password for invalid user guest from 60.190.176.116 port 33465
Failed password for invalid user test from 60.190.176.116 port 35047
Failed password for invalid user test1 from 60.190.176.116 port 36141
Failed password for invalid user teste from 60.190.176.116 port 37737
Failed password for invalid user admin from 60.190.176.116 port 39225
Failed password for invalid user postgres from 60.190.176.116 port 40829
Failed password for invalid user webmaster from 60.190.176.116 port 43524
Failed password for invalid user web from 60.190.176.116 port 45115
Failed password for invalid user http from 60.190.176.116 port 46528
Failed password for invalid user httpd from 60.190.176.116 port 48114
Failed password for invalid user www from 60.190.176.116 port 49698
Failed password for invalid user www1 from 60.190.176.116 port 51203
Failed password for invalid user ftp from 60.190.176.116 port 55250
Failed password for invalid user mysql from 85.62.95.198 port 41292
Failed password for invalid user mythtv from 85.62.95.198 port 42027
Failed password for invalid user gnax from 85.62.95.198 port 47769
Failed password for invalid user mythtv from 85.62.95.198 port 49950
Failed password for invalid user upload from 85.62.95.198 port 51456
Failed password for invalid user status from 85.62.95.198 port 52202
Failed password for invalid user tomcat from 85.62.95.198 port 53781
Failed password for invalid user postgres from 85.62.95.198 port 54544
Failed password for invalid user anonymous from 85.62.95.198 port 55321
Failed password for invalid user worker from 85.62.95.198 port 56021
Failed password for invalid user craig from 85.62.95.198 port 56758
Failed password for invalid user webmaster from 85.62.95.198 port 57497
Failed password for invalid user user from 85.62.95.198 port 58246
Failed password for invalid user michael from 85.62.95.198 port 60504
Failed password for invalid user short from 85.62.95.198 port 33060
Failed password for invalid user admin from 85.62.95.198 port 33801
Failed password for invalid user music from 85.62.95.198 port 35241
Failed password for invalid user jessie from 85.62.95.198 port 35947
Failed password for invalid user notes from 85.62.95.198 port 36718
Failed password for invalid user turbo from 85.62.95.198 port 55037
Failed password for invalid user usuario from 85.62.95.198 port 55729
Failed password for invalid user spamfiltrer from 85.62.95.198 port 56512
Failed password for invalid user elite from 85.62.95.198 port 57211
Failed password for invalid user ftpuser from 85.62.95.198 port 57898
Failed password for invalid user radmin from 85.62.95.198 port 58659
Failed password for invalid user portal from 85.62.95.198 port 59417
Failed password for invalid user master from 85.62.95.198 port 60089
Failed password for invalid user sales from 85.62.95.198 port 60874
Failed password for invalid user util1 from 85.62.95.198 port 33436
Failed password for invalid user anthony from 85.62.95.198 port 34209
Failed password for invalid user oracle from 204.124.181.80 port 32963
Failed password for invalid user test from 204.124.181.80 port 33883
Failed password for invalid user eaguilar from 121.14.34.52 port 44125
Failed password for invalid user apple from 60.190.176.116 port 51325
Failed password for invalid user brian from 60.190.176.116 port 52237
Failed password for invalid user andrew from 60.190.176.116 port 53219
Failed password for invalid user newsroom from 60.190.176.116 port 54180
Failed password for invalid user magazine from 60.190.176.116 port 55126
Failed password for invalid user research from 60.190.176.116 port 56079
Failed password for invalid user cjohnson from 60.190.176.116 port 56972
Failed password for invalid user export from 60.190.176.116 port 57777
Failed password for invalid user photo from 60.190.176.116 port 32797
Failed password for invalid user gast from 60.190.176.116 port 35433
Failed password for invalid user murray from 60.190.176.116 port 38639
Failed password for invalid user falcon from 60.190.176.116 port 41879
Failed password for invalid user fly from 60.190.176.116 port 48042
Failed password for invalid user gerry from 60.190.176.116 port 51152
Failed password for invalid user guest from 60.190.176.116 port 33465
Failed password for invalid user test from 60.190.176.116 port 35047
Failed password for invalid user test1 from 60.190.176.116 port 36141
Failed password for invalid user teste from 60.190.176.116 port 37737
Failed password for invalid user admin from 60.190.176.116 port 39225
Failed password for invalid user postgres from 60.190.176.116 port 40829
Failed password for invalid user webmaster from 60.190.176.116 port 43524
Failed password for invalid user web from 60.190.176.116 port 45115
Failed password for invalid user http from 60.190.176.116 port 46528
Failed password for invalid user httpd from 60.190.176.116 port 48114
Failed password for invalid user www from 60.190.176.116 port 49698
Failed password for invalid user www1 from 60.190.176.116 port 51203
Failed password for invalid user ftp from 60.190.176.116 port 55250
Monday, September 21, 2009
using the old msvcrt runtime with visual studio 2005
If you are trying to run an .exe built with vs2005 on other than the box you built it with you might get an error saying that msvcrt80.dll is missing. This is because msvcrt.lib points you to the multithreaded import library for MSVCR7/8/90.DLL.
Microsoft says this about msvcrt.dll:
The msvcrt.dll is now a "known DLL," meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components. (and their own software like windbg)
Here's the breakout of which libraries cause which runtime dll to be imported:
e.g. MSVCRT.LIB == MSVCRT.DLL with Visual Studio 5/6, MSVCR7.DLL with Visual Studio 2002/2003 and MSVCR80/90.DLL with Visual Studio 2005/2008.
Well it goes in the face of logic to force someone to carry around all these DLLS. So the solution is to build one that relies on the lowest common denominator: MSVCRT.DLL
The trick to ensuring that your .exe uses this dll is by using the MSVCRT.LIB that comes with the DDK. Add this line to your Property Pages->Linker->General->Additional Library Directories
"C:\WINDDK\6001.18001\lib\crt\i386" -or- whereever your DDK is installed
You also need to link with msvcrt_win2000.obj
Now clean and recompile. You should now be able to run your exe on any box without the missing DLL error. (Assuming you don't use some feature that is _ONLY_ in the more modern DLL)
Microsoft says this about msvcrt.dll:
The msvcrt.dll is now a "known DLL," meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components. (and their own software like windbg)
Here's the breakout of which libraries cause which runtime dll to be imported:
e.g. MSVCRT.LIB == MSVCRT.DLL with Visual Studio 5/6, MSVCR7.DLL with Visual Studio 2002/2003 and MSVCR80/90.DLL with Visual Studio 2005/2008.
Well it goes in the face of logic to force someone to carry around all these DLLS. So the solution is to build one that relies on the lowest common denominator: MSVCRT.DLL
The trick to ensuring that your .exe uses this dll is by using the MSVCRT.LIB that comes with the DDK. Add this line to your Property Pages->Linker->General->Additional Library Directories
"C:\WINDDK\6001.18001\lib\crt\i386" -or- whereever your DDK is installed
You also need to link with msvcrt_win2000.obj
Now clean and recompile. You should now be able to run your exe on any box without the missing DLL error. (Assuming you don't use some feature that is _ONLY_ in the more modern DLL)
Thursday, July 30, 2009
w00t got dsniff built on centos
thanks to the help of numerous folks on the intertoobs!!!
Duh...I should have known this...but i'm impatient
http://forum.soft32.com/linux2/dsniff-make-error-ftopict43253.html
These patches really helped out
http://www.enzotech.net/dsniff.html
Duh...I should have known this...but i'm impatient
http://forum.soft32.com/linux2/dsniff-make-error-ftopict43253.html
These patches really helped out
http://www.enzotech.net/dsniff.html
Wednesday, July 29, 2009
Installing DSNIFF on centos is a full time job
glib2 this, libnids that, 5 different devel libs...hey it's free software what am i complain'n about
DSNIFF and SSL
I found this very informative site that walks one through the details of setting up a MITM rig to decompose SSL traffic. Exactly what I was looking for since busybox was not being nice to me.
http://forums.remote-exploit.org/tutorials-guides/9011-sniffing-ssl-traffic-using-mitm-attack-ettercap-fragrouter-webmitm-dnsspoof.html
(I think blogspot filters URLS with HTML tags), the above wouldn't show up....prolly because it's got the word EXPLOIT in it.)
Seems simple enough...just gonna take some time setting all this crap up, I love this stuff though and that's why I'm doing it.
In the mean time, I wanted to set up something to capture all the traffic to/from the router and I was looking at various firewalls etc...I finally settled on centos as a transparent bridge. One interface to the router, one to my switch, and Oreo stuffing in between.
If you want to do this yourself...it's DIRT SIMPLE, here's my rc.local script to get it going.
#!/bin/sh
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ip link set br0 up
ifconfig br0 192.168.0.3 netmask 255.255.255.0
route add default gw 192.168.0.1 dev br0
btw I'm running this on a 8 year old box I found in my basement under some paint rags. Aside from the oily smell the packets flow just fine.
busy box, applet not found
Since I managed to create some mips64 binaries and managed to get them on the router's filesystem, I thought I was in a good place....NOT. Apparently busybox (I didn't know this until now), is configured to only run the built in applets. It seems they actually turned off (at compile time) the ability to run arbitrary code via busybox. HOWEVER this certainly doesn't mean I couldn't upload my own firmware...there are at least 3 ways to do this...BUT I don't want to tank my rounter....so on to other ideas....like dsniff
Sunday, July 26, 2009
It's only a matter of time
Discovered open port 4567/tcp on x.y.235.2
Discovered open port 4567/tcp on x.y.235.3
Discovered open port 4567/tcp on x.y.235.134
Discovered open port 4567/tcp on x.y.235.201
Discovered open port 4567/tcp on x.y.235.202
Discovered open port 4567/tcp on x.y.235.204
Discovered open port 4567/tcp on x.y.235.205
Discovered open port 4567/tcp on x.y.235.207
Discovered open port 4567/tcp on x.y.235.208
Discovered open port 4567/tcp on x.y.235.206
Discovered open port 4567/tcp on x.y.235.216
Discovered open port 4567/tcp on x.y.235.217
Discovered open port 4567/tcp on x.y.235.219
Discovered open port 4567/tcp on x.y.235.220
Discovered open port 4567/tcp on x.y.235.221
Discovered open port 4567/tcp on x.y.235.222
Discovered open port 4567/tcp on x.y.235.224
Discovered open port 4567/tcp on x.y.235.226
Discovered open port 4567/tcp on x.y.235.225
Discovered open port 4567/tcp on x.y.235.227
Discovered open port 4567/tcp on x.y.235.228
Discovered open port 4567/tcp on x.y.235.229
Discovered open port 4567/tcp on x.y.235.231
Discovered open port 4567/tcp on x.y.235.230
Discovered open port 4567/tcp on x.y.235.215
Discovered open port 4567/tcp on x.y.235.179
Discovered open port 4567/tcp on x.y.235.232
Discovered open port 4567/tcp on x.y.235.233
Discovered open port 4567/tcp on x.y.235.235
Discovered open port 4567/tcp on x.y.235.236
Discovered open port 4567/tcp on x.y.235.234
Discovered open port 4567/tcp on x.y.235.237
Discovered open port 4567/tcp on x.y.235.239
Discovered open port 4567/tcp on x.y.235.240
Discovered open port 4567/tcp on x.y.235.238
Discovered open port 4567/tcp on x.y.235.242
Discovered open port 4567/tcp on x.y.235.251
Discovered open port 4567/tcp on x.y.235.253
Discovered open port 4567/tcp on x.y.235.252
Discovered open port 4567/tcp on x.y.235.254
Discovered open port 4567/tcp on x.y.235.3
Discovered open port 4567/tcp on x.y.235.134
Discovered open port 4567/tcp on x.y.235.201
Discovered open port 4567/tcp on x.y.235.202
Discovered open port 4567/tcp on x.y.235.204
Discovered open port 4567/tcp on x.y.235.205
Discovered open port 4567/tcp on x.y.235.207
Discovered open port 4567/tcp on x.y.235.208
Discovered open port 4567/tcp on x.y.235.206
Discovered open port 4567/tcp on x.y.235.216
Discovered open port 4567/tcp on x.y.235.217
Discovered open port 4567/tcp on x.y.235.219
Discovered open port 4567/tcp on x.y.235.220
Discovered open port 4567/tcp on x.y.235.221
Discovered open port 4567/tcp on x.y.235.222
Discovered open port 4567/tcp on x.y.235.224
Discovered open port 4567/tcp on x.y.235.226
Discovered open port 4567/tcp on x.y.235.225
Discovered open port 4567/tcp on x.y.235.227
Discovered open port 4567/tcp on x.y.235.228
Discovered open port 4567/tcp on x.y.235.229
Discovered open port 4567/tcp on x.y.235.231
Discovered open port 4567/tcp on x.y.235.230
Discovered open port 4567/tcp on x.y.235.215
Discovered open port 4567/tcp on x.y.235.179
Discovered open port 4567/tcp on x.y.235.232
Discovered open port 4567/tcp on x.y.235.233
Discovered open port 4567/tcp on x.y.235.235
Discovered open port 4567/tcp on x.y.235.236
Discovered open port 4567/tcp on x.y.235.234
Discovered open port 4567/tcp on x.y.235.237
Discovered open port 4567/tcp on x.y.235.239
Discovered open port 4567/tcp on x.y.235.240
Discovered open port 4567/tcp on x.y.235.238
Discovered open port 4567/tcp on x.y.235.242
Discovered open port 4567/tcp on x.y.235.251
Discovered open port 4567/tcp on x.y.235.253
Discovered open port 4567/tcp on x.y.235.252
Discovered open port 4567/tcp on x.y.235.254
CPE Wan Management Protocol v1.1
Well I think I found out what port 4567 is supposed to be for:
"2.3.4 Asynchronous ACS Initiated Sessions
An important aspect of service auto-configuration is the ability for the ACS to inform the CPE of a configuration change asynchronously. This allows the auto-configuration mechanism to be used for services that require near-real-time reconfiguration of the CPE. For example, this may be used to provide an end-user with immediate access to a service or feature they have subscribed to, without waiting for the next periodic contact.
The CPE WAN Management Protocol incorporates a mechanism for the ACS to issue a Connection Request to the CPE at any time, instructing it to establish a communication session with the ACS.
While the CPE WAN Management Protocol also allows polling by the CPE in lieu of ACS-initiated connections, the CPE WAN Management Protocol does not rely on polling or establishment of persistent connections from the CPE to provide asynchronous notification.
The basic mechanism defined in the CPE WAN Management Protocol to enable asynchronous ACS initiated communication assumes direct IP addressability of the CPE from the ACS. An alternative mechanism is defined in Annex G, which accommodates CPE operating behind a NAT gateway that are not directly addressable by the ACS."
"2.3.4 Asynchronous ACS Initiated Sessions
An important aspect of service auto-configuration is the ability for the ACS to inform the CPE of a configuration change asynchronously. This allows the auto-configuration mechanism to be used for services that require near-real-time reconfiguration of the CPE. For example, this may be used to provide an end-user with immediate access to a service or feature they have subscribed to, without waiting for the next periodic contact.
The CPE WAN Management Protocol incorporates a mechanism for the ACS to issue a Connection Request to the CPE at any time, instructing it to establish a communication session with the ACS.
While the CPE WAN Management Protocol also allows polling by the CPE in lieu of ACS-initiated connections, the CPE WAN Management Protocol does not rely on polling or establishment of persistent connections from the CPE to provide asynchronous notification.
The basic mechanism defined in the CPE WAN Management Protocol to enable asynchronous ACS initiated communication assumes direct IP addressability of the CPE from the ACS. An alternative mechanism is defined in Annex G, which accommodates CPE operating behind a NAT gateway that are not directly addressable by the ACS."
Saturday, July 25, 2009
unobscure_str
I found obscure_str's friend....
00000000001110f0 -31104(gp) 000000000000f0c0 000000000000f0c0 FUNC UND unobscure_str
Hmmm...wonder if
char *clearstr = malloc(1024);
clearstr = unobscure_str("&cc;Ya&b9;&ae;&19;]&d1;&be;&ba;v");
would give us an neato answer... IDA Pro...do you have any ideas?
00000000001110f0 -31104(gp) 000000000000f0c0 000000000000f0c0 FUNC UND unobscure_str
Hmmm...wonder if
char *clearstr = malloc(1024);
clearstr = unobscure_str("&cc;Ya&b9;&ae;&19;]&d1;&be;&ba;v");
would give us an neato answer... IDA Pro...do you have any ideas?
OpenRG lib
now that i have some mips64 binutils I can check out all the symbols in the openrg libraries...check these out
311: 000000000000b49c 0 FUNC GLOBAL DEFAULT 7 NtPasswordHash
371: 000000000000b3c4 0 FUNC GLOBAL DEFAULT 7 LmPasswordHash
0000000000110e50 -31776(gp) 000000000000f3c0 000000000000f3c0 FUNC UND obscure_str
hmmm obscure_str...wonder what that does????
311: 000000000000b49c 0 FUNC GLOBAL DEFAULT 7 NtPasswordHash
371: 000000000000b3c4 0 FUNC GLOBAL DEFAULT 7 LmPasswordHash
0000000000110e50 -31776(gp) 000000000000f3c0 000000000000f3c0 FUNC UND obscure_str
hmmm obscure_str...wonder what that does????
OK, now I've got gcc built...I guess I need to get the runtime installed.
[root@big binutils-2.19]# /usr/local/mips64-elf/bin/mips64-elf-gcc -v
Using built-in specs.
Target: mips64-elf
Configured with: ./configure --prefix=/usr/local/mips64-elf --target=mips64-elf --with-mpfr=/usr/local --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --program-prefix=mips64-elf-
Thread model: single
gcc version 4.4.1 (GCC)
[root@big binutils-2.19]# /usr/local/mips64-elf/bin/mips64-elf-gcc -v
Using built-in specs.
Target: mips64-elf
Configured with: ./configure --prefix=/usr/local/mips64-elf --target=mips64-elf --with-mpfr=/usr/local --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --program-prefix=mips64-elf-
Thread model: single
gcc version 4.4.1 (GCC)
Full Spectrum Dominance
A friend asked, out of curiosity, why I was researching this topic... I was concerned that the open port (4567) could lead to malicious use of the router by those outside the U.S government and law enforcement. Specifically countries like North Korea who have been rumored to deploy large bot nets in order to cause wide scale denial of service attacks across the global information grid as well as China who has been reported as having hacked into many U.S. Government networks. If the default password for port 4567 is not changed it could lead to wide spread misuse, not just by foreign state sponsored entities but also by crime syndicates like those operating out of Eastern Europe, Russia, South America and even those within the continental U.S. Especially alarming is that this seems to be the default configuration on all Fios enabled ISP provided home gateway/routers. My bandwidth up is 20Mbps. Imagine having hundreds or possibly thousands of these nodes under the full control of an enemy of the state. The fact that the operating system is Linux 2.6 adds more to my concern because it is quite simple to write custom tools and scripts that would execute whatever code the malicious user wishes. There are hundreds of API libraries available for Linux and the complexity of the tools that could be written makes this apparent flaw even more noteworthy. The ability to compose custom network packets and the high bandwidth available are really the top two concerns. Another one of my friends understands the gravity of this situation, this blog is hopefully going to get some attention so the problem gets addressed.
Interesting strings
It's taking me a lot longer than expected to get the cross compiler built...so I grabbed all the binaries off the router. One that stuck out was the openrg binary and some interesting strings I noticed:
Error creating maximum security rule
Aladdin
http://www2.jungo.com/~yoavp/mail_filter_pop3_server?vendor_id=%s&box_id=%s
http://www2.jungo.com/~oferfa/mail_filter_demo.htm?vendor_id=%s&box_id=%s
http://www2.jungo.com/~yoavp/mail_filter_expiry?vendor_id=%s&box_id=%s
http://www2.jungo.com/~yoavp/mail_filter_smtp_server?vendor_id=%s&box_id=%s
Not sure what those web sites are...but this really seems odd.
Here are some others
https://cpe-ems79.verizon.com/cwmpWeb/CPEMgt
https://upgrade.actiontec.com/
https://controlpanel.tzo.com/cgi-bin/tzopanel.exe
https://upgrade.actiontec.com/MI424WR2/MI424WR2.rmt
https://cpe-ems79.verizon.com/cwmpWeb/CPEMgt
Error creating maximum security rule
Aladdin
http://www2.jungo.com/~yoavp/mail_filter_pop3_server?vendor_id=%s&box_id=%s
http://www2.jungo.com/~oferfa/mail_filter_demo.htm?vendor_id=%s&box_id=%s
http://www2.jungo.com/~yoavp/mail_filter_expiry?vendor_id=%s&box_id=%s
http://www2.jungo.com/~yoavp/mail_filter_smtp_server?vendor_id=%s&box_id=%s
Not sure what those web sites are...but this really seems odd.
Here are some others
https://cpe-ems79.verizon.com/cwmpWeb/CPEMgt
https://upgrade.actiontec.com/
https://controlpanel.tzo.com/cgi-bin/tzopanel.exe
https://upgrade.actiontec.com/MI424WR2/MI424WR2.rmt
https://cpe-ems79.verizon.com/cwmpWeb/CPEMgt
OpenRG Features
I was going through some of the new features advertised in Jungo's OpenRG software (which apparently is installed on my new router). These features stuck out:
NationZone (Guest Access) An end-to-end service, which enables Operators to convert their deployed residential gateways into a nation wide hotspot network, providing their customers with a Wifi roaming network without adding infrastructure costs
Video Surveillance Jungo has added a video surveillance service to Jungo.net. End users can subscribe to this service and can securely and remotely use multiple IP cameras that are connected to their home or office gateway
huh... "Enable operators (read ISPs) to convert .... into a nation wide hotspot"
NationZone (Guest Access) An end-to-end service, which enables Operators to convert their deployed residential gateways into a nation wide hotspot network, providing their customers with a Wifi roaming network without adding infrastructure costs
Video Surveillance Jungo has added a video surveillance service to Jungo.net. End users can subscribe to this service and can securely and remotely use multiple IP cameras that are connected to their home or office gateway
huh... "Enable operators (read ISPs) to convert .... into a nation wide hotspot"
Friday, July 24, 2009
Building a MIPS64 cross compiler
./configure --prefix=/usr/local/mips64-elf --target=mips64-elf --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --program-prefix=mips64-elf-
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
...
OpenRG
Once you have a busybox shell you can basically do anything. I'm eventually gonna build a mips64 cross compiler so I can put some other tools on board, but that takes time...something I don't have a lot of....
Here's the loaded module list for those interested in what this router is running:
/proc # cat version
Linux version 2.6.16.14 #1 SMP Wed Mar 4 01:29:00 PST 2009
And loaded modules…
/proc # lsmod
Module Size Used by
clnkdvr 220688 0
ks8995m_mod 11728 0
dwc_otg 141568 0
octeon_eth 44536 0
wlan_scan_ap 6672 0
qos_ingress 3584 0
btn 5568 0
rg_pppoe_relay 6752 0
pppoe_relay 168544 1 rg_pppoe_relay
kleds_mod 7392 0
rg_ipv4 3584 0
rg_dhcp_pktfil 8720 0
tcp_mss 5008 0
rg_stp 16656 2
igmp_proxy_mod 37456 1
log_chardev 5936 0
ath_pci 109360 0
wlan_acl 5504 0
wlan_xauth 2816 0
wlan_ccmp 9216 0
wlan_tkip 13696 0
wlan_wep 7296 0
ath_dfs 34192 1 ath_pci
ath_rate_atheros 30208 1 ath_pci
wlan 166432 9 wlan_scan_ap,ath_pci,wlan_acl,wlan_xauth,wlan_ccmp,wlan_tkip,wlan_wep,ath_rate_atheros
ath_hal 224208 3 ath_pci,ath_rate_atheros
one_module 826832 23 ks8995m_mod,qos_ingress,btn,rg_pppoe_relay,kleds_mod,rg_ipv4,rg_dhcp_pktfil,tcp_mss,rg_stp,igmp_proxy_mod,log_chardev
Here's the loaded module list for those interested in what this router is running:
/proc # cat version
Linux version 2.6.16.14 #1 SMP Wed Mar 4 01:29:00 PST 2009
And loaded modules…
/proc # lsmod
Module Size Used by
clnkdvr 220688 0
ks8995m_mod 11728 0
dwc_otg 141568 0
octeon_eth 44536 0
wlan_scan_ap 6672 0
qos_ingress 3584 0
btn 5568 0
rg_pppoe_relay 6752 0
pppoe_relay 168544 1 rg_pppoe_relay
kleds_mod 7392 0
rg_ipv4 3584 0
rg_dhcp_pktfil 8720 0
tcp_mss 5008 0
rg_stp 16656 2
igmp_proxy_mod 37456 1
log_chardev 5936 0
ath_pci 109360 0
wlan_acl 5504 0
wlan_xauth 2816 0
wlan_ccmp 9216 0
wlan_tkip 13696 0
wlan_wep 7296 0
ath_dfs 34192 1 ath_pci
ath_rate_atheros 30208 1 ath_pci
wlan 166432 9 wlan_scan_ap,ath_pci,wlan_acl,wlan_xauth,wlan_ccmp,wlan_tkip,wlan_wep,ath_rate_atheros
ath_hal 224208 3 ath_pci,ath_rate_atheros
one_module 826832 23 ks8995m_mod,qos_ingress,btn,rg_pppoe_relay,kleds_mod,rg_ipv4,rg_dhcp_pktfil,tcp_mss,rg_stp,igmp_proxy_mod,log_chardev
BusyBox is now Available
Wow, I can't believe how much access one has to this router. Turns out busybox is available on the telnet port.
telnet 172.16.0.4
Trying 172.16.0.4...
Connected to 172.16.0.4.
Escape character is '^]'.
Username: root
Password:
Wireless Broadband Router> system
system> shell
Temporary setting log_level off
BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.
Look at /proc/cpuinfo
cd /proc
/proc # cat cpuinfo
system type : MC524WR
processor : 0
cpu model : Cavium Networks Octeon CN50XX V0.1
BogoMIPS : 1000.47
wait instruction : yes
microsecond timers : yes
tlb_entries : 64
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented :
VCED exceptions : not available
VCEI exceptions : not available
processor : 1
cpu model : Cavium Networks Octeon CN50XX V0.1
BogoMIPS : 1000.47
wait instruction : yes
microsecond timers : yes
tlb_entries : 64
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented :
VCED exceptions : not available
VCEI exceptions : not available
This is quite a powerful little router. Dual core Octeon 64 bit processors running at 1Ghz.
Ok Check This Out
Via the web interface of the ActionTec router there is a configuration file you can dump. Not knowing what was in it, I decided to dump the config and read through it. HOLY CRAP....
In the config you can see the user name and password of the account that has access to port 4567:
(username(verizonfios))
(password(&cc;Ya&b9;&ae;&19;]&d1;&be;&ba;v))
I could also see the username and password for the Admin account which I changed for this blog temporarily so you could see an example hash with plaintext password (hoping that someone smart can break it, it's probably dirt simple)
(username(root))
(password(&97;50&91;u&ea;0∾&86;|4m&cb;2&a9;&e4;))
Password is AAAAAAAA11111111
I thought on a whim that the password for the verzionfios might be on the web somewhere.....(really hoping NOT)...BOOM here it is (confirmed by my friend)
http://filedb.experts-exchange.com/incoming/2008/06_w23/30839/Wireless-Broadband-Router.txt
So this is messed up, the secret backdoor port 4567 has the same username and password enabled for every router. Nice...just waiting for FIOS networks to become the WORLDS LARGEST, FASTEST BOTNETS.
In the config you can see the user name and password of the account that has access to port 4567:
(username(verizonfios))
(password(&cc;Ya&b9;&ae;&19;]&d1;&be;&ba;v))
I could also see the username and password for the Admin account which I changed for this blog temporarily so you could see an example hash with plaintext password (hoping that someone smart can break it, it's probably dirt simple)
(username(root))
(password(&97;50&91;u&ea;0∾&86;|4m&cb;2&a9;&e4;))
Password is AAAAAAAA11111111
I thought on a whim that the password for the verzionfios might be on the web somewhere.....(really hoping NOT)...BOOM here it is (confirmed by my friend)
http://filedb.experts-exchange.com/incoming/2008/06_w23/30839/Wireless-Broadband-Router.txt
So this is messed up, the secret backdoor port 4567 has the same username and password enabled for every router. Nice...just waiting for FIOS networks to become the WORLDS LARGEST, FASTEST BOTNETS.
The solution
Well, being slightly paranoid and not wanting arbitrary folks logging into my router, I wanted to find a way to protect myself. I also thought the router manufacturer or ISP employees may give out the admin password for this strange port, then it hits the intert00bs and catastrophe...you know, cats and dogs blah blah.
So here's what you need to do if you own one of these routers:
1. Remove the router.
2. Remove the COAX conection from the ONT (Optical Network Connection)
3. Call your ISP and have then enable the Ethernet connection in the ONT.
4. Connect your favorite router to the Ethernet broadband ONT connection
5. Put the ISP's router behind your router
6. Keep the COAX connection from the ISPs router to the STB (Set Top Box) to maintain program information and monitoring of what you watch…..(or just leave it disconnected and use your TIVO, MythTV etc. for program information)
That doesn't turn the port off but at least makes it hard to get to from the outside. Time to do some deeper investigation.
So here's what you need to do if you own one of these routers:
1. Remove the router.
2. Remove the COAX conection from the ONT (Optical Network Connection)
3. Call your ISP and have then enable the Ethernet connection in the ONT.
4. Connect your favorite router to the Ethernet broadband ONT connection
5. Put the ISP's router behind your router
6. Keep the COAX connection from the ISPs router to the STB (Set Top Box) to maintain program information and monitoring of what you watch…..(or just leave it disconnected and use your TIVO, MythTV etc. for program information)
That doesn't turn the port off but at least makes it hard to get to from the outside. Time to do some deeper investigation.
Port 4567
time to go spelunking
A while ago I had set up a TrixBox and knew that I'd have to dig into this new Fios router to re-enable my phone service (I'm a geek, I have cisco phones throughout the house). The Fios installer was kind enough NOT to leave the router admin account/password with me, so I had to search the web to find it LOL. Anyway once logged in I'm presented with a fairly ghay interface which hurts my eyes. I enabled port forwarding for SIP and RTP and got my TrixBox working again. While I was poking around I noticed this interesting port forward rule that YOU CAN'T TURN OFF!!!
The Router from my favorite FIOS provider
I got this new router with my snazzy FIOS service. It's made by actiontec and seems to be a pretty powerful unit. By default, at least in my area, the ISP connected the COAX side of the router to their ONT (Optical Network Terminal) which usually sits just outside your house by the phone lines. On the inside they split the COAX, one side goes to your STB (Set Top Box), and the other to your router. The router uses the MOCA (Multimedia over Coax Alliance) protocol on the COAX line to get intelligent networking to your STB (so it can get program updates...kinda like Tivo).
Subscribe to:
Posts (Atom)