Wednesday, April 28, 2010

Sockets Practice: pingscan.c

Some more proof of concept/socket practice, code is here.

dennis@ipa:~/projects/sockets/pingscan$ /home/dennis/projects/randips/randips 50 > ips
dennis@ipa:~/projects/sockets/pingscan$ sudo ./pingscan ips
Password:
71.45.159.69 is alive
126.4.37.254 is alive
pingscan: sendto: Network is unreachable
70.147.201.33 is alive

Monday, April 26, 2010

0x41414141.com: 1 - 3

@jjarmoc pointed me at 0x41414141.com and I spent a few hours with the first 3 challenges.

1: Base64 encoding, decoded it.

2: A PE executable:

bfab4d3c076ac4059f3c1e680c7a6933.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Started off by running strings on the binary, which showed the following:

Email is return value of fn in form 0x12345678 zero padded to eight digits

Continued on with an objdump -D and pieced together what the ASM was doing. This led me to the following C program:

#include <stdio.h>

int
main()
{
    /* starting value and the two XOR keys recovered from the disassembly */
    int val = 0xc0ffee;
    int first = 0x401000;
    int second = 0x8744ee;

    printf("original: 0x%x\n", val);

    val = val ^ first;

    printf("first transform: 0x%x\n", val);

    val = val ^ second;

    /* the email is this result, written as 0x12345678 zero-padded to eight digits */
    printf("second transform: 0x%x\n", val);

    return 0;
}

At first, I zero-padded the wrong side, which led me to a frustrating multi-hour "what am I missing" hunt.

3: I haven't played with a file format yet, so this challenge was very educational. They provided a PNG image named gzip.png (the GZIP logo).

I tracked down some documents on the PNG file format (1 and 2) and was delighted that it wasn't too difficult to follow. PNG files start with a header which is then followed by various variable length "chunks".

Running hexdump -C on the image, I saw the string "email" inside a zTXt chunk, a compressed text string inside the image. zTXt uses zlib to compress the text string, and this is where a day of frustrations began.

It turns out that there is a gzip file format, but also a zlib file format. At first I thought they were the same and didn't know the other existed; second, the zTXt chunk in this image almost makes sense using both formats.

3.c reads the PNG file, skips to the zTXt chunk and parses out the compressed text.

I took the easy way out and, instead of learning and writing a zlib inflater, I used zlib's API example zpipe.c to uncompress and print the text.
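As an added example (not 3.c and not the challenge's image), here is the same chunk walk in Python: verify the PNG signature, check each chunk's CRC, locate zTXt, split off the keyword and compression-method byte, and inflate the body as a zlib (RFC 1950) stream rather than a gzip (RFC 1952) file. The PNG and the email address inside it are constructed placeholders; stream_kind() tells the two containers apart by their headers.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (type, payload) per chunk; the CRC covers type + payload, not the length."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) & 0xffffffff != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, payload
        pos = end
        if ctype == b"IEND":
            break


def stream_kind(blob):
    """gzip starts with 1f 8b; zlib has CM=8 and a 2-byte header divisible by 31."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if len(blob) >= 2 and (blob[0] & 0x0f) == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return "zlib"
    return "unknown"


def parse_ztxt(payload):
    """zTXt layout: keyword, NUL, compression method (0 = zlib deflate), zlib stream."""
    keyword, _, rest = payload.partition(b"\x00")
    if not rest or rest[0] != 0:
        raise ValueError("unsupported zTXt compression method")
    text = zlib.decompress(rest[1:], 15)  # wbits=15: zlib wrapper, not gzip (31)
    return keyword.decode("latin-1"), text.decode("latin-1")


def ztxt_entries(data):
    return [parse_ztxt(p) for t, p in iter_chunks(data) if t == b"zTXt"]


def make_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 PNG with a zTXt chunk; the address is a placeholder, not the challenge answer.
SAMPLE_PNG = (PNG_SIG
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"zTXt", b"email\x00\x00" + zlib.compress(b"someone@example.invalid"))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + make_chunk(b"IEND", b""))
```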

Tuesday, April 20, 2010

Sockets Practice: ircspider.c

ircspider.c "spiders" IRC channels. Most IRC networks are smarter than me, so during testing I got banned, a lot! It does work on my small, simple test server:

dennis@ipa:~/projects/sockets/ircspider$ ./ircspider 127.0.0.1 6667
connected to 127.0.0.1 (127.0.0.1):6667

read timeout

#hi
dennis!~dennis@localhost
ircspider!~ircspider@localhost
#blah
dennis!~dennis@localhost
ircspider!~ircspider@localhost

I'm ok with it being a PoC and code practice.

Code is here.

Tuesday, April 6, 2010

RFI Coverage in Emerging Threats

ha.ckers posted a Large List of RFIs (1000+) a while back which caught my eye.

Continuing on with my socket programming practice, I put together rficrawl.c that loops through each remote file include pathname, stuffs it into a GET and launches it at a webserver.

I made a PCAP of the traffic while rficrawl was running and fed it to Snort. Snort was using a default snort.conf configuration file along with the Mar 27th version of Emerging Threats ruleset.

The alert breakdown is over here.

The Mar 26th version of RSnake's RFI list contains 2203 unique RFIs. There were 1541 alerts generated, resulting in about 70% coverage. The majority of them, 1410 alerts (64%), were detected by the generic, catch-all "ET WEB_SERVER PHP Remote File Inclusion (monster list http)" signature.

This leaves 662 currently undetected vulnerabilities!