Reverseme – very very easy Linux

This would probably be a good place to start if you’ve never reversed anything before.  Too easy for my taste though, and I’m just a beginner.

To try it, see http://crackmes.de/users/cyrex/linux_crackme/

With objdump, you can see that strcmp is called right after scanf reads the password.

The password is hard coded.  It is pushed from 0x80486a3.  Revealing it is as simple as starting up gdb and typing x/s 0x80486a4.  It is also revealed by the strings command or a hexdump.

Rescue initramfs

In my opinion, the best way to rescue a system after a failure is a live CD like Knoppix.  However, there are times when you are a bit unprepared and don’t have the live CD with you, or your machine doesn’t have a CD-ROM drive, etc.  Yes, I could go to my office, grab a spare, bring it back, tear the computer apart, add the CD-ROM drive and do it that way.  Sometimes even this is not an option, as in the case of my tablet, which does not even have an option in the BIOS to boot from a CD or USB.  When I originally installed it, it was a network install.

More often than not, I just add init=/bin/bash to the kernel options in grub and boot to a shell.  This has many obvious disadvantages though.  You do not have any virtual consoles.  There is no job control: control-C and control-Z do not work.  You’d better not ping anything or you have to reboot!  For quick fixes this is an all right solution.

Another interesting option, although not as universal as adding init=/bin/bash, is only really easy in Debian derivatives as far as I know.  It is, at least, different to do with Red Hat because of their different handling of initramfs.  But anyway, in Debian, navigate to your initramfs.conf file and set $DELAY seconds.  Now, when you’re booting, press the enter key when it says ‘waiting for $DELAY seconds’ to obtain a real Debian environment shell prompt that is much easier to use than the first option.  You can interrupt and kill jobs, have more than one terminal, etc.

websitebaker module: Random pic with text

This module includes a function you can call to randomly pick an image from a directory. It is based on a module written by John Maats, and I just added the captioning. 

Here is a link to the zip.

<?php
/* Random image snippet
   Call this snippet with:
   RandomImage ('/media');
   in your template */

function RandomImage($dir) {
        //read folder and get the picture names
        $names = array();
        $folder = opendir(WB_PATH.$dir.'/.');
        //compare against false explicitly so a file named "0" does not stop the loop
        while (($file = readdir($folder)) !== false) {
                $names[] = $file;
        }
        closedir($folder);

        //remove any non-images from array
        $names1 = array();
        for ($i = 0; $i < count($names); $i++) {
                $ext = strtolower(substr($names[$i], -4));
                if ($ext == ".jpg" || $ext == ".gif" || $ext == ".png") {
                        $names1[] = $names[$i];
                }
        }

        //nothing to show if the folder holds no images
        if (count($names1) == 0) {
                return;
        }

        //random: array_rand() with one entry returns a single key, not an array
        srand((double) microtime() * 10000000);
        $rand_key = array_rand($names1);

        //random image from array
        $image = $names1[$rand_key];

        //name of image for alt text
        $name = substr($image, 0, -4);

        //print associated Text (escaped, since the file name ends up in HTML)
        echo "<p><b>".htmlspecialchars($name)."</b></p>";

        //read in the caption file if it exists
        if (file_exists(WB_PATH.$dir.'/'.$name.'.txt')) {
                $myfile = file(WB_PATH.$dir.'/'.$name.'.txt');
                echo '<p>';
                foreach ($myfile as $val) {
                        echo htmlspecialchars($val)." ";
                }
                echo '</p>';
        }

        //image dimensions: read from the local path, not the URL;
        //getimagesize() index 3 is a ready-made 'width="x" height="y"' string
        $dimensions = getimagesize(WB_PATH.$dir.'/'.$image);
        $size = $dimensions ? $dimensions[3] : '';
        echo '<img src="'.WB_URL.$dir.'/'.$image.'" '.$size
            .' alt="'.htmlspecialchars($name).' image" />';
}
?>

Really global environment variables for ssh

<mopey> how do I export a variable in pvm?  I add it to my .bashrc or .profile but it ignores it.
<mopey> an environment variable
<mopey> Because I get this error:
<mopey> The value of the $PVM_ROOT environment
<mopey> variable on compute-0-1 is invalid (“”).
<mopey> Use the absolute path to the pvm3/ directory.
<mopey> but if I ssh into compute-0-1, echo $PVM_ROOT it is set correctly
<staynalive_> mopey: I don’t know much about PVM
<staynalive_> but I would check to see if it gets set for non-login sessions
<staynalive_> by doing (in one command) “ssh compute-0-1 printenv”
<staynalive_> Yeah, I just tested it and that’s the issue.
<mopey> good call, it’s not being set for some reason, although it’s “being set” in ~/.bashrc
<mopey> where would I set it, if not bashrc?
<staynalive_> Umm
<mopey> my .profile calls bashrc btw, although that shouldn’t really matter since that’s only on interactive logins, right?
<staynalive_> Yeah
<staynalive_> I think I actually changed a ssh flag to carry the environment variables through to the new machine in a ssh session.
<staynalive_> “PermitUserEnvironment yes”
<mopey> oh.  well that’s handy.
<staynalive_> That way if users set something up funky they can carry it to the nodes.
<staynalive_> But the manual warns of some possible security issues…
<mopey> if someone is on my frontend node, it’s only being used on the compute nodes, so it shouldn’t be that big of a deal.
<mopey> since they are basically thin
<mopey> aaah, ssh has env variables all of its own…
<mopey> I remember telling you that at one point.  I guess I’m losing my marbles

<mopey> has anyone ever gotten sshrc to successfully set ssh environment variables?
<mopey> it *should* be straightforward
<mopey> the sshd man page says:  8.  If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise runs xauth.  The “rc” files are
<mopey>  given the X11 authentication protocol and cookie in standard input.
<mopey> is this not run (when I do ‘ssh compute-0-0 env’) because it is too late in the process?
<mopey> because my $HOME/.ssh/environment _is_ run, and I can set them that way.  Except that I want to do it for all users and that seems to be a lame solution.
<mopey> It seems like the command should be executed *after* the rc files are read (it’s step 9)
<mopey> So I wonder why the hell it’s being ignored…
<mopey> staynalive, you said you use “PermitUserEnvironment yes”.  So do you just set a $HOME/.ssh/environment for each user?

<mopey> haha
<mopey> for those who care, pam overrides my ssh variables for the most part
<mopey> so you can define variables in /etc/security/pam_env.conf
<mopey> god, that took forever to figure out why my /etc/environment variables weren’t getting set over ssh
* Vog-work has quit (“ChatZilla 0.9.79 [Firefox 2.0.0.10/2007111504]“)
<twinprism> thanks for sharing, mopey, I care…
<mopey> weird.
<mopey> :)
<_sera> I don’y
<_sera> sheesh… don’t
<mopey> Normally it probably doesn’t matter I’m sure.  Like if you get a bash shell and can actually execute profile/bashrc
<mopey> But if you have a crippled pvm shell or something, it’s way important
<mopey> plus I think pam_env is how PATHs and junk get set on login – at least on ubuntu
<mopey> *gdm/kdm/xdm login

chkrootkit

chkrootkit operates somewhat like a virus scanner for Windows, in that it looks for infected files by signature.

From the man page:

chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log files can be found at /usr/lib/chkrootkit.

I installed using apt-get.

By default, it logs to a file.  I like to check my logs over email every morning, so I changed the cron job to reflect this.  I added the MAILTO=root line, and the /usr/sbin/chkrootkit call at the end (the standard output is what gets mailed).  The following is /etc/cron.daily/chkrootkit, so the result gets logged and mailed.

#!/bin/sh -e

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
# Note: cron reads MAILTO from a crontab, not from a script's shell variables;
# output of cron.daily jobs is mailed to the user cron runs them as (root).
MAILTO=root

if [ ! -x $CHKROOTKIT ]; then
  exit 0
fi

# /etc/chkrootkit.conf supplies RUN_DAILY, RUN_DAILY_OPTS and DIFF_MODE
if [ -f $CF ]; then
  . $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
  if [ "$DIFF_MODE" = "true" ]; then
    # diff mode: only print the report when it differs from the previous run
    $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
    if [ ! -f $LOG_DIR/log.old ] \
      || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
      cat $LOG_DIR/log.new
    fi
    mv $LOG_DIR/log.new $LOG_DIR/log.old
  else
    $CHKROOTKIT $RUN_DAILY_OPTS
  fi
fi
# added: a second, unconditional run whose full report goes to stdout (and so to mail)
/usr/sbin/chkrootkit
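To see what the diff-mode branch of that cron script actually does, here is an added example (not part of the original post or of the Debian package) that isolates the same log.old/log.new comparison in a function and exercises it with a constructed fake scanner instead of the real chkrootkit; the names diff_mode_run, fake_chkrootkit and demo are assumptions made for this example.

```sh
#!/bin/sh
# Added example: the log.old/log.new "diff mode" from the cron script,
# isolated into a function so it can be exercised with a fake scanner.
# Assumed names: diff_mode_run, fake_chkrootkit, demo (constructed here).

# Behaves like the cron job's DIFF_MODE branch: run the scanner, and print
# its report only when there is no previous log or the report changed.
# $1 = log directory, $2 = scanner command (the real job uses $CHKROOTKIT).
diff_mode_run() {
    log_dir=$1
    scanner=$2
    "$scanner" > "$log_dir/log.new" 2>&1
    if [ ! -f "$log_dir/log.old" ] \
        || ! diff -q "$log_dir/log.old" "$log_dir/log.new" > /dev/null 2>&1; then
        cat "$log_dir/log.new"
    fi
    mv "$log_dir/log.new" "$log_dir/log.old"
}

# Stand-in for /usr/sbin/chkrootkit: prints whatever FAKE_RESULT holds.
# A real run prints one line per check, e.g. "Checking `ls'... not infected".
fake_chkrootkit() {
    printf '%s\n' "$FAKE_RESULT"
}

# Run the fake scanner three times and return the three outputs joined by
# "|", so the quiet-when-unchanged behaviour can be checked.
demo() {
    dir=$(mktemp -d)
    FAKE_RESULT="Checking \`ls'... not infected"
    first=$(diff_mode_run "$dir" fake_chkrootkit)   # no log.old yet: printed
    second=$(diff_mode_run "$dir" fake_chkrootkit)  # unchanged: silent
    FAKE_RESULT="Checking \`ls'... INFECTED"       # constructed change
    third=$(diff_mode_run "$dir" fake_chkrootkit)   # changed: printed again
    rm -rf "$dir"
    printf '%s|%s|%s\n' "$first" "$second" "$third"
}
```

The middle run stays silent, which is why a quiet day in diff mode means "unchanged", not "nothing was checked"; the unconditional trailing call in the cron script above is what makes the full report arrive by mail every day anyway.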

chkrootkit seems like it has quite a bit of promise.  I use chkrootkit with tripwire, selinux, iptables, fail2ban, and good service configuration for a functional system that is still fairly secure.
