Wednesday, October 29, 2014

Ressurecting a dead laptop - Dell XPS m1730

,
There was a dell xps m1730 sitting besides me. Nobody had ever said something about it.
I decided to open the lid and check it. Everything ran smooth, i started reformatting, installed drivers and just after driver installating, bang! No video....


I didn`t know that it was a common m1730 problem up to the point i googled around a bit and found so many problems regarding GPU, even a video about reconstructing it on youtube.
I examined the laptop closely, unscrew everything and took it apart.
All i was able to notice was that the fans weren`t spinning at all...

Then, my friend google helped me find some posts inside dell's support area where i was able to find sources and details about the problem, what i found?
There was a bios update from dell support that looks promising into fixing the blank screen / vga problem. I downloaded into a usb stick, and booted from it to install the update.

Things weren`t so easy though, as soon as i got into (you know the blue area :) the flash rom, dell asked me to recharge the battery to continue! Battery? What battery? It was dead!

Questions... where can i find another battery? any alternative solution? Nope!
I decided it was time for debugging., then i found the assembly code of the function that checks battery charge.

What I changed in the MXG7A11.exe was the PUSH 3 to PUSH 0.

004213C0 /$ 55 PUSH EBP
004213C1 |. 8BEC MOV EBP,ESP
004213C3 |. 83EC 0C SUB ESP,0C
004213C6 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004213C9 |. 50 PUSH EAX
004213CA |. E8 FD0E0000 CALL
004213CF |. 807D F4 00 CMP BYTE PTR SS:[EBP-C],0
004213D3 |. 75 04 JNZ SHORT MXG7A11.004213D9
004213D5 |. 6A 01 PUSH 1
004213D7 |. EB 22 JMP SHORT MXG7A11.004213FB
004213D9 |> 807D F5 80 CMP BYTE PTR SS:[EBP-B],80
004213DD |. 74 1A JE SHORT MXG7A11.004213F9
004213DF |. 807D F5 FF CMP BYTE PTR SS:[EBP-B],0FF
004213E3 |. 74 14 JE SHORT MXG7A11.004213F9
004213E5 |. 807D F6 0A CMP BYTE PTR SS:[EBP-A],0A
004213E9 |. 76 0A JBE SHORT MXG7A11.004213F5
004213EB |. 807D F6 FF CMP BYTE PTR SS:[EBP-A],0FF
004213EF |. 74 04 JE SHORT MXG7A11.004213F5
004213F1 |. 33C0 XOR EAX,EAX
004213F3 |. C9 LEAVE
004213F4 |. C3 RETN
004213F5 |> 6A 03 PUSH 3
004213F7 |. EB 02 JMP SHORT MXG7A11.004213FB
004213F9 |> 6A 02 PUSH 2
004213FB |> 58 POP EAX
004213FC |. C9 LEAVE
004213FD \. C3 RETN

After this thing, the update worked like a charm ;)
Read more →

Thursday, September 25, 2014

CVE-2014-6271 - Shellshock

,
Remotely Exploitable 'Bash Shell' Vulnerability Affects Linux, Unix and Apple Mac OS X
A Critical remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell, known as Bash, aka the GNU Bourne Again Shell, leaving countless websites, servers, PCs, OS X Macs, various home routers, and many more open to the cyber criminals.

REMOTELY EXPLOITABLE SHELLSHOCK
The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and being named as Bash Bug, and Shellshock by the Security researchers on the Internet discussions.

According to the technical details, a hacker could exploit this bash bug to execute shell commands remotely on a target machine using specifically crafted variables. “In many common configurations, this vulnerability is exploitable over the network,” Stephane said.

This 22-year-old vulnerability stems from the way bash handles specially-formatted environment variables, namely exported shell functions. When assigning a function to a variable, trailing code in the function definition will be executed.

BASH BUG AFFECTS MILLIONS OF SYSTEMS
While bash is not directly used by remote users, but it is a common shell for evaluating and executing commands from other programs, such as web server or the mail server. So if an application calls the Bash shell command via web HTTP or a Common-Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked.

In Simple words, If Bash has been configured as the default system shell, an attacker could launch malicious code on the server just by sending a specially crafted malicious web request by setting headers in a web request, or by setting weird mime types. Proof-of-concept code for cgi-bin reverse shell has been posted on the Internet.

Similar attacks are possible via OpenSSH,
We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.”
Stephane warned. But if an attacker does not have an SSH account this exploit would not work.
This is a serious risk to Internet infrastructure, just like Heartbleed bug, because Linux not only runs the majority of the servers but also large number of embedded devices, including Mac OS X laptops and Android devices are also running the vulnerable version of bash Software. NIST vulnerability database has rated this vulnerability “10 out of 10” in terms of severity.

HOW TO CHECK FOR VULNERABLE SHELL
To determine if a Linux or Unix system is vulnerable, run the following command lines in your linux shell:
  • env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
  • env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
If you see the words "shellshock" in the output, errrrr… then you are at risk.

BASH BUG PATCH
You are recommended to disable any CGI scripts that call on the shell, but it does not fully mitigate the vulnerability. Many of the major operating system and Linux distribution vendors have released the new bash software versions today, including:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian
If your system is vulnerable to bash bug, then you are highly recommended to upgrade your bash software package as soon as possible.

More here
Read more →

Wednesday, July 23, 2014

Kali Linux - Assuring Security by Penetration Testing

,
Interested about ‪#‎security‬? A big fan of ‪#‎kali‬ linux?Stay tuned with this amazing book from PacktPub.http://goo.gl/TQ80h3
This is what i posted today on my social networks, all about a perfect book.


This is a book where i chose to be a reviewer.
Excellent content inside, have a look on Amazon or on the publisher's website, PacktPub.
Read more →

Wednesday, February 19, 2014

Reverse Engineering - Hack Norton GoBack

,
That was an old trick i used as a PoC to some of my fellas, some years ago in a net station : > This hack will definitely get you out of shit. Especially when you're in troubles!

1. Run OllyDbg, open file GBOption.exe in "%Program Files%\Norton GoBack".

2. Hit F9 in OllyDbg. The Norton GoBack Options will appear.
Choose 2nd tab, click "Change Level...". A window to change level for each action will appear: enable/disable, uninstall, autobackup... There are three levels: ADMIN, USER and NONE. By default, the level for uninstall is ADMIN, mean that you must have administrator password in order to uninstall it.

3. Return to OllyDbg, jump to address 0x0043697D by pressing Ctrl+G, enter address in it and click OK. Then you will notice these addresses below:
00436970 > 8B0D A8964700 MOV ECX,DWORD PTR DS:[4796A8]
00436976 . 50 PUSH EAX
00436977 . 51 PUSH ECX
00436978 . E8 93E9FFFF CALL GBOption.00435310
0043697D . 83C4 08 ADD ESP,8
00436980 . 85C0 TEST EAX,EAX
00436982 . 0F954424 0F SETNE BYTE PTR SS:[ESP+F]
The address which GoBack uses to check administrator password is 0x00436978. This function will always return false because we're missing the password... So we will set a breakpoint in address 0x0043697D to change its return value by pressing F2. Then the line will change red.

4. Enter any pass you want and return to Norton GoBack Options, click OK, it will ask for the administrator password, enter anything you want and press OK. Now, the control is changed to OllyDgb, it ran to address where I set breakpoint and paused. Look in the registers window of OllyDbg, you'll see EAX = 0x00000090. Double click to it, change EAX to 0x00000000 and press F9 to continue. Now you'll see that no warning message was shown.

Voila! Owned....
Read more →

Wednesday, February 12, 2014

Keep users happy: Don`t call them users.

,
Sysadmin blog A common complaint about IT staff is their lack of social skills. As in any industry that attracts a certain type of person, there's a high percentage of dark-room-dwelling people who can sometimes struggle to communicate. This is either through what they say or how they interact with others.
Not all IT people are like this of course, just as nurses are not all popping out of their skimpy outfits and pool cleaners don't universally have a mustache and manage to find themselves in many interesting and awkward situations.


There are some guidelines I can recommend based on many years of personal experience, as well as observing others.
Helpdesk 101: Never trust the user. When a user tells you something is happening, see it for yourself. Think of this situation as if they just watched a doctor perform brain surgery, then had to summarise what happened. They're going to make guesses and assumptions on the bits they don't understand. Once you see the issue for yourself, then start the troubleshooting. There is no point spending hours chasing a dragon to slay if the dragon turns out to be a funny-shaped rock. Ask to see that error message or recreate the issue.
Don't call them 'users': IT staff can often forget they're in a position of service. Nobody likes getting bad service; it doesn't matter if it's the 15-year-old at your local fast food restaurant or a rude doctor. This means respecting every person you deal with. "User" is a technical word and should not be used outside of technical circles - people want to feel like people. Generally I would recommend calling them "staff" for internal people, and "clients" for external people – a good guide is to use the same term as other departments with their communications.
Turn a "no" into an alternative solution: Everyone gets questions that should receive a negative answer, but when someone reaches out for help, that's the last thing they want to hear. "Can I plug in my personal laptop and use it at work?" usually comes under that category. The answer should be an alternative solution to their problem. Maybe they can do everything over the internet from that laptop, or they just need to get some files off, which could be done via USB storage.
Often people will ask for something they think is the best solution to their problem, which means more questions need to be asked to find out what they are actually trying to accomplish.
Good communication: Keep people updated. Let them know someone is working on their issue. Let everyone know of outages and resolutions by whatever notification method works the best. Check if people want more assistance, or to be left alone. Follow-ups should always be done; all users should be notified somehow that their issue or request has been addressed.
Adaptation: Some users want to know every intricate detail about their brand new laptop and how to use all the fancy new options. Others will want the laptop left on their desk without a word. Part of adaptation is reading people and asking the right questions, and the other half is leading them down the path that actually helps them more.
You can't hassle that person who wants to be left alone, but if there's one important nugget of information, you need to get that across somehow. Just wiping your hands clean and walking away won't help: if they don't know their password was reset, they'll just get angry and think you're useless at your job.
This might all sound like common sense to many, but it takes a lot of time to build up trust with your userbase, while only a few slip-ups can completely destroy it. You're there to assist the business, and that often doesn't align with an individual's particular request, but part of your job should be to keep both sides happy.

Read more →

Monday, January 20, 2014

Windows XP svchost bug - finally a fix

,

For the past several months, we have been checking on a bug in Windows XP that has caused SVCHOST to push the CPU of a PC up to 100 percent usage for some users. Microsoft tried in November to fix the issue but was unsuccessful. However, the company pledged to continue to work on fixing the bug, which it stated was due to "Windows Update Agent processing long lists of superseded updates."

On Tuesday, Microsoft depreciated legacy security updates for Internet Explorer that had been replaced by more recent ones. We did this to improve customer experience, reducing the time Windows Update requires to check existing updates before installing new ones. This action was purely to improve update performance and does not affect customer security.

The update came less than three months before all software patches for Windows XP from Microsoft will end on April 8th, although the company will continue to provide antivirus signatures for the OS until July 2015.
Read more →

Tuesday, December 24, 2013

Windows Server 2012 R2 & HP Proliant Microserver

,
Windows Server 2012 R2 hangs on 'Getting devices ready 84%'
Fails to Complete the installation on HP MicroServer Gen7 (N36L, N40L & N54L)
The MicroServer N36, N40L and N54L all share the same embedded NC107i PCI Express gigabit NIC. The NC107i uses the Broadcom BCM5723 chip which doesn’t have an updated driver included with the Server 2012 R2 installation media. The lack of drivers will get you stuck at 84%...

The current workaround is to disable the on-board NIC and install another card.
Flash the custom BIOS to unlock the hidden BIOS screens
Install a supported NIC in the PCIe slot (Joe used the Intel EXPI9301CTBLK
Go into the BIOS and change the settings to match
Boot Settings -> Embedded NIC Port 1 Control – [Disabled]
Boot Settings -> Wake-On LAN – [Disabled]
Chipset -> Atheros AR8132M NIC – [Disabled]
After a reboot, Server 2012 R2 should install fine.

Fall back to R1 or...., here's a solution for you!

Download this driver and add it to the $WinPEDriver$ folder of your media installation kit.
Disable Embedded NIC Port 1 Control in BIOS
Install Windows Server 2012 R2
Add a Server name
Reboot into BIOS to Enable the NIC
This should get you working, have fun!

HP have documented this as a known issue and are currently working with Microsoft to resolve prior to the official release of R2.
Read more →