Meeting: 2006.10.25 0x0002

Our third technical meeting was held Oct. 25th, 2006, from 6pm to 9pm, at Central Market. Central Market is located at 4001 North Lamar, Austin, Texas (map)

Food and drinks (including alcohol!) is permissible at the meeting, provided you purchase said food and drink from Central Market. As such, there was no sponsored food or drink this meeting.

Speaker Notes

Aaron Portnoy

I presented on a small aspect of a side project involving code execution on an Acura vehicle navigation system. I demo'd an IDApython script for finding slack space in a binary and injecting your own code into it. I've recently developed/brainstormed a better means for doing this, so no code will be made available… yet.

Cody

I had been thinking about the power of UNIX when processing data on the command line. Find, grep, awk, etc. are all well designed for this purpose. With that in mind I came up with a novel approach to representing a binary in unix. Since all binaries can be effectively broken down into functions, basic blocks, and instruction I wrote a script that takes a pida file and writes it in a UNIX directory structure. This allows for a user to navigate a binary with whatever UNIX environment they prefer using the powerful command line utilities. The way in which the script works is it creates a directory for each function, and a directory for each basic block in the function containing a file for each instruction. Each file/directory is named by address and the instruction files contain the disassembly of that instruction. For instance

$ find -L .
./0x401000                    <--- Function
./0x401000/0x401000           <--- Basic Block
./0x401000/0x401000/0x401000  <--- Instructions
./0x401000/0x401000/0x401002  <
./0x401000/0x401000/0x401008  <
./0x401000/0x401000/0x401009  <
./0x401000/0x401000/0x40100e  <
./0x401000/0x401000/0x401010  <

You can also print the contents of a basic block or function like so.

$ for i in `ls`;do echo -n "$i: "; cat $i; echo; done
0x401050: push ebp
0x401051: mov ebp [esp+arg_0]
0x401055: push esi
0x401056: mov eax ebp
0x401058: push edi
0x401059: lea edx [eax+1]
0x40105c: lea esp [esp+0]

Also I create symlinks for any call inside of a basic block, linking it to the functions directory. Like below, where a directory with an "_" is the call address and its destination function.

$ find -L . -type d
./0x402140/0x4023b9/0x4023c0_0x401050
./0x402140/0x4023b9/0x4023c0_0x401050/0x401050
./0x402140/0x4023b9/0x4023c0_0x401050/0x401060
./0x402140/0x4023b9/0x4023c0_0x401050/0x401067
./0x402140/0x4023b9/0x4023c0_0x401050/0x401070

Here is another simple example to look for interesting library calls.

$ find . -type f -exec egrep -H 'sprintf|sscanf|recv|bind|accept' {} \;
./0x401050/0x401094/0x4010aa:call ds:_imp__sprintf
./0x401700/0x401700/0x401716:call ds:_imp__sprintf
./0x404850/0x4048e6/0x4048f9:call ds:_imp__accept
./0x406090/0x4061d9/0x4061e6:call ds:_imp__sscanf
./0x406090/0x40624d/0x40625a:call ds:_imp__sscanf
./0x4062e0/0x406340/0x406353:call ds:_imp__sscanf
./0x406c90/0x406d64/0x406d7a:call ds:_imp__sprintf
./0x404060/0x4040a7/0x4040b1:call ds:_imp__recv
./0x40dd20/0x40dd62/0x40dd6b:call ds:_imp__bind

Kinda funny. The script can be gotten from the link below, and it take a pida file and output directory.
module2dir.py
Paimei

H D Moore

I presented on the new wireless (802.11) features in version 3.0 of the Metasploit Framework and skape's new kernel-mode payload stager.

Install the latest Lorcon snapshot:
$ http://www.802.11mercenary.net/lorcon/ [11mercenary.net]

Grab the latest version of metasploit 3:
$ svn co http://metasploit.com/svn/framework3/trunk/ [metasploit.com]

Compile the Metasploit Lorcon wrapper:
$ cd trunk/external/msflorcon
$ make

Plug in a support network card (I use a WPN511 with the madwifi-old driver in Gentoo)

Load the Metasploit Console (as root, since it needs raw WiFi access)
# trunk/msfconsole

Play with some of the demo modules :-)

This is an example of sending fake beacon requests to flood the Windows Wireless Network Browser:
msf > use auxiliary/dos/wireless/fakeap
msf auxiliary(fakeap) > show options

Module options:

      CHANNEL 11 yes The default channel number
      DRIVER madwifi yes The name of the wireless driver for lorcon
      INTERFACE ath0 yes The name of the wireless interface

Type the "run" command, or use "set VARIABLE VALUE" to change these options.

msf auxiliary(fakeap) >run

I)ruid

I gave the first in hopefully what will become a series of turbo talks that I've named "Blast From the Past" over something novel, useful, or notable from many many years ago. The one I gave at this meeting was a very short overview of an exploitation framework that CAU designed and implemented just under a decade ago (in 1997), drawing some comparisons to HD's Metasploit Framework.

Slides: HTML | PDF | Flash
Files: README | hackit.cf

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.