Friday, December 11, 2009

Conflict

In all arguments, both solvable and perpetual, no one is ever right. There is no absolute reality in conflict, only two subjective realities.

Fundamental error: believing that the fight is entirely the other person's fault.

Thursday, December 10, 2009

Changes

People can change only if they feel that they are basically liked and accepted as they are. When people feel criticized, disliked, and unappreciated they are unable to change.
Instead, they feel under siege and dig in to protect themselves.

Wednesday, December 9, 2009

Vulnerability in HTML Help prevents opening downloaded CHM files

Problem:
       After downloading a .chm file from the network or the Internet, Windows treats it as untrusted (the file carries a Zone.Identifier "mark-of-the-web" stream), so when you try to open it an "Action canceled" error page appears instead of the content.

 Microsoft issued updates to fix the bug (Microsoft Security Bulletin MS05-026, "Vulnerability in HTML Help Could Allow Remote Code Execution"); after the update, HTML Help refuses to render .chm files that came from an untrusted zone. To view the file correctly, there are at least 2 methods:
  1. Use the HHReg utility to register HTML Help (.chm) files and make them available for viewing after they have been downloaded. Details on how to use it are on its site.
  2. A simpler way can also work:
    • Right-click the .chm file, then click Properties.
    • Click Unblock. This removes the mark-of-the-web; only do it for a file from a source you trust, because the block exists precisely because .chm files can run code.
    • Open the .chm again.
    • Enjoy the book :)

Monday, November 23, 2009

AutoIt script to execute on key combination event

     For the Programming section of SecurityOverride, you are required to write a script that solves a task, given a random input, within a short time (10-15 seconds). The method I've used for all the challenges is an AutoIt script that:
  • stays resident once run
  • when a keyboard combination is pressed:
    • copies the selected text into the clipboard
    • reads it back and runs a solver function on it
    • puts the result into the clipboard, ready to paste into the answer form
Example for challenge 1:


         In order to complete Programming Challenge 1, you must code a script that will reverse the string below, while maintaining the first letter at the beginning.
         Example: chicken -> cnekcih


#comments-start
 ;---------------------------------------
 Run Solve() on the Ctrl+F1 hotkey (for SecurityOverride programming challenges)
 ;---------------------------------------
#comments-end

HotKeySet("^{F1}", "Solve")   ; Ctrl+F1 triggers Solve()
Global $input

; Stay resident; the hotkey fires regardless of the Sleep
While 1
 Sleep(10000)
WEnd


Func Solve()
 GetInput()
 ParseInput()
 Exit(0)
EndFunc

; Copy the current selection and read it back from the clipboard
Func GetInput()
 Send("^{c}")
 Sleep(100)          ; give the foreground application time to update the clipboard
 $input = ClipGet()
EndFunc

; Keep the first character, reverse the rest: chicken -> cnekcih
Func ParseInput()
 Local $len = StringLen($input)
 If $len < 2 Then
   ClipPut($input)   ; nothing to reverse
   Return
 EndIf
 Local $a = StringToASCIIArray($input)
 Local $i, $j = 1
 Dim $rez[$len]

 $rez[0] = $a[0]
 For $i = $len-1 To 1 Step -1
   $rez[$j] = $a[$i]
   $j = $j + 1
 Next

 ClipPut(StringFromASCIIArray($rez))
EndFunc

; Result for "chicken": cnekcih


References: 

  1. AutoIt official site
  2. SciTE IDE for AutoIt3
  3. Great site: SecurityOverride

Tuesday, September 29, 2009

Script to find diff between labels in ClearCase

     A simple bash script, using cleartool, that lists the files carrying the new label but not the old one. Assuming modified files were labelled correctly with the new label, the script shows the files modified between two labels in ClearCase, together with the creator of the new version. A grep with a regular expression filters the output so that only files with .c, .cpp, .h, ... extensions are shown.

#! /bin/bash
# Script to show diffs between 2 ClearCase labels:
# every element version carrying <new_label> but not <old_label>,
# together with the user who created that version.

# cleartool location
CT=/usr/atria/bin/cleartool

usage() {
 echo "Usage: cc_dif.sh <new_label> <old_label>"
 exit 1
}

if [ $# -ne 2 ] ; then
 usage
fi

echo -e "\t-- New label: $1 --"
echo -e "\t-- Old label: $2 --\n"

# %Xn prints the extended name (path@@/branch/version), %Fu and %Lu the creator's
# full and login names. The grep keeps only source-like extensions; the '@' anchors
# on the '@@' that follows the file name in the extended name.
"${CT}" find . -version "{(lbtype($1) && ! lbtype($2))}" \
 -exec 'cleartool describe -fmt "%Xn \t\tBy: %Fu (%Lu) \n" $CLEARCASE_PN' \
 | grep -E '\.(c|cpp|h|hpp|xml)@'


References:
  • cleartool find man page (can also be accessed with cleartool man find)
  • cleartool describe man page
  • format strings accepted by the describe command: fmt_ccase
  • Useful regexp filters: this post
Hope it will be useful for others too. If you used other methods to do this, leave a comment :)

Strings replacement for windows

      Sometimes a simple utility like the Unix strings can be very helpful in a forensics process. Strings is a tool for Windows, developed by Mark Russinovich (Sysinternals), that scans executables or object files for ASCII or UNICODE (UTF-16) strings. Strings accepts wildcard parameters and can be used in conjunction with other tools like findstr.


Ex:
      strings prog123.exe | findstr /i name > OUT


Another useful parameter is -n, which returns only strings of a minimum length. The flags -a and -u restrict the scan to ASCII or UNICODE strings. It can scan files and folders too.


Using strings


Usage: strings.exe [-a] [-b bytes] [-n length] [-o] [-q] [-s] [-u] <file or directory>
Strings takes wild-card expressions for file names, and the other command-line parameters are:
  -s        Recurse subdirectories.
  -o        Print the offset in the file where each string is located.
  -a        Scan for ASCII only.
  -u        Scan for UNICODE only.
  -b bytes  Number of bytes of the file to scan.
  -n X      Strings must be a minimum of X characters in length.
To search one or more files for the presence of a particular string, pipe the output into findstr:
strings * | findstr /i TextToSearchFor
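To show what the tool actually does under the hood (and to have something that runs where strings.exe is not available), here is an added Python example, not part of the original post and not Sysinternals' code: a minimal strings scanner that mirrors the -a, -u, -n and -o switches, plus the findstr /i filter. The byte blob it scans is constructed for the example; it only imitates the layout of an executable.

```python
import re

# Constructed sample blob standing in for a small executable: a fake DOS header,
# an ASCII string, a UTF-16LE string (what Strings calls "UNICODE"), short junk,
# and a credential-looking ASCII string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                        # 8 bytes of header
    + b"Name: evil.dll\x00\x00"                           # ASCII string at offset 8
    + "http://example.invalid/c2".encode("utf-16-le")     # UTF-16LE string at offset 24
    + b"\x00\x00ab\x00"                                   # "ab" is below the minimum length
    + b"user=admin;pass=hunter2\x00"                      # ASCII string at offset 79
)


def extract_strings(data, min_len=4, want_ascii=True, want_unicode=True):
    """Return [(offset, kind, text)] for printable runs of at least min_len characters.

    Mirrors strings.exe: -a -> want_unicode=False, -u -> want_ascii=False,
    -n X -> min_len=X; the offset (-o) is always included here.
    """
    found = []
    if want_ascii:
        # A run of printable 7-bit bytes (space .. '~').
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    if want_unicode:
        # Printable ASCII code points encoded as UTF-16LE: each char is followed by 0x00.
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    found.sort()
    return found


def grep_strings(data, needle, min_len=4):
    """The `strings file | findstr /i needle` pipeline: case-insensitive substring filter."""
    needle = needle.lower()
    return [s for s in extract_strings(data, min_len) if needle in s[2].lower()]


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE_BLOB):
        print("%6d %-7s %s" % (offset, kind, text))
    print("matches for 'pass':", grep_strings(SAMPLE_BLOB, "PASS"))
```

The UTF-16 pattern explains why -u finds strings that -a misses: every character of a Windows wide string is separated by a zero byte, so an ASCII-only scan sees nothing longer than one character.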


Monday, September 21, 2009

Alternate Data Streams in NTFS

Windows Alternate Data Streams
NTFS, from Windows NT 3.1 through 2000 and XP (and every later version), has a nice (and documented!) feature: a file can have multiple data streams. The unnamed stream is what every program sees as "the file"; named streams can hold metadata or anything else. So a small data file can carry a much bigger, hidden alternate stream containing maybe a virus, or just information you want out of sight. This (sometimes useful) feature can be exploited in not so friendly ways.


Creating ADS Example
  • Create an ADS named "hidden" attached to hello.txt:
        echo "Hidden text" > hello.txt:hidden
  • Attach an executable to the file as another stream:
          type prog12.exe > hello.txt:hidden.exe
  • The text stream can be read back with the same file:stream syntax:
          notepad hello.txt:hidden
  • Running the executable stream:
         start hello.txt:hidden.exe
    (This gives an error about absolute paths on Windows NT, so running with an absolute path solves it)
         start c:\hello.txt:hidden.exe
    This command starts a new shell and executes the stream. Done. (This worked on Windows XP at the time; later Windows versions block starting an executable directly from a stream this way.)
  • Another feature is that streams can be attached to directories:
         echo "in hidden dir" > c:\HELLO:hidden.txt
  • What makes ADS still cool (in an evil way :) is that awareness of them is still limited to a narrow, specialised public.
Detecting ADS
These streams cannot be seen with a plain DIR command: DIR reports hello.txt with just the size of its main stream, not counting the alternate ones. Two good free programs to detect ADS are LADS by Frank Heyne and streams by Mark Russinovich (Sysinternals). On Windows Vista and later, dir /r also lists every stream with its size. The screenshot (not reproduced here) showed the creation of the two alternate streams above, with text and an executable, and a normal DIR not detecting them.
Task Manager and process tools (procexp and tasklist) show the hidden executable correctly, as c:\hello.txt:hidden.exe.


Deleting ADS
  • If you move the file/folder carrying alternate streams to a file system other than NTFS (FAT32, a share that doesn't support streams), the alternate streams are dropped; Explorer warns about the data loss.
  • If the ADS is attached to a file, you can copy just the content of the main stream to a new file, then delete the old one:
          type hello.txt > hello_noads.txt
  • If the ADS is attached to a directory, use the trick from Frank Heyne's site, or use the streams program with the -d parameter (it deletes all named streams of the given files or directories).
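The most common alternate stream a user meets is the one behind the "Unblock" button from the CHM post above: when a browser or mail client saves a download, the Attachment Manager writes a Zone.Identifier stream next to the file, and the "Action canceled" page is HTML Help honouring it. The added Python example below (not from the original post, and not Microsoft's code) parses that stream's INI-style content and, on Windows, reads it straight off NTFS with the same file:stream syntax used above; the sample stream content is constructed, and the zone-id-to-name table is assumed from the standard URL security zones.

```python
import configparser
import os

# URL security zone ids as written by the Attachment Manager (assumed well-known values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a Zone.Identifier stream looks like for a downloaded file.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=http://example.invalid/books/\r\n"
                 "HostUrl=http://example.invalid/books/manual.chm\r\n")


def parse_zone_identifier(text):
    """Parse the INI-style stream; return (zone id, zone name) or None if it carries no ZoneId."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone_id = cp.getint("ZoneTransfer", "ZoneId")
    return zone_id, ZONE_NAMES.get(zone_id, "unknown zone")


def read_mark_of_the_web(path):
    """Read <path>:Zone.Identifier on NTFS. Returns None when the stream is absent or off Windows."""
    if os.name != "nt":          # the ':stream' syntax only exists on Windows/NTFS
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="ascii", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:              # no such file, or no such stream
        return None


def is_untrusted(zone):
    """Internet (3) and Restricted (4) are the zones the Attachment Manager treats as untrusted."""
    return zone is not None and zone[0] >= 3


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))      # (3, 'Internet')
    print(read_mark_of_the_web("manual.chm"))        # None unless run on Windows with that file
```

Clicking Unblock (or deleting the stream with streams -d) removes exactly this stream, which is why the file opens afterwards: nothing in the .chm itself changed, only the provenance record attached to it.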


Wednesday, September 16, 2009

Hide data in images

     There's a simple trick on Windows that lets you mask or hide one file inside another. For example, you can append an archive (.zip/.rar/...) to a text file or an image file (or any other) using the /B flag of the copy command.

C:\>copy /?
Copies one or more files to another location.

COPY [/D] [/V] [/N] [/Y | /-Y] [/Z] [/A | /B ] source [/A | /B]
     [+ source [/A | /B] [+ ...]] [destination [/A | /B]]

  source       Specifies the file or files to be copied.
  /A           Indicates an ASCII text file.
  /B           Indicates a binary file.



As the help shows, copy accepts multiple sources joined with +. The /B flag means binary copy: the bytes are concatenated exactly as they are. Without it, copy treats the inputs as ASCII text, stops at the first Ctrl-Z (0x1A) byte and appends one at the end, which corrupts the archive. The usage is as follows (suppose we have a picture pic.jpg and a hidden.zip archive we want to hide, in the same directory):

   copy /b pic.jpg + hidden.zip pic.jpg

Then the archive can be deleted. The size of the picture has grown by the size of the archive, but it still displays as an image, because JPEG viewers stop at the end-of-image marker. You can also open pic.jpg with WinZip, 7-Zip or another archiver, like a normal archive, because ZIP readers look for the central directory at the end of the file. Note that this is plain concatenation, not steganography: the size jump and the ZIP structures at the tail are obvious to anyone who looks for them.
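Both sides of the trick, the copy /b concatenation and the reason an archiver still opens the result, come down to where the two formats keep their framing. The added Python example below (not from the original post) reproduces the concatenation in memory and then does what a forensic triage script would do: detect that a ZIP archive is glued to the end of a JPEG and recover its contents. The carrier bytes are constructed (a JPEG header and end marker with padding, not a viewable picture) and the archive is built with the standard zipfile module.

```python
import io
import zipfile

# Constructed stand-in for pic.jpg: SOI marker, a minimal APP0/JFIF segment, padding, EOI marker.
# It is not a viewable picture; only the JPEG framing matters here.
FAKE_JPEG = (b"\xff\xd8"
             + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 64
             + b"\xff\xd9")


def make_zip(files):
    """Build hidden.zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def copy_b(carrier, payload):
    """What `copy /b pic.jpg + hidden.zip pic.jpg` produces: plain byte concatenation."""
    return carrier + payload


def find_appended_zip(blob):
    """Detect and extract an archive glued to the end of a file.

    ZIP readers locate the end-of-central-directory record by scanning from the *end*
    of the file, so leading image bytes are ignored; that is why WinZip/7-Zip open
    pic.jpg happily. Returns (offset where the archive starts, {name: bytes}) or None.
    """
    bio = io.BytesIO(blob)
    if not zipfile.is_zipfile(bio):
        return None
    with zipfile.ZipFile(bio) as zf:
        infos = zf.infolist()
        # zipfile rewrites header_offset to absolute file positions when data is prepended
        start = min(i.header_offset for i in infos)
        return start, {i.filename: zf.read(i) for i in infos}


def jpeg_has_trailing_data(blob):
    """Cheap forensic check: a well-formed JPEG ends exactly at its EOI marker (FF D9)."""
    return blob.startswith(b"\xff\xd8") and not blob.endswith(b"\xff\xd9")


if __name__ == "__main__":
    polyglot = copy_b(FAKE_JPEG, make_zip({"secret.txt": b"the hidden text"}))
    print("trailing data:", jpeg_has_trailing_data(polyglot))
    print("appended archive:", find_appended_zip(polyglot))
```

The trailing-data check is deliberately cheap and can be fooled (a ZIP comment ending in FF D9 defeats it); the zipfile-based check is the reliable one, because it uses the same end-of-file search the archivers do.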

Enjoy and be respectful:)



Sunday, September 13, 2009

How to automate tasks with AutoIt AU3Recorder

   AutoIt allows recording a series of actions and then playing them back (recording a macro). Besides AutoIt, you also need the script editor (SciTE4AutoIt3). After you install both, run SciTE, create a new file with the .au3 extension, and start AU3Recorder, either from the Tools menu or with the Alt+F6 combination (the option is not present if the file being edited is not an .au3 file).




This is a good start for automating simple things on Windows. After creating the .au3 script, it can be edited manually if it needs adjustments, and then run every time.


Any scenario you can imagine can be automated, starting from clicks and key combinations, installing programs, running tasks...
Great productivity increase :)
Simple example of automating some browser work (selecting text, copying, opening tabs, ...). The address variable $adr is not set anywhere in the recorded fragment, so it is declared here with a placeholder value:
; Address to open in each new tab (placeholder: not set in the original fragment)
Global $adr = "http://example.invalid/"

Func Solve()
 Dim $i, $result, $input

 For $i = 5 To 1 Step -1
  ; Double left click at cursor position (mouse buttons swapped in Control Panel, hence "right")
  MouseClick("right", Default, Default, 2)

  Send("^{c}")        ; Copy
  $input = ClipGet()  ; Get clipboard content
  $result = StringCompare($input, "fail", 1)
  If $result <> 0 Then
   Print($adr, 2000)  ; Show the address for 2 seconds when the copied text is not "fail"
  EndIf

  Send("^{t}")        ; Open new tab in browser
  Send($adr, 0)       ; Type address
  Send("{ENTER}")     ; Hit Enter

  Sleep(1000)
 Next
EndFunc    ; ==> Solve()

; Show a tooltip with $string for $time milliseconds
Func Print($string, $time)
 ToolTip($string)
 Sleep($time)
 ToolTip("")
EndFunc   ;==>Print()

Change icons for X applications in Cygwin

       When applications are started on a remote computer and displayed locally through a Cygwin X server, all programs get the default X-shaped icon. This and other settings can be configured in the file c:\cygwin\etc\X11\system.XWinrc; the syntax is explained in the file itself and in the XWinrc manual page.
To assign specific icons to specific programs, the syntax is as below: a local folder holding the .ico files, a default icon, and an ICONS block that maps window classes or names to icon files.
IconDirectory     "D:\icons"
DefaultIcon        "favicon.ico"

#Some comments

ICONS {
      < class-or-name-of-window> <icon-file-name.ico>
      . . .
}

  • The window class name can be found with the xprop utility: run xprop, then click the target window, and its properties (including WM_CLASS) are printed in the terminal where xprop is running.
  • The window name (WM_NAME) is also shown by xprop. It doesn't have to be the full window title; the first n letters of the title also match.
Enjoy!

( I am running Cygwin X Server version 1.5.3. I ran into different problems with older versions.)


Monday, September 7, 2009

Use Python mechanize library to simulate a browser


    Mechanize is a library for programmatic web browsing in Python (2.x). Some basic features:
  • HTML form filling and submitting
  • Link parsing and following
  • Manage Browser history (.back() and .reload() methods)
  • Modify/View HTML headers
  • Deal with cookies
  • Download files
  • Setting proxies

The examples from its documentation were very helpful. I was working on programming challenge 10 from Security Override. The task is to write a script that scans 100 subdirectories for 3 given passwords, then assembles an answer and submits it through a form. The script below uses mechanize to log in to the site, request each page and compute the answer.


import mechanize

# Login to site. The credentials here are placeholders; in practice read them from a
# config file or environment variable instead of hard-coding them in a script you may share.
url = 'http://securityoverride.com/login.php'
userinfo = {'username': 'pennypecker', 'password': 'abracadabra'}
# Base URL of the challenge page (not given in the original post; set it to the real one)
challenge_url = 'http://securityoverride.com/<challenge-10-page>/'

br = mechanize.Browser()
br.addheaders = [('User-agent', 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10')]
br.open(url)
br.select_form(name="loginform")
br["user_name"] = userinfo['username']
br["user_pass"] = userinfo['password']
br.form.action = url
response = br.submit()          # the session cookie is kept by the Browser object

answer = ''

# Open the 100 subdirectories; a page whose body is not 'fail' holds one of the passwords
for i in range(1, 101):
    response = br.open(challenge_url + 'moo/' + str(i) + '/index.php')
    content = response.read()
    print str(i) + ' = ' + content
    if 'fail' != content:
        answer = answer + str(i) + ':' + content + '; '

answer = answer[0:len(answer) - 2]   # strip the trailing '; '
print answer

# Open index and fill the submit form with the answer
br.open(challenge_url)
br.select_form(name="submitform")
br["string"] = answer
br.form.action = challenge_url + '/index.php'
print br.form
response = br.submit()


Programmatic Gmail authentication with urllib2

   The Python urllib2 library can be used to automate logging in to sites that require authentication. Below I used it to authenticate to Gmail, fetch the Atom mail feed, and parse the feed with the feedparser library from Mark Pilgrim. The references contain lots of examples and documentation.
import urllib2
import logging
import feedparser


def auth(user, passwd):
    """Fetch the Gmail Atom feed over HTTPS using HTTP Basic authentication.

    Basic auth sends the password base64-encoded, so only the TLS connection protects it:
    never use it against a plain http:// URL, and keep the credentials out of the script.
    """
    auth_handler = urllib2.HTTPBasicAuthHandler()   # answers the server's 401 challenge
    auth_handler.add_password(
        realm='New mail feed',
        uri='https://mail.google.com',
        user='%s@gmail.com' % user,
        passwd=passwd
    )
    opener = urllib2.build_opener(auth_handler)
    urllib2.install_opener(opener)

    try:
        feed = urllib2.urlopen('https://mail.google.com/mail/feed/atom')
    except urllib2.HTTPError, e:
        logging.error('The server couldn\'t fulfill the request.')
        logging.error('Error code: %s', e.code)
        exit(1)
    except urllib2.URLError, e:
        logging.error('We failed to reach a server.')
        logging.error('Reason: %s.', e.reason)
        exit(2)
    except Exception, e:
        logging.error('Other exception in urlopen: %s', e)
        exit(4)

    logging.info('Feed opened')
    return feed.read()


def read_mail(feed):
    # Parse the Atom feed
    atom = feedparser.parse(feed)

    num_email = len(atom.entries)

    for i in range(num_email):
        mail = atom.entries[i]
        # ... (per-message handling elided in the original post)

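The script above cannot be exercised without a Gmail account, so here is an added, self-contained Python 3 example (not from the original post) of the same Basic-auth flow with urllib.request, the successor of urllib2: a tiny local HTTP server stands in for mail.google.com, challenges with a 401 and a WWW-Authenticate header, and serves a constructed Atom feed in Gmail's shape once the right credentials arrive; the client registers the password for the realm exactly as the post does, and the feed is parsed with the standard library instead of feedparser. The credentials, the server and the feed content are all constructed for the example.

```python
import base64
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPBasicAuthHandler, build_opener

REALM = "New mail feed"
USER, PASSWD = "someone@example.com", "app-password-123"   # assumed test credentials

# Constructed Atom feed in the shape of Gmail's (not real Gmail output).
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#">
<title>Gmail - Inbox for someone@example.com</title>
<fullcount>2</fullcount>
<entry><title>Invoice</title><summary>Please pay</summary>
<author><name>Alice</name><email>alice@example.com</email></author></entry>
<entry><title>Hello</title><summary>Hi there</summary>
<author><name>Bob</name><email>bob@example.com</email></author></entry>
</feed>"""


class FeedHandler(BaseHTTPRequestHandler):
    """Stand-in for mail.google.com: 401 until valid Basic credentials arrive."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{USER}:{PASSWD}".encode()).decode()
        if self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/atom+xml")
        self.end_headers()
        self.wfile.write(SAMPLE_FEED)

    def log_message(self, *args):   # keep the output quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FeedHandler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_feed(base_url, user, passwd):
    """Same flow as the urllib2 version: password for the realm + Basic handler + opener."""
    handler = HTTPBasicAuthHandler()
    handler.add_password(realm=REALM, uri=base_url, user=user, passwd=passwd)
    opener = build_opener(handler)
    with opener.open(base_url + "/mail/feed/atom", timeout=5) as resp:
        return resp.read()


def parse_feed(xml_bytes):
    """Return [(title, sender email)] for each entry, using the standard library."""
    ns = {"a": "http://purl.org/atom/ns#"}
    root = ET.fromstring(xml_bytes)
    return [(e.findtext("a:title", namespaces=ns),
             e.findtext("a:author/a:email", namespaces=ns))
            for e in root.findall("a:entry", ns)]


def demo():
    """Log in with the right and then the wrong password; returns (mails, wrong-password rejected)."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        mails = parse_feed(fetch_feed(base, USER, PASSWD))
        try:
            fetch_feed(base, USER, "wrong-password")
            rejected = False
        except HTTPError as err:        # the handler gives up after one retry -> 401 surfaces
            rejected = err.code == 401
        return mails, rejected
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing: the handler only sends credentials after the server has challenged for the registered realm, so a typo in the realm string silently produces a 401 rather than a clearer error; and the Authorization header is just base64 of user:password, which is why the real feed must only ever be fetched over https.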


Configure network from command line in Ubuntu 10

A. Temporary settings for the network can be added and tested with the ifconfig command. To view the current settings of an interface:

# ifconfig wlan0
or:

# iwconfig wlan0

iwconfig is the wireless counterpart of ifconfig: it shows and sets the radio-level parameters (ESSID, mode, channel, key) that ifconfig does not know about.

For example, to set an IP address on the wireless interface wlan0:

# ifconfig wlan0 192.168.0.22 netmask 255.255.255.0 up

Note that all these commands need super-user rights; either prefix each one with sudo or switch to root:

$ sudo su

To configure the default gateway, use the route command:
# route add default gw 192.168.0.1 wlan0
To verify the default gateway configuration, print the routing table (the default route is the line with destination 0.0.0.0):

# route -n
To add DNS server addresses, edit the file /etc/resolv.conf and add nameserver lines for your network. For example:
nameserver 89.32.16.2
nameserver 192.168.0.1
These settings are lost at reboot, and /etc/resolv.conf is rewritten by the DHCP client when one is running.

B. Permanent settings can be configured for the appropriate interface in the file /etc/network/interfaces. Example of a permanent static IP address, netmask and gateway for the wireless interface wlan0:

auto wlan0
iface wlan0 inet static
address 192.168.0.22
netmask 255.255.255.0
gateway 192.168.0.1
After adding the interface configuration to this file, the interface can be brought up and down with the ifup and ifdown commands:

sudo ifup wlan0
To manually disable the interface:
sudo ifdown wlan0
(ifconfig and route belong to the legacy net-tools package; on current distributions the equivalents are ip addr and ip route, and newer Ubuntu releases configure interfaces through netplan rather than /etc/network/interfaces.)

Saturday, August 22, 2009

Install Ubuntu 10.10 on usb with persistence

I used the Universal USB Installer from the link below and downloaded and installed Ubuntu 10.10 with persistence on a 2 GB usb stick. Great article!



Python remove list elements in-place

   In Python, if you want to remove elements from a list based on a condition, the obvious loop does not work correctly:

for elem in lst:
    if cond(elem):
        lst.remove(elem)

Removing an element shifts everything after it one position to the left, but the iterator's internal index still advances, so the element that moved into the removed slot is never examined. For example, if the list contains 10 elements that should all be removed, only 5 of them are. Python offers 2 simple approaches (Method 2 and 3 below); both create a new list. Another solution is to remove elements in place, without allocating a second list (Method 1). The code is self-explanatory: to_idx keeps track of where the next valid element must be written; afterwards everything past that index is deleted in a single slice operation.

# In-place filter of a list
# Keeps elements matching condition
def filter_list(lst, cond):
    to_idx = 0
    for el_current in lst:
        if cond(el_current):
            lst[to_idx] = el_current   # compact valid elements towards the front
            to_idx += 1
    del lst[to_idx:]                   # drop the leftover tail


big_list = [1, 2, 7, 4, 6]


def main():
    my_list = [11, 1, 9, 3, 5, 2, 2, 7, 5, 5]
    contained_in_big = lambda el: el in big_list
    # Method 1
    filter_list(my_list, contained_in_big)
    # Method 2
    #my_list = [x for x in my_list if contained_in_big(x)]
    # Method 3 (on Python 3, filter() returns an iterator: wrap it in list())
    #my_list = list(filter(contained_in_big, my_list))

    print(my_list)   # [1, 2, 2, 7]


if __name__ == "__main__":
    main()
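To make the failure mode concrete, and to show two further in-place options the post does not mention, here is an added Python example (not part of the original post): the broken remove-while-iterating loop as a function whose result can be inspected, an in-place filter by slice assignment (which keeps the same list object, so other references to it see the change), and deletion by index walking backwards, which never shifts an element that has not been visited yet.

```python
def remove_during_iteration(lst, cond):
    """The broken pattern from the post: removing from the list you are iterating over.

    Each removal shifts the following element into the slot the iterator has already
    passed, so every other matching element survives.
    """
    for elem in lst:
        if cond(elem):
            lst.remove(elem)
    return lst


def filter_inplace_slice(lst, keep):
    """Idiomatic in-place filter: slice assignment replaces the contents of the same object."""
    lst[:] = [x for x in lst if keep(x)]
    return lst


def remove_backwards(lst, cond):
    """Delete by index from the end; shifting only affects elements already examined."""
    for i in range(len(lst) - 1, -1, -1):
        if cond(lst[i]):
            del lst[i]
    return lst


if __name__ == "__main__":
    print(remove_during_iteration([0] * 10, lambda x: x == 0))   # half the zeros survive
    data = [11, 1, 9, 3, 5, 2, 2, 7, 5, 5]
    alias = data
    filter_inplace_slice(data, lambda x: x in (1, 2, 7, 4, 6))
    print(alias)                                                 # the alias sees the same result
```

Slice assignment does allocate a temporary list while it runs, so it is not as memory-frugal as the two-index compaction in the post; it is the usual choice when readability matters more than the transient copy.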