Domain: phrack.com
Stories and comments across the archive that link to phrack.com.
Comments · 38
-
Re: Least interest
BIOS malware can install System Management Mode code that logs keystrokes. Please read: http://www.phrack.com/issues.h... http://www.eecs.ucf.edu/~czou/...
-
Re:2600
Yeah, I think you'd be better served going through old issues of Phrack than wasting your time with 2600's technical articles. The stuff in Phrack is dated, but at least it's real. And the letters page is way more entertaining than 2600's feeble attempt to copy it.
-
Re:BTDT
Millions of times over the years by millions of people.
The 57 bytes look impressive at first, but seriously? Is that using 57 bytes of their own rather than borrowing them from somewhere else? Come back next year and have another go...
(actually found that while googling for the last slashdot story about overlapping ELF headers to get a smaller hello world)
-
Re:So Linux isn't suspicious
Don't forget Action Man. Elite hackers work in Windows, too.
c:\dos> vol
Volume in drive C is DOS
Volume Serial Number is 12A1-1C20
c:\dos> label
Volume in drive C is DOS
Volume Serial Number is 12A1-1C20
Volume label (11 characters, ENTER for none)? 3L1T3H4CK3R
c:\dos> vol
Volume in drive C is 3L1T3H4CK3R
Volume Serial Number is 12A1-1C20
c:\dos> damn i rool
Bad command or file name
c:\dos> root
Bad command or file name
c:\dos> give actionman root
Bad command or file name
c:\dos> password root actionman
Bad command or file name
c:\dos> FUCKFUCKFUCKFUCKFUCKFUCKFUCK
Bad command or file name
c:\dos> whyamisolameohgodpleasesomeonekillme
Bad command or file name
c:\dos> ohgodimafourstarloser
Bad command or file name
-
More importantly they're not a magic bullet.
http://www.phrack.com/issues.html?issue=59&id=9
Quoth the article:
We will demonstrate that in certain conditions, it is still possible to exploit stack based buffer overflows protected by PaX with all options activated, including the new ET_EXEC binary base address randomizing.
We will show that we can reduce the problem to a standard return-into-libc exploitation. Heap overflows won't be developed, but it might also be possible to exploit them in an ASLR environment using a derived technique.
-
Re:FAQ
I googled for the ecrime howto but couldn't find it. Link please.
Try reading this zine and this zine, too. This is also recommended. Try here, too. Start searching forums, IRC, etc. Subscribe to all the major vulnerability sites, too. Learn to code, if you don't already know how. Get skills in C, assembler, Java, SQL, Visual Basic, Python, PHP, Perl, Unix, Linux, Windows, DNS, TCP/IP, routing protocols, Apache, MySQL, PostgreSQL, Oracle, etc. Understand how networks and systems work, architecturally speaking, from a high-level all the way down to the physical hardware.
The learning curve is pretty steep for anyone who wishes to ascend beyond the level of 'l337 skr1p7 k1dd13'.
Be aware, however, that the penalties for getting caught are very high. Think Kevin Mitnick.
-
Phrack's Introduction...
Chapter 1 starts with an overview of the history of Nmap and how it came to be.
Trivia: I remember clearly reading nmap's introduction to the world in Phrack issue 51 "The Art of Port Scanning" more than 10 years ago.
(And it's cool to see Phrack is still around!)
-
Re:AHH
Phrack 64 has a nice overview on Hijacking RDS TMC traffic information signal.
The opening paragraph goes like this:
Modern Satellite Navigation systems use a recently developed standard called RDS-TMC (Radio Data System - Traffic Message Channel) for receiving traffic information over FM broadcast. The protocol allows communication of traffic events such as accidents and queues. If information affects the current route plotted by the user the information is used for calculating and suggesting detours and alternate routes. We are going to show how to receive and decode RDS-TMC packets using cheap homemade hardware, the goal is understanding the protocol so that eventually we may show how trivial it is to inject false information.
-
Re:Page Text
Celebrating its 20th anniversary
It really amazes me just how much longevity the CCC has displayed, despite having gotten mixed up in scrambles that would have totally taken apart anyone less hardy. From concerns that one of their members might have been bumped off, working for the KGB, breaking into NASA... and somehow still finding time to run the Blinkenlights and the congress every year.
I know I would have cashed my chips and left a group like that a long time ago. Hats off guys, how do you do it?
YLFI -
Phrack did it first
Before I ever read it on slashdot, my friends and I were hacking traffic lights thanks to phrack. It used to take me 25 minutes to get to work, but now it only takes 15 :P
It also tells you how to get into the main traffic light control system, though you have to go through a bunch of backdoors into a VAX system. Imagine if Al-Qaeda managed to do that, though...
-
GPS jammers
Relying on GPS only has always been a bad idea. There are plenty of reasons for this, one being GPS jammers.
A search for "GPS jammer" can be interesting for the bored.
-
Re:Isn't this the guy...
No, they look somewhat similar, but it isn't the same person.
Tsutomu Shimomura is the person you are thinking of, not Morgan Lim.
BTW, although the bio might be accurate, I would actually trust everything I read at takedown.com. It is *definitely* biased towards the Markoff side of the Mitnick saga. Read this for an interesting take on the Mitnick saga. Start at section 2a.
-
Re:Next day, several new protocols invented...
Voice Over ICMP. Ingenious. ICMP can be used as a covert data channel; there is a nice article in Phrack, highly recommended.
-
Re:Kernel compiles don't have to be horror stories
Some of you may be thinking there's no need to recompile the kernel if you can just use insmod. Have you heard of the module-based rootkits? My hardened system has loadable modules disabled. If I need to compile something, I do it on another system. A little paranoia pays off in this world.
This will not help you at all. One can modify the kernel at runtime using /dev/kmem, and you cannot protect against that (for a detailed discussion, see this article from Phrack 58). There are rootkits out there that use this technique.
-
Re:So use one-time pads
A much more common source of randomness that was published in Phrack Volume 8 Issue 54 is to use a cleaned white noise signal from a soundcard. See This link for more details.
-
Wormy Links
I read an article in Phrack about how people could start setting up webpages with links that are exploits. So say you made a web page with a link to www.blah.com/blah.asp?HHHHHHHHHHHHHH.... something like the Code Red exploit. Then when a web indexer etc. comes around, it will not only perform the exploit for you, it may end up indexing this exploit for others to find in search results. Although I don't think that Google will archive something with a ?HHHHH.. on the end, many bots will probably follow any link they come across. That would be search engine manipulation if you ask me, although quite different than, say, googlebombing.
-
G-philes
Anyone remember "g-philes," little instruction books on hacking/phreaking/applied chemistry? I believe the term came from "general files" text file listings on RBBS's.
What is funny is that they are still out there, stuff me and my friends wrote back in 1986, probably on a handful of BBS's. And let's not forget about Phrack.
-
Re:Just thought of a way to potentially fight this
If a business has a 1-800 number, it costs them money each time you call, right? It's like long distance in reverse, right?
There's a lot of 800 numbers that pay a monthly "flat-fee" now, but YMMV.
I'd be willing to get an extra phone line (different number) and have my computer call and listen to the message all day. I could have it call them over and over again.
I wouldn't suggest war-dialing. Guaranteed to get you in trouble. A Long Time Ago, this was done and was well logged by Southern Bell.
-
Re:The problem may be Time Warner
On the contrary.
Have a look at Phrack 58, phile 0x05
(From the introduction to the article:)
The UNIX world has lagged far behind the Microsoft world (including both MS-DOS and MS Windows) in the twin realms of binary protection and reverse engineering.
The variety and types of binary protection are a major area of difference. MS Windows PE binaries can be encrypted, packed, wrapped, and thoroughly obfuscated, and then decrypted, unpacked, unwrapped, and reconstructed. Conversely, the best that can be done to a UNIX ELF binary is stripping the debugging symbol table. There are no deconstructors, no wrappers, no encrypters, and only a single packer (UPX [12], aimed at decreasing disk space, not increasing protection) for the ELF. Clearly the UNIX ELF binary is naked compared to the powerful protections afforded the Windows PE binary format.
The quantity and quality of reverse engineering tools are other key areas of significant gulf. The runtime environment of the PE binary, and indeed the very operating system it executes on, is at the mercy of the brilliant debugger SoftICE. Meanwhile the running ELF can only be examined one word at a time via the crippled system call ptrace(), imperfectly interfaced via adb and its brain dead cousin: gdb. The procfs, on those systems on which it is present, typically only provides the ability to examine a process rather than control it. Indeed, the UNIX world is an unrealised nightmare for the UNIX reverse engineer. Unrealised because up until now no one has bothered to protect an ELF binary.
-
Missing Metal Shop BBS, home of Phrack Magazine
I can't find in the list the Metal Shop BBS, the BBS of one of the phrack magazine founders, Taran King.
Check the original announcement
-
*grin* Here's another...
Micro$oft considers it a feature that you can piggyback queries passed through an ODBC connection. What does this mean? This means that websites using ODBC connections to run queries (translation: dynamic pages) are extremely vulnerable to "tinkering" with. Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something. Of course you have to have permissions, and you have to understand SQL a bit -- but hey. 'tis a bit scary. See the link to phrack, the relevant info is down towards the bottom. Again, this is old -- as in from SQL Server 6.5 days.
-
hacker pages.
L0pht Heavy Industries
Cult of the dead cow
Happyhacker.org
Infiltration.org
hackers.com
Hacker news
attrition.org
AntiOnline
AntiCode
phrack
2600
Many of these pages contain archives that have documents on cracking networks and such.
Vast documents on cracking NT servers.
A few of these are not really related but fun anyhow.
And the archives also contain many documents on system defence.
-----
If my facts are wrong then tell me. I don't mind.
-
Why not Nirva?
If /. is going to be publishing stuff about body modification, why not go with someone who has something to do with computers? He's been the editor of Phrack, he has really cool body modifications, and he produces code.
Check out Nirva.
<rant>
Personally I think that body modification is cool, but do we really need it on /.? There's a lot of good stories that are getting rejected, and we get stuff like this? I guess I would feel better about it if there weren't 200 stories in the queue right now. Some of those are probably really interesting things that we won't see.
</rant>
--
-
Charlie Brown's Kite
Sorry, but when I read "attack trees" I can't help but think of the Kite Eating Tree from Peanuts.
:*)
But anyhow, the logic behind attack trees looks solid. If you can compromise one system, you can use it as a stepping stone to move on to the next.
Phrack once ran an article called "Distributed Metastasis" which might make an interesting read.
-
Dang it!
-
It was released yesterday....
According to www.phrack.com it was released on 9/9/99.
-
You can also download it using this HTTP url
-
Re:What if....
>example: how do you prove that Win2K doesn't use some modified Linux IP stack? Nobody's allowed to
>see the source so nobody will ever find out right?
Someone's already thought of that.
An excerpt from http://www.phrack.com/search.phtml?view&article=p54-9 which describes nmap, an OS fingerprinting-by-TCP/IP-stack-details tool:
TCP Initial Window -- This simply involves checking the window size on
returned packets. Older scanners simply used a non-zero window on
a RST packet to mean "BSD 4.4 derived". Newer scanners such as
queso and nmap keep track of the exact window since it is actually
pretty constant by OS type. This test actually gives us a lot of
information, since some operating systems can be uniquely
identified by the window alone (for example, AIX is the only OS I
have seen which uses 0x3F25). In their "completely rewritten"
TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is
exactly the number used by OpenBSD and FreeBSD.
-----------------
Interesting indeed! Hmmm, looks like MS has been caught with their pants down and their finger in the pie and their hand in the till. :)
mentaldent
-
Re:buffer overflows and script kiddies
Yes, the return address is modified to return to your evil code which you inserted in the buffer you overflowed. That code generally does something useful like give you a shell. See Smashing The Stack For Fun And Profit for a much better explanation. Different architectures do grow the stack in different directions but that doesn't prevent the exploitation of overflows.
Heap based overflows are very similar but they occur in the data (bss) segment of a program. w00w00 on Heap Overflows has a pretty good explanation.
-
Re:BO2K is not a big deal
and within 24 hours of something like BO being released for Linux there would be a patch/detection/fix released
I saw this was released on January 26, 1998 and still no magical "fix" released. That is even worse than BO because it hides itself from detection. *BSD has a little more protection because when the system security level is raised, modules can't be loaded. Once someone has root/administrator on your system (NT, Linux, or any of the better systems :) ), it is time for a re-install. Or maybe you can believe that module really isn't a big threat because you didn't see it on CNN or slashdot.
Sending a secretary an electronic greeting card will get BO installed on most networks
Anyone who clicks on an attachment is vulnerable to this. Pine has an interesting feature where messages can download and execute code, without the user's permission! A patch was released several months ago and was at least applied to the redhat rpm so most people should be ok... for now. It isn't a buffer overflow either but rather stupid programming.
It is the, dumbass users as you call them, that make up the majority of the computer market
Exactly. And as linux becomes more popular, these users will make up a higher percentage of Linux users. What's going to prevent these users from running every single attachment that they do now? Oh, maybe because the Linux system is sooo secure, there will be a message that pops up and says this attachment may do bad things and it shouldn't be run unless they trust the sender...
BO2k can easily take over Win9x boxes. The only defense against it are virus checkers (the core logic won't change that much even with the source) or doing the best thing and telling users not to run attachments. NT however is in exactly the same boat as Linux. BO2k can't do a thing to the system unless it is running as administrator (or a user with admin rights) just like that linux kernel mod. can't do a thing unless it is loaded as root.
-
Re:So what's the solution?
On a side note, http://www.phrack.com/search.phtml?view&article=p52-6 has a patch for Linux 2.0.x which allows low port bindings to be given out by running setgid 16 rather than setuid 0. They do the same thing for raw sockets and SOCK_PACKET privilege.
-
Back Orifice for Linux...
Close, but even nastier:
http://www.phrack.com/search.phtml?view&article=p52-18. It modifies system calls to make itself invisible and pretty much undetectable. The #include lines are mangled from the html display. Look at the source if you want to give this a try. It works on 2.0.x but I don't have the guts to try it on a 2.2.x production system.
-
Re:Funny.
Even worse, anyone serious who exploits a hole will usually patch it to keep others out. At least one daemon will usually be modified to allow remote access. Tripwire is the sysadmin's best friend!
Take a look at this article from Phrack called Weakening the Linux Kernel. They have code for a loadable module which will hide itself along with starting several backdoors on the system. Go down about 1/2 way to see the full feature list. The #include files are hidden because of the html interpreter. You can see them by viewing the source or saving the file.
-
Re:UNIX easier to crack... Oh Please!
Take one look at rootshell.com. They have a wide assortment of exploits for IMAP, POP, ftpd, bind, lpd, nfs/portmap, and my personal favorite, samba. All of these give a remote root shell. There is no way to even count CGI's which are exploitable due to bad programming. BugTraq posted a remote root exploit for FakeBO several months ago.
And if you are one of those "31337 firewall" people, take a look at Project Loki and its actual source code. All traffic can be nicely hidden within ICMP or DNS query packets.
-
Get your Linux kernel trojan modules here!!!
The nice people at Phrack Magazine put this nice article in a while ago. This module (go down to "A practical example") does several things like hide itself from view with lsmod, hide specific files from a directory listing, hide a network sniffer, and drop in a couple back doors. It is designed for 2.0.x kernels but could be adapted to 2.2.x if it doesn't run there already.
My point for mentioning this is to show no matter how "secure" or how "open-source" your OS is, the weakest link is going to be that thing between the chair and the keyboard...
Note: this example is skript-kiddie proofed for obvious reasons.
-
BBses being busted
You can learn a lot from phrack magazine. In the first 20 numbers there's a special column just on BBS/Phreakers being busted. They also usually explain why and how they got busted by the FBI and Secret Service.
I love to log on to bbses. They might become an alternative for power users the day the net will only have newbies and irresponsible persons.