VMWare fun install

VMCI isn't enabled by default since VMware Workstation 6, but it happens that with my version 9 it is enabled.

With my kernel 3.8.0-29 the module compilation breaks at driver.c, an open-vm-tools file: a few syntax errors like missing data type declarations and so on.

I could simply disable VMCI or fix the problem properly, but this is my own computer at home, so I decided that wouldn't be fun enough.

VMCI should get the file from:

/usr/src/open-vm-tools-2012.12.26/vmci/linux/driver.c

But for some reason it messes things up and uses another file or regenerates some other shit.

The solution was to brute force it 🙂

https://gist.github.com/carloslack/6385712

cya!

PHP and mysqli_connect()

Here is a tip that may save a couple of hours: if you want to connect to a MySQL port other than the default 3306, do not use "localhost" as $host, because mysqli_connect() and the deprecated mysql_connect() will both ignore the port argument (with "localhost" the MySQL client library connects through the local Unix socket instead of TCP).

Use instead “127.0.0.1”.

Lame but useful.

NX-Protected pages

Hi!

Recently, while playing with ELF images inside the Linux kernel (> 2.6.35), I was surprised by a message in syslog after my module got killed:

kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)

Now I am wondering if it is possible to toggle off the NX (NX stands for Never eXecute) bit, just like we can do with the 16th bit of cr0 for read-only pages…

SQL Injection back in 2006

Many years ago a friend of mine came around with an idea, not new even back in those days, but fun anyway.

The idea was to automate SQL Injection attacks by using search engines to find vulnerable targets.

Integrated with a tiny Delphi malware (yes, Delphi 0_o), it became powerful.

This code lies in a special part of my heart (yes, I do have a heart), not because it was 31337 (it wasn't!) or extremely advanced, but only because it was fun to write.

I did not run the code in the wild, not even once, truly. I wrote it with the help of other people testing it at the same time I was writing it down, back in 2006 when the internet was a savage place with practically no rules. Nowadays things have changed a lot and everything you do is either illegal or shameful, so I do nothing like this anymore.

This code is outdated and no longer works, so it is not of much use, even less so because the Delphi malware is not included, but I would like to share Volatile myself because other people already did, so it is my right, right?

I believe I'll sleep well; apart from that, this software has been out there on the internet since 2006, and it was even used for teaching computer security in a few universities.

It has basically three steps to gain complete control over remote computers running ASP + Windows:

– Find possibly vulnerable targets using a web search engine, applying a specific SQL command and testing its return; if it was an error, then:

+ Perform a cmd_shell command pinging the origin IP; Volatile would then start an ICMP sniffer to see if ICMP packets arrived from the remote target, and if so:

– Execute a new cmd_shell command downloading and executing the malware from a different remote host. Such malware would take control over the box, then send a screenshot and start listening on a specific port (backdoor), waiting for connections.

– It would keep running through hundreds of possibly vulnerable machines, creating a list of compromised hosts.

Fun enough, but nowadays pretty illegal, and I do not recommend anyone do anything similar in the times we live in, so it is a fossil, only for posterity's (my own) appreciation.

Here is the code: https://gist.github.com/carloslack/9f6348606c4447b89830

Hidden pids

After a few years I found myself looking for some code I wrote after suspecting that my system was behaving weirdly while using the Chrome browser; I thought I could take a deeper look at the running PIDs to see if there was anything suspicious.

Some time ago, in ancient days, I was a fanatical Slackware user (I am not anymore), and the system/kernel/applications in those times didn't have the annoying approach of hiding some of their PIDs; that was a rootkit approach only. Times have changed since then.

When you perform a simple "ps -ax" on your Linux system nowadays, lots of running processes are hidden from userland tools like ps. Actually I don't know exactly why, but anyway the following code may help you locate those PIDs on your system.

https://gist.github.com/carloslack/5375805

Compile: gcc psearch.c

Then:

./a.out | while read line ; do echo -n "$line: " ; tr '\0' ' ' < /proc/$line/cmdline ; echo ; done 2>/dev/null

It is possible to list them because they are hidden only from sys_getdents* (if my memory is not failing), but once you know their numbers (PIDs) you can chdir() into them.
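The two-pass idea behind that last sentence, written out as an added C example (this is not the psearch.c from the gist and not the author's code; the function names are mine): pass 1 reads /proc with readdir(), which is what ps relies on and what a hook on getdents would filter; pass 2 brute-forces every candidate up to pid_max by resolving /proc/<n> directly with stat(), a path lookup that, like chdir(), never touches getdents. Any PID that resolves by path but is missing from the listing is printed, one per line, so the output can be piped straight into the cmdline loop above. Assumptions: Linux with /proc mounted, and /proc/sys/kernel/pid_max readable (otherwise 32768 is used).

```c
/* Added example: report PIDs that resolve under /proc by direct path lookup
 * but are absent from the /proc directory listing. Assumes Linux with /proc
 * mounted; function names are this example's own, not psearch.c's. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

#define PID_MAX_FALLBACK 32768L   /* used when /proc/sys/kernel/pid_max is unreadable */

/* 1 if name is all decimal digits (a /proc/<pid> entry), 0 for "self", ".", etc. */
int is_pid_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (; *name != '\0'; name++)
        if (!isdigit((unsigned char)*name))
            return 0;
    return 1;
}

/* Upper bound of the PID space on this host (pid_max), or the fallback. */
long read_pid_max(void)
{
    long v = PID_MAX_FALLBACK;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f != NULL) {
        if (fscanf(f, "%ld", &v) != 1 || v <= 0)
            v = PID_MAX_FALLBACK;
        fclose(f);
    }
    return v;
}

/* Pass 1: mark every PID that readdir() (getdents underneath) reports in /proc.
 * This is the view ps has. Returns the count, or -1 if /proc cannot be opened. */
long mark_listed_pids(unsigned char *listed, long pid_max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    long n = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        long pid = is_pid_name(e->d_name) ? strtol(e->d_name, NULL, 10) : 0;
        if (pid > 0 && pid <= pid_max) {
            listed[pid] = 1;
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Pass 2: brute force. stat("/proc/<n>") is a path lookup, not a directory
 * read, so an entry filtered out of getdents results still resolves here. */
long mark_probed_pids(unsigned char *probed, long pid_max)
{
    char path[64];
    struct stat st;
    long n = 0;
    for (long pid = 1; pid <= pid_max; pid++) {
        snprintf(path, sizeof path, "/proc/%ld", pid);
        if (stat(path, &st) == 0 && S_ISDIR(st.st_mode)) {
            probed[pid] = 1;
            n++;
        }
    }
    return n;
}

/* Pure comparison: PIDs present in probed but not in listed. Writes up to cap
 * of them into out and returns the total number found. */
long hidden_pids(const unsigned char *listed, const unsigned char *probed,
                 long pid_max, long *out, long cap)
{
    long found = 0;
    for (long pid = 1; pid <= pid_max; pid++) {
        if (probed[pid] && !listed[pid]) {
            if (found < cap)
                out[found] = pid;
            found++;
        }
    }
    return found;
}

int main(void)
{
    long pid_max = read_pid_max(), out[256], reachable, n;
    unsigned char *listed = calloc((size_t)pid_max + 1, 1);
    unsigned char *probed = calloc((size_t)pid_max + 1, 1);
    if (listed == NULL || probed == NULL || mark_listed_pids(listed, pid_max) < 0) {
        perror("psearch");
        return 1;
    }
    reachable = mark_probed_pids(probed, pid_max);
    n = hidden_pids(listed, probed, pid_max, out, 256);
    for (long i = 0; i < n && i < 256; i++)
        printf("%ld\n", out[i]);   /* one PID per line, pipe into the cmdline loop */
    fprintf(stderr, "%ld hidden out of %ld reachable PIDs (pid_max %ld)\n", n, reachable, pid_max);
    free(listed);
    free(probed);
    return 0;
}
```

Two caveats when reading the output. Processes that start or exit between the two passes show up as false positives, so re-run and keep only the PIDs that repeat. And this only catches hiding at the listing level: if /proc is mounted with hidepid=2, other users' /proc/<pid> directories fail the direct lookup as well, so they are invisible to both passes rather than reported as hidden.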