Thursday, March 26, 2009

Mozilla symbols + source in your WinDBG

After seeing the new Firefox 0-day which was announced today, I thought it would be fun to play with the PoC code.

Also, WinDBG has been becoming my debugger of choice lately, so I decided it would be nice to use that for debugging Firefox while I take a look at the exploit code.

In order to make debugging a little easier, I decided to poke around and see how I could go about getting debug symbols and source for Firefox and make it all work snazzily with WinDBG. Turns out Mozilla has these awesome pages for doing just this: symbols howto and source howto

It was actually astonishingly easy. Just typing these into your command window should be sufficient:

.sympath+ srv*c:\users\ryan\documents\symbols\firefox*http://symbols.mozilla.org/firefox
.srcpath+ srv*c:\users\ryan\documents\sources\firefox

and that's it!

Now all your symbols and sources for this WinDBG session will be downloaded to your symbols\firefox and sources\firefox folders respectively. Of course, you'll want to replace the c:\users\ryan\documents with whatever your location is, but that's about it.

Go to it and hack you some Firefox!

Tuesday, March 24, 2009

Diffing the output of two commands

Today, while doing some server maintenance, I needed to diff the output of two different commands. To be more specific, it was actually the same command, but with different sets of arguments. As an example, let's say I wanted to diff the contents of two folders, /tmp/folder1 and /tmp/folder2.

What I had done in the past was:

ls -l /tmp/folder1 > tmp.txt
ls -l /tmp/folder2 | diff tmp.txt -   # "-" makes diff read its second input from stdin
rm tmp.txt


Today I decided there had to be a better way to do that and set out to discover how. What I found was something that I had long forgotten about: named pipes. If you're not familiar with named pipes, check Wikipedia. For a refresher of how they work in Unix, here's an example:

mkfifo mypipe

then in two separate shells type:

ls -l > mypipe

and

cat < mypipe

Now, with a pipe already created, I can accomplish my task a little more quickly and efficiently:

ls -l /tmp/folder1 > mypipe &
ls -l /tmp/folder2 | diff mypipe -   # the writer above blocks until diff opens mypipe


However, after reading all the way through this great Linux Journal article I learned that the <(...) syntax works even better:

diff <(ls /tmp/folder1) <(ls /tmp/folder2)

This does exactly what I wanted to do without needing to create any temporary files or named pipes myself. What's happening here is process substitution: for each <(...), bash creates a temporary named pipe (or a /dev/fd entry on systems that have one), runs the command between the parens with its output connected to that pipe, and hands diff the pipe's path as the argument.
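As an added example (not from the original post), here are the post's two techniques, the hand-made named pipe and bash's <(...), used for a defender's one-off: diffing the checksums of a baseline tree against the live tree to list files that changed or appeared, without writing a temporary file. It assumes POSIX sh with GNU-style diff, cksum and find, and bash on the PATH for the process-substitution variant; the sample trees are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Diff the checksums of two
# directory trees with (1) a named pipe and (2) bash's <(...) syntax.
# Assumes POSIX sh plus bash for variant 2; the sample trees are constructed.

# Construct two small sample trees and print their root directory.
make_sample_trees() {
  root=$(mktemp -d)
  mkdir -p "$root/baseline" "$root/current"
  printf 'alpha\n' > "$root/baseline/a.txt"
  printf 'alpha\n' > "$root/current/a.txt"    # unchanged
  printf 'beta\n'  > "$root/baseline/b.txt"
  printf 'BETA\n'  > "$root/current/b.txt"    # content changed
  printf 'gamma\n' > "$root/current/c.txt"    # only in current
  echo "$root"
}

# Checksum every regular file under $1; sorted paths keep the diff stable.
tree_hashes() {
  (cd "$1" && find . -type f | sort | xargs cksum)
}

# Keep only the path from diff's "<"/">" lines (cksum prints "crc size ./path").
changed_paths() {
  sed -n 's/^[<>] [0-9]* [0-9]* //p' | sort -u
}

# Variant 1: the post's named pipe, fed by a background job (plain sh).
changed_files_fifo() {
  fifo=$(mktemp -u)
  mkfifo "$fifo"
  tree_hashes "$1" > "$fifo" &              # blocks until diff opens the pipe
  tree_hashes "$2" | diff "$fifo" - | changed_paths   # "-" is stdin
  wait
  rm -f "$fifo"
}

# Variant 2: the post's <(...) syntax; bash creates the pipes itself.
changed_files_procsub() {
  bash -c 'diff <(cd "$1" && find . -type f | sort | xargs cksum) \
                <(cd "$2" && find . -type f | sort | xargs cksum) \
           | sed -n "s/^[<>] [0-9]* [0-9]* //p" | sort -u' _ "$1" "$2"
}

root=$(make_sample_trees)
echo "via named pipe:";  changed_files_fifo    "$root/baseline" "$root/current"
echo "via <(...):";      changed_files_procsub "$root/baseline" "$root/current"
rm -rf "$root"
```

Both variants print ./b.txt and ./c.txt for the sample trees; cksum is used only because it is POSIX, so swap in sha256sum when integrity rather than a quick change list is the point.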

As you can see, temporary pipes make these quick one-offs much, much easier.

Take a look at that awesome article for a peek at more awesome stuff you can do with named pipes.

I'll have to admit that I've not used named pipes much (maybe only once or twice that I can remember), but after this, I'll definitely keep my eyes peeled for more excellent piping opportunities.

Enjoy!

Saturday, March 21, 2009

Visor is my new best friend

Okay, so maybe it isn't my new best friend, but this is the first time I've mentioned it.  I've been using Visor for quite some time now, and every time I use it I fall even more in love with the tool.

From the Visor page: "Visor provides a systemwide terminal window accessible via a hotkey, much like the consoles found in games such as Quake."

If you love the tool QuickSilver, and feel a little nervous when you don't have quick access to a command line (I get extremely nervous, personally), then this tool might just be for you.  It's easy to install, and once running, a quick press of CTRL+` brings down your console window:


Combine this with Screen and you'll practically never need a standard Terminal window again.  I used to have two or three Terminals open at all times; now I only ever open one if I really need a full screen console.  Being able to SSH into another machine and quickly change some settings was never easier now that my console is just a keystroke away! No more CMD-Tabbing, Exposé, or excessive mouse clicking.  It's quick and easy, and a must have for Mac users who are Terminal nuts.

Check it!

Thursday, March 19, 2009

Make VMWare stop syncing your guest clock with your host

Here's a little trick which I've just stumbled upon. If you're ever doing some sort of software or malware testing and you need your VM to stick to a time far in the past or in the future and persist this through suspend, resume, reboot, etc., add these properties to your .vmx file:

tools.syncTime = FALSE
time.synchronize.continue = FALSE
time.synchronize.restore = FALSE
time.synchronize.resume.disk = FALSE
time.synchronize.shrink = FALSE
time.synchronize.tools.startup = FALSE

This will pretty much prevent your VM from ever syncing its clock with your host. At first, I thought that disabling the clock sync option in VMWare Tools was enough, but it turned out not to work so well. Your clocks would stay out of sync while the VM was running, but the second you suspended and resumed it or rebooted it, the VM would sync. The above options will prevent that.

Also, you'll want to make sure that you disable any NTP or similar services within the guest OS so that it doesn't end up syncing with an internet time server.

I can't tell you how long I've been trying to figure this out. At some point I just gave up because I didn't think it possible.

Here's the great PDF which describes VMWare's timekeeping and where I found those options.

Cheers and happy VM-ing!

Thursday, March 5, 2009

Embedding DLLs and EXEs inside your Win32 PE

I'm re-writing some code from C# to Win32 C++ right now, and needed to access a PE which was embedded inside a .Net assembly. My first thought was to see if I could access the resource within the .Net assembly from my Win32 program. Unfortunately, it does not appear that .Net embedded resources are contained within your typical PE resource section, but are inside some .Net specific assembly resource location.

So, I figured, the embedded PE needed to be moved out of the .Net assembly and into the PE I am building with C++. So, I spent a few hours trying to figure out how to embed and access arbitrary binary data inside the PE resource section, and found this really great blog post.

After I found that, it was just a matter of minutes until I got it working with my Win32 program. Thanks, Akbar!

Tuesday, March 3, 2009

Botnet Turfwar - Zeus Crimeware Kit Vulnerability

Botnet turfwars are nothing new. People have been hijacking other people's botnets for several years, even back in the IRC botnet days. You could easily grab a chunk of a competitor's botnet if you were able to get access to their IRC channel and, after determining the command set of the bots, issue an update command pointing at your own bot.

But, with tools such as Zeus and Firepack, it may be even easier to grab a botnet and all of the stolen data which was obtained by the bots prior to you jacking another guy's bots.

Dancho Danchev, in his post about a Zeus Kit vulnerability, and another, citing an example of how an actual bot master lost much of his botnet, explains how some of these new kits might open up a flood gate of botnet jacking activities.

Just like how botnets take over thousands of machines which run outdated OSes and software, competing bot masters are taking over thousands of bots on potentially hundreds of nets which are running outdated command and control servers.

Although some people would wonder why an attacker would hack another attacker, it actually makes perfect sense. The malware business is exactly that, a business. Bot masters make real $$$ by spamming or stealing information with their bots. If you can jack another dude's 100k node botnet and double your own profits, why wouldn't you?

It will be interesting to see how this trend progresses. If a certain toolkit becomes more popular, but also is poorly coded, it could lead to some very amusing battles :)

Like Excite Truck? Then check out Excitebots!

Monster Games, the company who made Excite Truck, and which my bro has been working at for some time, has finally come public with news of the next game, called Excitebots:


This is huge for me, because he's been telling me about all the fun development stories and meetings with the folks from Nintendo Japan, but I've never been privy to any of the juicy details, not even the name, until recently. All I ever knew was, "It's going to be like Excite Truck, but better."

Just recently, Nintendo released their list of upcoming games. Once that happened, I finally heard word from my brother about what the game's name was. It was definitely cool to hear the name after many months of not knowing. Unfortunately, though, all it was then was a name, because there still weren't any screen shots or anything.

Today, however, I saw the article in Nintendo Power. Finally, some images! I think I can say that all the waiting was worth it. I liked Excite Truck, but it didn't have all that much replayability. Excitebots, though, has online play, so that should make it much more fun since you can play with your buddies online. I don't know what the online play is like, but I imagine it should be pretty cool.

Anyhow, if you like Excite Trucks, please go out and get Excitebots so my bro and his company can keep making cool games!

Check your GMail passwords

A new GMail CSRF vulnerability was announced today which allows attackers to determine and/or change a user's password.

Of course, this requires that you're logged in to GMail and that you visit a particular page which is hosting the CSRF vulnerability. This is often accomplished by sending you a link in an email, so that once you click the link, you're guaranteed to be logged in.

I think the main threats right now are that if you have an easy password, an attacker can determine what your password is pretty easily by running a few CSRF attacks against you. There is also the possibility of someone changing your password, but that requires that they already know your password or can get you to type it in for them on the malicious web page.

Bottom line, make sure you have a secure password, and as always, be wary of emails from strangers (especially HTML emails).