1. Step 1 – Write your C program
Pico created our c program – called firstprog.c.
2. Compile the C program using GCC.
gcc firstprog.c
ls -l a.out
./a.out
Step 3 – Objdump to display first 20 lines
objdump -D a.out | grep -A20 main.:
Grep is set to display 20 lines after the regular expression main.:
Each byte is denoted by 2 hexadecimal digits.
Assembly has 2 versions or syntax, AT&T or Intel. Often the Intel format is easier to read.
Step 4 – Change Objdump to Intel Syntax.
objdump -M intel -D a.out | grep -A20 main.:
Nope… that’s not intel format is it. ummh, interesting. Okay, if we intend to use Intel syntax assembly language, we need to configure this syntax inside GDB.
Step 5 – Configure Intel Syntax Assembly inside GDB
gdb -q
(gdb) set dis intel
(gdb) quit
Now we double check intel has been set
echo “set dis intel” > ~/.gdbinit
cat ~/.gdbinit
Intel syntax reads as <destination> <source>
*****
Step 6 – Compile GCC with -g
The -g flag can be used by the GCC compiler to include extra debugging information, which will give GDB access to the source code.
gcc -g firstprog.c
ls -l a.out
gdb -q ./a.out
(gdb) list
(gdb) disassemble main
Woohoo!! Intel Syntax!!
*******
Step 7 – Locate the address of EIP
(gdb) break main
(gdb) run
(gdb) info register eip
EIP = Ox80484666 -
Did you know that a short hand version of this command reads as:
i r eip
Step 8 – Using GDB X for examine command
GDB provides many ways to examine memory using the x command, short for examine of course. The debugger allows us to directly reference the EIP register (as $eip). x = examine and 2nd x = display in hexadecimal.
$eip = the EIP register
x/2x $eip
x/8x $eip
The number assigned before $eip denotes the multiple memory addresses that can be examined.
****
ps if you’re struggling without a UK keyboard… use this command to get a UK keyboard
loadkeys uk
Reference:
Erickson, J. (2008). Hacking: The Art of Exploitation, 2nd edn. San Francisco: No Starch Press.
******
How to compile a C program into assembly code.
http://uwnthesis.wordpress.com/2014/02/28/red-hat-how-to-compile-a-c-program-into-assembly-code/
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.
The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.
“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”
GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian’s advisory is here.
Distant relative of “goto fail”
As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve errors with several “goto cleanup” calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package can probably be caught by cryptographic code-signing of the downloaded program (thanks to readers for pointing out this secondary level of protection). Version 3 of lib-curl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on.
Matt Green, a Johns Hopkins University professor specializing in cryptography, characterized the vulnerability this way: “It looks pretty terrible.”
Kenneth White, a principal security engineer of Social & Scientific Systems, agreed, saying the vulnerability “has a lot of side effects.”
This article will be updated if important additional details become available.
Watch this scam – isn’t it the greatest? Wow, social engineering, combined with phishing, combined with just about everything.
http://arstechnica.com/security/2014/03/watch-out-for-this-netflix-tech-support-scam/
*****
Jerome Segura has been tracking tech support scams for a year, documenting the ploys he’s encountered. But even this one found him unprepared.
“Combining a phishing scam with a fake tech support call center is something that I’d never seen before,” the Malwarebytes senior security researcher told Wired.co.uk. A video of the find shows Segura trying to enter a fake Netflix login on the streaming service’s homepage, only to be presented with a notice telling him the account has been suspended, and telling him to call a fake tech support number.
He dutifully called up and was asked to download “Netflix Support Software”—really the remote control software TeamViewer, which allowed the scammer access to his system. Once he had hopped on, the hacker told Segura he’d been hacked. In fact, the scammer said he’d been hacked nine times, with one coming from Serbia, four from Russia, three from China, and one from Italy. It’s all part of a tactic to instill fear and get the user to comply, explains Segura. Like when the helpful voice on the other end of the phone showed him a scan of apparent hacker activity—which was really just custom-made Windows batch script.
“By running their own tool, which looks authentic, the crooks can detect ‘problems’ that do not exist,” says Segura. “Finally, showing those scan results adds to the fear factor, as well as creating a sense of urgency to fix the issue.”
As well as scraping plenty of personal information from Segura’s system, including a file named “banking 2013,” the scammers continued by attempting to secure a payment of $389.97 (with a generous $50 Netflix discount) for Microsoft support to fix the problem. (He was repeatedly told that the problem happened because his security software is not up to scratch).
Then comes a little “fixing” after the call is passed on to a technician. This time, it’s designed to induce the victim’s comfort—”I can also see that these hackers were trying to access some of your personal information like documents and pictures. Do you have any pictures?” asked the helpful hacker, before proceeding to recover them for him.
Perhaps the most bizarre and unusual part, the “Microsoft technician” asked Segura to hold up a photo ID with his credit card information, because they are doing the transaction over the Internet and Microsoft wants to make sure he’s the cardholder.
Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.
The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.
So far, the attacks have hijacked more than 300,000 servers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.
Yet another recently discovered campaign targeting online bank customers in Poland worked in part by modifying home routers’ DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service. The malicious sites would then steal the victims’ login credentials. The router “pharming” attack reported by Team Cymru appears to be part of a distinct campaign given its much larger size, geographic diversity, and the fact that so far there are no indications that DNS lookups for banking sites are affected.
“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability,” Monday’s report stated. “The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”
Have I been hacked?
The telltale sign a router has been compromised is DNS settings that have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response. The researchers also privately contacted representatives of all manufactures of routers being successfully hacked in this latest campaign.
Monday’s report is the latest to underscore the growing real-world attacks that target weaknesses in routers, modems, and other devices running embedded software. Once the domain of computers running Microsoft operating systems, these hacks in some cases exploit software bugs in the underlying code. In other cases, they seize on the use of default passwords or other errors made by the people using the targeted devices.
“As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce,” the Team Cymru researchers wrote. “Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers.”
Team Cymru
https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf
Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw – Ars Technica
Check if your IP has been hacked
NSA Surveillance starts with your router
http://uwnthesis.wordpress.com/2013/09/18/nsa-surveillance-starts-with-your-router/
There is a correlation between C code and Assembly code, that shows what exactly is happening on the machine. Assembly code is seriously enjoyable to read.
Step 1 – Create the C code. (Pico/Gedit/Nano).
Create a program called main.c
Step 2 – Compile into an executable.
gcc main.c -o userid
./userid
Step 3 – Compile into Assembly code
gcc -S main.c -o userassembly
cat userassembly | more
more…
****
nm to obtain Memory locations (nod to Xerocrypt)
nm userid | more
Objdump -D userid (nod to Xerocrypt)
Love those opcodes 
objdump -S userid | more
To display the Symbol table
objdump -t ./userid | more
Objdump Options – Happy reading
*****
How to use objdump – Intel Syntax – The Visual Guide
http://uwnthesis.wordpress.com/2014/03/06/how-to-use-objdump-using-gcc-and-c-the-visual-guide/
The free command displays both free and used memory.
Free
Free -m
Free can display free memory in megabytes (easier to read)
Free -s 15
Poll free memory in Seconds (impress your mates)
You can combine both
Free -m -s 15 (or)
Free -s 15 -m
******Second tool
vmstat
vmstat 10 3
vmstat [delay count]
example: vmstat 10 3
- delay is the delay between updates in seconds
- count is the number of updates
http://epic.org/privacy/tools.html
An updated privacy tools list, as we’re been a bit lazy on privacy tool updates. Ixquick is the mother ship of http://www.startpage.com search engine and the encrypted http://www.startmail.com. Ixquick/startpage are our EU certified winners of European privacy.
Browser Addons
Search Engines
Disk Encryption
Mobile Privacy Tools
Misc – the list goes on and on
Privacy Tactic
- Start with one tool a week – and substitute a privacy tool for a data collecting tool eg Stop using Google search and use Startpage.com or Duckduckgo.com. NEVER use Google!! EVER.
- Then in week 2, install HTTPS Everywhere, or install the Ghostery browser addon.
- These simple changes, will block door after door of those who collect your data and resell it to governments, medical insurers or the taxman.
- Soon, privacy will become second nature. You’ll have all the tools installed, and then you can venture onto to high powered VPN’s using OpenVPN or running TAILS from a CD for extra security. By Easter, you’ll be a privacy tools guru. It’s such fun and much easier than you’d think.
http://rt.com/usa/apple-nsa-ios-exploit-693/
Was the National Security Agency exploiting two just-discovered security flaws to hack into the iPhones and Apple computers of certain targets? Some skeptics are saying there is cause to be concerned about recent coincidences regarding the NSA and Apple.
Within hours of one another over the weekend, Apple acknowledged that it had discovered critical vulnerabilities in both its iOS and OSX operating systems that, if exploited correctly, would put thought-to-be-secure communications into the hands of skilled hackers.
“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” the company announced.
Apple has since taken steps to supposedly patch up the flaw that affected mobile devices running its iOS operating system, such as iPhones, but has yet to unveil any fix for the OSX used by desktop and laptop computers. As experts investigated the issue through the weekend, though, many couldn’t help but consider the likelihood — no matter how modicum — that the United States’ secretive spy agency exploited those security flaws to conduct surveillance on targets.
On Saturday, Apple enthusiast and blogger John Gruber noted on his personal website that information contained within internal NSA documents leaked by former intelligence contractor Edward Snowden last year coincide closely with the release of the affected mobile operating system, iOS 6.
According to a NSA slideshow leaked by Mr. Snowden last June, the US government has since 2007 relied on a program named PRISM that enables the agency to collect data “directly from the servers” of Microsoft, Yahoo, Google, Facebook and others. The most recent addition to that list, however, was Apple, which the NSA said it was only able to exploit using PRISM since October 2012.
The affected operating system — iOS 6.0 — was released days earlier on September 24, 2012.
If you’ve installed Redhat then you’ll probably be struggling with a UK keyboard in command line mode.
Step 1 – Configure a UK keyboard via the command line
loadkeys uk
Now you’ll have a UK keyboard on Redhat in text mode.
If you want X or GUI mode, then try out:
