on 2009-11-22 by hth

Python benchmarking

Here is a simple Python script I wrote and used today to benchmark some Python functions. It demonstrates how powerful and easy to use Python decorators are. Nothing really new here, but I thought it could be cool to share. Prepare for more: the benchmark was just a step in the development of a new tool, to be released here soon!

#!/usr/bin/python

"""
simple python benchmark
"""

import time

def timing(func):
    """Decorator: run func, print its wall-clock time and pass its result through."""
    def wrapper(*args):
        start = time.time()
        res = func(*args)        # keep the result so the decorated function still returns it
        stop = time.time()
        print('%s took %0.3f ms' % (func.__name__, (stop - start) * 1000.0))
        return res
    return wrapper


#
# --- FUNCTIONS TO BENCHMARK ---
#

@timing
def range_based():
    # membership test against a range() rebuilt on every iteration
    # (in Python 2 that is a fresh 65536-element list each time)
    for i in range(10000):
        n = 156
        if n in range(65535+1):
            continue

@timing
def comparison_based():
    # the same bound check done with two plain comparisons
    for i in range(10000):
        n = 156
        if n > 0 and n < 65536:
            continue


if __name__ == '__main__':
    print('Benchmarking range_based()...')
    range_based()
    print('Benchmarking comparison_based()...')
    comparison_based()


on 2009-09-27 by hth

FreeBSD kernel hardened

Recently, the FreeBSD operating system has suffered a few kernel NULL-pointer dereference vulnerabilities. It is one of the least vulnerable systems in its category. The other ones have disabled the possibility of mapping the lowest memory (0x0000 to 0xffff) to downgrade NULL-pointer dereferences from code execution (with kernel privileges) to simple denials of service.
Yes, I know that this exploit bypasses the protection under Linux, but this is due to a default policy in SELinux that weakened(!!) the system.
Well, for two weeks now, the FreeBSD developers have been thinking about changing the VM_MIN_ADDRESS constant to 0xffff. This should appear in the next commits to HEAD, and then in the CURRENT branch according to Robert Watson (FreeBSD security officer & releng teams).
The feature should be provided to the -STABLE and -SECURITY branches if it appears that this doesn't break things too much.
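
To see what this hardening changes from userland, here is an added example (my code, not from the post or from FreeBSD): it asks the kernel for a fixed mapping of the page at address 0 and reports whether the request is refused, which is what the NULL-dereference mitigation amounts to. The knobs named in the comments, vm.mmap_min_addr on Linux and security.bsd.map_at_zero on FreeBSD, are those systems' real sysctls and are not mentioned in the post; running as root or with CAP_SYS_RAWIO can change the outcome.

```c
/* Added example, not from the post: does the kernel let a process map the
 * lowest page?  That is exactly the ability the mitigation above removes.
 * The sysctl names in comments are Linux/FreeBSD facts, not from the post. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum low_map_status { LOW_MAP_BLOCKED = 0, LOW_MAP_ALLOWED = 1 };

/* Request one anonymous page at exactly `addr`; release it again if the
 * kernel grants it.  On refusal, errno is copied to *err. */
enum low_map_status probe_fixed_mapping(unsigned long addr, int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;            /* Linux: EPERM below vm.mmap_min_addr      */
        return LOW_MAP_BLOCKED;  /* FreeBSD: refused while map_at_zero is 0 */
    }
    *err = 0;
    munmap(p, page);             /* never leave the zero page mapped */
    return LOW_MAP_ALLOWED;
}

/* Control case: the same request with no fixed address always succeeds,
 * which shows the refusal above is about the address, not about mmap. */
enum low_map_status probe_anywhere(int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { *err = errno; return LOW_MAP_BLOCKED; }
    *err = 0;
    munmap(p, page);
    return LOW_MAP_ALLOWED;
}

int main(void)
{
    int err;
    if (probe_fixed_mapping(0, &err) == LOW_MAP_ALLOWED)
        puts("page 0 mappable: a kernel NULL dereference can reach user data");
    else
        printf("page 0 refused (%s): a NULL dereference is only a crash\n", strerror(err));
    return 0;
}
```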

Then phrack #67 or uninformed #11 will be released and...

on 2009-06-26 by kbok

Michael Jackson is dead!

And this has nothing to do with it, but I have made a small Java application that aims to be a terminal emulator. Currently it is able to embed a Rhino console, and the shell is on the way with a native class.

You can find the source code & binaries & the Linux pty junk here.

on 2009-03-23 by hth

Stateless fast TCP port scanner

I have wanted to write a stateless port scanner for a while now. I needed something simple and as fast as possible. Stateless port scanners fit the specification exactly, but the existing ones (the most famous being unicornscan and scanrand) suffered several problems on my boxen. A few days later (today), I'm proud to release my new baby: RoadRunnerScan.

(for the uncultured: road runner)

If stateless scanners are so fast, it's because of the choice their c0derz made to trade reliability off for speed. So probes (TCP SYN) are sent as fast as possible, and replies are sniffed. The scanner doesn't know whether some probes have been lost or were discarded by a firewall. The use of such scanners isn't recommended in poor network conditions. But if you're in a hurry, they're what you need!

Here are the results of a quick benchmark:

Conditions                          RRScan    nmap -T5
[1 hop] 100 ports                   <1 sec    0:00:04
[1 hop] 65536 ports                 0:02:34   0:15:02
[scanme.insecure.org] 100 ports     <1 sec    0:00:20
[scanme.insecure.org] 65536 ports   0:02:33   0:47:12

Please note that:

The code uses BPF filters and other BSD-specific raw networking code. Unlike under Linux, you can't receive TCP packets on a raw socket under FreeBSD. You have to send your probes using a usual SOCK_RAW socket and sniff Ethernet frames on /dev/bpf. RRScan has only been tested on FreeBSD but should work on other BSDs if they provide the same /dev/bpf system. It should not be a pain to port it to GNU/Linux: you just have to discard the BPF-related parts and call recv on your injection socket instead of reading /dev/bpf.
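
As an added example (my code, not RRScan's and not part of the post), here is the defender's side of the same pattern: a small detector that flags a source which sent bare SYNs to many distinct ports inside a short window, run over constructed sample events rather than a real capture. The addresses, timings and the threshold are assumptions chosen for the sample.

```c
/* Added example, not part of RRScan or the post: the defender's side of a
 * stateless scan.  A scanner firing SYNs as fast as it can leaves one source
 * hitting many distinct ports in a tiny window; the events are constructed. */
#include <string.h>

struct syn_event { double ts; const char *src; unsigned short dport; };

/* Constructed sample: 10.0.0.5 sweeps ports 1..50 within 200 ms
 * (scanner-like); 10.0.0.9 retries port 80 three times over a second
 * (an ordinary client).  Returns how many events were written. */
int build_sample(struct syn_event *out, int cap)
{
    int n = 0;
    for (int p = 1; p <= 50 && n < cap; p++, n++)
        out[n] = (struct syn_event){ 0.004 * p, "10.0.0.5", (unsigned short)p };
    const double retry[3] = { 0.05, 0.50, 0.90 };
    for (int i = 0; i < 3 && n < cap; i++, n++)
        out[n] = (struct syn_event){ retry[i], "10.0.0.9", 80 };
    return n;
}

/* Distinct destination ports probed by `src` during the last `window`
 * seconds of the trace (measured back from the newest event). */
int distinct_ports_in_window(const struct syn_event *ev, int n,
                             const char *src, double window)
{
    unsigned char seen[65536 / 8] = { 0 };   /* one bit per TCP port */
    double latest = 0;
    int count = 0;
    for (int i = 0; i < n; i++)
        if (ev[i].ts > latest) latest = ev[i].ts;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0 || ev[i].ts < latest - window)
            continue;
        unsigned char bit = (unsigned char)(1u << (ev[i].dport % 8));
        if (seen[ev[i].dport / 8] & bit) continue;   /* port already counted */
        seen[ev[i].dport / 8] |= bit;
        count++;
    }
    return count;
}

/* Flag a source once it touched `threshold` distinct ports in the window;
 * repeated SYNs to a single port (a client retrying) never trip this. */
int is_syn_sweep(const struct syn_event *ev, int n, const char *src,
                 double window, int threshold)
{
    return distinct_ports_in_window(ev, n, src, window) >= threshold;
}
```

With the sample above, is_syn_sweep() fires for 10.0.0.5 (50 ports in 200 ms) and stays quiet for 10.0.0.9, whose three SYNs all go to port 80.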

More information on :

[rrscan.c]

Hmm old skewl...

on 2009-03-12 by hth

TCP/IP drinking game

Our (French) government is currently legislating against open bars and youth alcohol consumption, but we don't give a damn about it, we're pirates, hey!

So, to satisfy the "junkie" part of yourself, here is a drinking game. And what about the "unix" side of your soul? Satisfied too, 'cause this drinking game is *THE* TCP/IP drinking game. Still don't know "What is the typical MTU for an RFC 1149 transmission" or "Who wrote the original traceroute program"? Then prepare to drink whatever looks liquid around you.

Q&A are available at http://valerieaurora.org/tcpip.html

Next week we'll recite FreeBSD's netinet/ip_fw2.c source code.

on 2009-02-11 by kbok

Playing around with linux assembly

Yesterday, as often happens, my internet connection didn't work, so I had nothing else to do but some assembly. There are several ways of programming in assembly under Linux, but the funniest is probably to drop all libraries and use the Linux 0x80 interrupt directly.

If you have the Linux programmer's manpages and the Linux headers, then you have all the information required to start writing a program.

You will find a list of syscalls in the header file <asm/unistd_#your_processor_word_size#.h> (for x86; I don't know for the others). It lists the available syscalls along with their syscall numbers, which you will need to make the syscall.

For information about a syscall, you just have to read the section 2 manpages. They document all (most?) of them.

The way syscalls are used in assembly is the same as in the C language. Let's take the famous write() call; the manpage says:

ssize_t write(int fd, const void *buf, size_t count);

So you will just have to pass the values fd, buf and count in 3 registers.

These arguments are passed through the ebx, ecx, edx, esi and edi registers. eax will contain the syscall number you've picked up from unistd_foo.h. So for write, the call looks like this:

movl $4, %eax                         /* write() syscall number */
movl $1, %ebx                         /* int fd = stdout(1) */
movl $place_where_the_string_is, %ecx /* void* buf: the address of the string, hence the $ */
movl $length_of_the_string, %edx      /* size_t count */
int $0x80                             /* trap into the kernel */

Obviously, as write() needs only 3 arguments, we will not use esi and edi. We always just use as many registers as needed.

The return value or errno is returned in eax. In case of an error, the value is between -4095 and 0 and is the errno code. Otherwise, the value is the return value. Of course, in case of an error there is no return value ;) so this won't be any problem.

Then, let's write a small hello world program:

.text
.global _start

_start:
 /* This has already been seen: write(1, hello, 14) */
 movl $4, %eax
 movl $1, %ebx
 movl $hello, %ecx      /* address of the string, hence the $ */
 movl $14, %edx
 int $0x80

/* I don't care about errors: if there is
an error with this I won't be able to do anything! */

 movl $1, %eax /* exit */
 movl $0, %ebx /* success */
 int $0x80

.section .rodata
hello:
 .ascii "Hello world !\n"

By the way, the data you hand to the syscalls must be in the .rodata section, not in .data (it segfaults).
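
As an added example (my code, not the post's), the same convention driven from C: raw_write() issues int $0x80 with the register assignment described above on 32-bit x86 Linux (on any other platform libc's syscall() wrapper stands in and its -1/errno result is converted back to the raw form), and decode_syscall_ret() applies the -4095..-1 rule that turns eax into either a return value or an errno. NR_WRITE_I386 is simply the number 4 from the post.

```c
/* Added example, not from the post: the int $0x80 convention driven from C.
 * On 32-bit x86 Linux the inline asm is the post's write() sequence; on any
 * other platform the libc syscall() wrapper stands in and its -1/errno
 * result is turned back into the raw -errno the kernel leaves in eax. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NR_WRITE_I386 4   /* __NR_write from <asm/unistd_32.h> */
/* Raw write(2): returns what the kernel put in eax, i.e. the byte count,
 * or -errno (a value in -4095..-1) when the call failed. */
long raw_write(int fd, const void *buf, unsigned long count)
{
#if defined(__i386__) && defined(__linux__)
    long ret;
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(NR_WRITE_I386), "b"(fd), "c"(buf), "d"(count)
                      : "memory");
    return ret;
#else
    long ret = syscall(SYS_write, fd, buf, count);   /* portable stand-in */
    return ret < 0 ? -errno : ret;
#endif
}

/* What libc does after every syscall: an eax in -4095..-1 is an error and
 * its negation is errno; anything else is the real return value. */
long decode_syscall_ret(long eax, int *err)
{
    if (eax < 0 && eax >= -4095) {
        *err = (int)-eax;
        return -1;
    }
    *err = 0;
    return eax;
}

int main(void)
{
    int err;
    raw_write(1, "Hello world !\n", 14);                        /* as in the post */
    long r = decode_syscall_ret(raw_write(-1, "x", 1), &err);  /* bad fd: EBADF */
    printf("write(-1) -> %ld, errno %d (%s)\n", r, err, strerror(err));
    return 0;
}
```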

Then, happy assembly!

on 2009-02-01 by hth

Hdos 0.2 Released!

All of you guys who are interested in how robust your computers are have tried at least one Denial of Service (DoS) tool against them. The most common ones are SYN or ICMP flooders, old skewl hackers play with ping of death or the like, but how many use TCP resource exhaustion attacks?

Such attacks are described here by Fyodor: http://insecure.org/stf/tcp-dos-attack-explained.html

I started coding Hdos after reading this article (and I was not the only one: http://complemento.sourceforge.net). Here is the help screen. You'll have to set your firewall to block outgoing TCP RST packets. The source code is provided and commented enough; you won't need anything else.

root@Bizdee:~/# hdos
 
[+] Starting session at Sun Feb  1 00:29:50 2009
 
Incorrect target specification
 
hdos [options] <target> <port>
Supported options:
        -S <IP or hostname>    Use the given machine as the attack source address (may require -e).
        -e <devicename>        Use the given device to send the packets through.
        -w <msecs>             Wait given number of milliseconds between sending fresh probes
        -W <size>              The TCP window size to be used.
        -F <filename>          Send the file's content in opened connections (must fit in one packet).
        -I <portnum>           Initial port to use
        -l <portnum>           The lowest source port number hdos should loop through.
        -h <portnum>           The highest source port number used in loop
        -t <timeout>           The lowest allowed receive timeout (in ms)
 
Quitting!

The quickest crash I saw using hdos 0.2 was that of my Asus eeepc; it took about 5 seconds!
Efficient stuff, have fun, learn and be responsible.

on 2009-01-19 by hth

Need some RFCs?

Some time ago I wrote some lines of bash with Kbok to create a small RFC viewer; this was aimed at providing RFCs to coders the same way they have man pages. Well, the stuff was dirty and not really efficient.

But today, a kind of genuine genius idea came to my mind, and I started looking for more or less the same tool in my system's ports (real ones use BSD). Rude people will say it should have been the first thing to do, and that's absolutely true (but less fun).

And guess what? I found this: /usr/ports/misc/rfc

Before using it you need to build the index (rfc -i). If you face connectivity problems, the index is available at http://www.rfc-editor.org/rfc.html

Download the complete RFC index and copy it to /usr/local/etc/rfc-index.

Then you'll be able to type cool-ass things like

rfc -o 2324 | more

or look for information in RFCs, like port numbers or any regexp you want. RTFM and enjoy!

on 2009-01-12 by kbok

Free SVN Hosting at csie.org

This morning I was looking for free SVN hosting. The problem is that if you want to host something at Google Code or SourceForge, you're forced into releasing it under a free and open source license. This is a problem since I do not want to do this. I mean, I don't make shareware, but I want to keep control of my projects at least until they are ready for mainstream use.

But SVN hosting is very expensive: most providers start at $5 a month (which is crazy; it's about five times this hosting's price). So I found the grail: opensvn.csie.org gives free SVN hosting to whoever wants it. It's fast, without limitations, and totally free. You also get a Trac installed to manage your project.

By the way, my school project, wings, is hosted there. You can check out how this works by viewing the source or the wiki once there is something on it: http://opensvn.csie.org/traccgi/wings/

Do not hesitate to open a ticket if you have some comment to make ;)

on 2009-01-08 by hth

Nmap's companion tools

If you don't come from a deep and dark cavern lost in Redmond's hills, you know Nmap. But Nmap's companion tools are far less known. There are three of them.

These tools are efficient and portable to nearly everything. Others are expected soon... stay tuned!

on 2009-01-07 by kbok

Matlab crashes at startup

After installing Matlab r2008, it crashed with this error:

MATLAB: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.

Obviously this is an error with xcb. In fact it is an error with Xinerama on xcb, which is used by the AWT Java library. You just have to get rid of the Xinerama support.

This is a workaround, but it works:

sed -i 's/XINERAMA/FAKEEXTN/g' /usr/local/matlab/sys/java/jre/glnx86/jre/lib/i386/*/libmawt.so

Then you can launch Matlab without problems.

Source: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6532373