Buffer Overflows pt. 1

Posted on 7th May 2011 in Tutorials

From a book I’m reading called Hacking: The Art of Exploitation, I recently learned what a buffer overflow is, and how it can be used to make a program do something totally separate from what it was designed to do (such as run code that spawns, for example, a shell prompt with root privileges). A buffer overflow is the result of a character buffer in C being filled with more bytes of data than were allotted to it. C does no bounds checking on array writes, so nothing stops the programmer from accidentally (or purposefully) overflowing a character buffer, which means that if you put ten bytes (characters) into an 8-byte buffer, the extra bytes land in whatever variables sit next to the buffer in memory. Example:

Let’s say you declare two 8-byte buffers, one after another, at the top of your main function, like this:

char buffer_one[8], buffer_two[8];

What is this line of code actually doing? It reserves 16 bytes of stack space for two buffers, which end up right next to each other in memory. buffer_two might be located at 0xbffff29c, and buffer_one might be located at 0xbffff2a4. The stack grows toward lower addresses, and in this compilation the variable declared second was placed below the one declared first. Note that C doesn’t guarantee the order in which a compiler lays out local variables, so the addresses you see, and which buffer sits below which, may differ from these. The two example addresses are exactly 8 bytes apart (0xa4 - 0x9c = 8), which is the size of buffer_two: it occupies 0xbffff29c through 0xbffff2a3, and buffer_one, also 8 bytes long, occupies 0xbffff2a4 through 0xbffff2ab. This is fine if nothing longer than 8 bytes ever gets copied to these buffers, but in the event that it does, it will cause a buffer overflow.

Say that we used strcpy() to copy a command-line argument into the space allocated for buffer_two like this:

strcpy(buffer_two, argv[1]);

We could run the example with different values for buffer_two just by adding them at the command line. Something like

./a.out AAAAAAAAAAAAAAAAAAAAAA

where the long string of A’s is what gets copied into buffer_two. strcpy() copies until it reaches the source string’s terminating NUL byte and never looks at the size of the destination, so nothing stops it at the eighth byte. Remember that since the second character buffer is located at a memory address lower than that of the first one, every byte beyond the eighth spills into the next memory addresses up, which happen to belong to buffer_one. If, after copying the argument to the buffer, you were to print the contents of each buffer with

printf("buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);

you’d see that both buffers contain part of the argument string. With the 22 A’s above, strcpy() writes 23 bytes (22 A’s plus the terminating NUL) starting at buffer_two: the first 8 fill buffer_two, the next 8 overwrite all of buffer_one, and the remaining 7 (6 A’s and the NUL) land in whatever sits above buffer_one on the stack. Because %s prints until it hits a NUL, buffer_two prints all 22 A’s and buffer_one prints the last 14 of them. We only ever assigned the argument to the second buffer, yet part of it appears when we print the first buffer, and some of it has gone past both. This is the basic idea of a buffer overflow.

Check back for more in the next few days. I’m going to explain some more, including how to use a buffer overflow to divert the control flow of a program to different sections of the existing code. Thanks for reading!

How to Hack a Mac OS X Password

Posted on 30th April 2011 in Tutorials

I may have mentioned some time ago that I learned how to change Mac passwords without knowing the current password. Whether or not I did, I do know how to do it, and I do feel like sharing today. To be clear, this is a brief tutorial on how to change the password for one Mac user account on a computer to which you have physical access, in order to gain administrative privileges. This method doesn’t create a new user, it only changes the password of an existing one. It does, however, leave that user’s login keychain encrypted under the old password, so the keychain will no longer unlock automatically at login and the user will be prompted for its (old) password until they reset or update it. I understand that this knowledge could pretty easily be used maliciously – have some self control, seriously. Knowing how to do it should be enough, you don’t need to break your school’s grading system or anything like that.

So before we start, you should know that there is a slight bit of prerequisite knowledge required. You should be comfortable with the command line interface, and knowing UNIX well is a big plus. I would just hate for you to try and follow this tutorial and then realize too late that you’re in over your head and accidentally breaking things. So, if you need it, here’s a good tutorial on command line basics. Do it, and then do another, and then come back and break into your own Mac.

If the above paragraph doesn’t apply to you, let’s get started. In English, the general process for changing the password is to gain root access to the system, find the user account to change the password for, change the password, and reboot. If you were trying to do this remotely, the hardest part would be gaining root access, but as we have physical access to the computer, it’s completely trivial.

To get root access, boot into single-user mode by holding down Command+S (or Apple+S, if you prefer) as you start the computer. That is, from the shut-down state, turn on the computer while holding down Command+S. The normal boot sequence won’t happen – instead you’ll be dropped to a UNIX prompt as the root user.

As a preliminary note, the $ preceding commands represents the shell prompt.

———————————————-

It’s generally a good idea to take this opportunity to check the hard disk for errors before mounting it. I like to do it for the peace of mind. The command to check the disk is

$ /sbin/fsck -fy

With -f, fsck checks the volume even if it’s marked clean, and -y answers yes to every repair prompt, so this repairs the disk rather than just verifying it (the equivalent of Disk Utility’s “Repair Disk”). It takes a little while, and it may look like it’s frozen, but it’s really not. It just takes a while. Once it’s done, remount the root filesystem read-write with

$ /sbin/mount -uw /

The slash on the end is the mount point of the filesystem, meaning the root directory; -u changes the options of an already mounted filesystem and -w makes it writable, which matters because single-user mode mounts the root volume read-only. Now that the filesystem is writable, start the Apple directory services daemon that the dscl tool talks to with

$ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

(That is the plist name on Leopard and Snow Leopard; on Lion and later the daemon is opendirectoryd, loaded from /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist.) Now you can use the dscl command to perform some simple operations on the computer’s list of users. First off, you want to see the names of all of the accounts on the system. You can get a listing easily using the following command.

$ dscl . list /Users

You’ll see a listing of all of the machine’s accounts, most of which start with an underscore. Those are service accounts required for the proper operation of the system, and you never see them when logging in, so you can ignore them. The ones you’re interested in will be near the bottom of the list, without underscores. Generally, if you’re on a personal computer, you’ll be able to deduce which account has administrative rights, because it will be the one named after the person who owns the computer. If this isn’t the case, though, and you see a bunch of users with similar or ambiguous names, there’s an easy way to find out if a user has admin rights. Just enter

$ groups theusernamehere | grep -w admin

Replace “theusernamehere” with the name of the user you want to check admin rights for. The -w makes grep match only a group named exactly admin, not one that merely contains the word (such as _lpadmin). If the command prints anything, the user is an admin; you’ll see the word “admin” among the groups in the output. If it prints nothing, they’re not an admin. Alternately, you can delete everything in the command after the user name and scan each user’s output for the word “admin” yourself. Use a bit of trial and error to find out who the administrator of the computer is. Once you’ve done that, changing their password is trivial. The command is

$ passwd theusernamehere

Replace “theusernamehere” with the exact username of the account you want to change. You’ll be asked to type and retype the new password for the user. Don’t be surprised that nothing appears when you type the password, that’s normal. Just reboot using

$ reboot

and log in as the user whose password you just changed. Congratulations, the system is now at your mercy.
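The whole procedure above, collected into one script as an added example (this is not from the original post). It assumes it is run from the single-user prompt on Leopard or Snow Leopard with the target user name as its argument; on any other system it only defines its helper functions and exits without touching anything. The admin check uses a whole-word match so that a group that merely contains the word admin (such as _lpadmin) does not count, and it also reads the admin group’s membership directly, which saves the trial and error. The script name reset-admin.sh and the list of built-in accounts it hides are assumptions.

```shell
#!/bin/sh
# reset-admin.sh USERNAME
# Added example (not the original post's code): the single-user-mode
# password reset as one script. Run from the single-user prompt.

# Whole-word test for "admin" in a groups(1) output line, so that a group
# whose name merely contains the substring (e.g. _lpadmin) is not counted.
is_admin_groups() {
    # $1: the space-separated group list as printed by `groups USER`
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Filter a `dscl . list /Users` listing (on stdin) down to human accounts:
# drop the service accounts, which start with an underscore, plus the
# built-in root/daemon/nobody entries (assumed list).
human_users() {
    grep -v '^_' | grep -v -x -e daemon -e nobody -e root
}

main() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: $0 USERNAME" >&2
        exit 2
    fi
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found: run this from Mac OS X single-user mode" >&2
        exit 1
    fi

    /sbin/fsck -fy                      # repair before writing to the disk
    /sbin/mount -uw /                   # remount root read-write
    launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

    echo "Local accounts:"
    dscl . list /Users | human_users
    echo "Members of the admin group:"
    dscl . read /Groups/admin GroupMembership

    if is_admin_groups "$(groups "$user")"; then
        echo "$user is an administrator"
    else
        echo "$user is not an administrator (continuing anyway)" >&2
    fi

    passwd "$user"                      # prompts twice for the new password
    echo "Done. Reboot with: reboot"
}

# Only run the procedure when given an argument, so the helpers can be
# sourced and used on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: boot with Command+S held down, then run ./reset-admin.sh emmett (replacing emmett with the account you found) and reboot afterwards.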

———————————————-

As an alternative to this method, it’s possible to redo the setup that ran once when the computer was first started and create a new admin account that way. To do that, after you’ve mounted the filesystem, use

$ rm /var/db/.AppleSetupDone

to delete the file that indicates the completion of the initial setup. Then, when you reboot, you’ll go through the account creation process as if it was the first time you ever started the computer.

So there you go, be responsible with how you use this information. Try the process out though, it’s an incredible feeling the first time you break into a computer, even if it’s your own. And if you’d rather nobody did this to your machine, set a firmware password: with one in place the Mac won’t boot into single-user mode, or from any other volume, without it.

PHP Howto: scrape an RSS feed

Posted on 29th March 2011 in Tutorials

Since I’m building my own homepage, I recently learned how to scrape an RSS feed in order to dynamically create content for a website. The idea is that I would have separate feeds from my twitter, tumblr, and this blog all in one place. The tumblr and twitter feeds are offered by those companies in the form of API calls, so using those two is very straightforward in both cases. When self-hosting a wordpress blog, though, as I do, there is no readymade option for a feed that one can just call and have ready to go. So I had to make my own.

An RSS feed is essentially just an XML markup document that browsers interpret and show you in some type of feed form. What I wanted to do with this document (which wordpress produces for me) is essentially the same as what the browser does with it when you click an RSS link – it parses the tags in the XML document and applies predefined visual styles to make the information accessible to humans.

PHP can perform this process quite simply via the simplexml_load_file function, which fetches the document (here over HTTP) and parses it into a tree of SimpleXMLElement objects you can walk with XPath.


$feedUrl = 'http://emmettbutler.com/threestegosaurusmoon/?feed=rss2';
$ret = array();

// fetch and parse the feed; simplexml_load_file() returns false on failure
if ($xml = simplexml_load_file($feedUrl)) {
    // each <item> under /rss/channel is one post
    $items = $xml->xpath("/rss/channel/item");

    $i = 0;
    foreach ($items as $element) {
        if ($i >= 3) {          // keep only the three newest posts
            break;
        }
        // copy the tags we care about into plain strings
        $ret[$i]['title']     = (string)$element->title;
        $ret[$i]['timestamp'] = (string)$element->pubDate;
        $ret[$i]['summary']   = (string)$element->description;
        $ret[$i]['link']      = (string)$element->link;   // the permalink, rather than the guid
        $i++;
    }
}

After the initial call, this code examines each item of the divided document and assigns the contents of certain tags to elements of the $ret array. For example, there is a line in each item of the feed that is denoted by the pubDate tag, which contains the date that a certain post was published. The line $ret[$i]['timestamp'] = (string)$element->pubDate; finds those tags and assigns their contents to the $ret array. Once this loop is complete, you’ll have an array full of all the pertinent data for your feed. You can loop through the array and print each element between the appropriate tags, style with a bit of CSS, and you have yourself a homemade and very professional-looking RSS feed widget on your website. Two cautions when you do that: treat the feed as untrusted input, so pass title, timestamp and link through htmlspecialchars() before echoing them and either do the same to the description or run it through an HTML sanitiser (WordPress puts HTML in that field, and otherwise anything in the feed lands in your page verbatim); and on PHP versions before 8.0 call libxml_disable_entity_loader(true) before parsing, so a hostile feed can’t pull in external entities.


How to Turn off 3D dock in Mac OS X Leopard/Snow Leopard

Posted on 14th February 2011 in Tutorials

A little tip I found a while back that I very much enjoy: the default Mac OS X Leopard dock looks like glass and reflects the desktop and application icons. I wanted to turn that off (have it reflect nothing), and it turns out that this is how one does that:

In Terminal, to turn the glass dock off, type
defaults write com.apple.dock no-glass -boolean YES; killall Dock

and to turn it back on, type
defaults write com.apple.dock no-glass -boolean NO; killall Dock

You’re welcome!


MacBook Pro Backlit Keyboard in Ubuntu Maverick

Posted on 4th January 2011 in Tutorials

I was browsing around a little while ago and it occurred to me that the keyboard backlight on my MacBook Pro 5,4 wasn’t working under Ubuntu 10.10 Maverick Meerkat. I found a few resources online to help with the problem, and it ended up teaching me a lot. I wrote a script that changes the numeric string stored in /sys/class/leds/smc::kbd_backlight/brightness, then set the script to be run every time the keylight increment/decrement buttons on the keyboard are pressed. Here are the steps I took, in case you want to try this for yourself.

I worked up a shell script that, depending on the string passed from the command line, either increments, decrements, sets to zero, or sets to 100% the value of the backlight brightness.

Go ahead and use the code, or write your own, I don’t care. You can either copy and paste from here into a file called keylight in /usr/bin, or download the file here.

Once you have /usr/bin/keylight on your system, run sudo chmod +x /usr/bin/keylight to make the script executable. You’ll know that you forgot this step if you get a “command not found” error when you try to run it with sudo.

To test the script, run sudo keylight full. The keyboard backlight should come on. To turn it off, run sudo keylight off. I use an alias to avoid the necessity of sudoing every time – that is, I added the line alias keylight='sudo keylight' to the /home/emmett/.bashrc file. Still, a password is required when running the script. Since we want this to be controlled with the keyboard, we have to override that somehow. This can be accomplished by adding the following lines to /etc/sudoers (run the command sudo visudo to edit this file).

Cmnd_Alias KEY = /usr/bin/keylight
%admin ALL = (ALL) NOPASSWD: KEY

(it’s hard to see, but there is an underscore between Cmnd and Alias – that is, Cmnd_Alias)

These lines tell sudo that members of the admin group may run the keylight command as root without entering a password. Because of that, make sure /usr/bin/keylight is owned by root and writable only by root: if anyone in the admin group can edit the script, editing it is a passwordless route to a root shell. It’s also worth making sure the script rejects anything other than the four keywords it expects, since its argument is now handed to a command running as root. With that accomplished, all that’s left is to create new keyboard shortcuts for the script. In System->Preferences->Keyboard Shortcuts, click “Add”. Fill the “Name” field with something like “Keylight up”, and enter sudo keylight up into the “Command” field. (Don’t forget the sudo!) Click OK, and change the hotkey for the command to the F6 key (XF86KbdBrightnessUp). Repeat the process for keylight down, keylight full, and keylight off. I use the F5 key for down, and add Ctrl for full and off.
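The author’s script isn’t reproduced on the page, so here is a reconstruction written for this article as an added example, not the original keylight script. It implements the up/down/full/off interface described above against the sysfs path from the post, reads the LED’s max_brightness file to clamp the value, and refuses any other argument, which matters because the sudoers rule lets it run as root without a password. The step size of 25, the max_brightness file name and the KEYLIGHT_* environment overrides are assumptions.

```shell
#!/bin/sh
# keylight up|down|full|off
# Added example: a reconstruction of the keylight script described above,
# not the author's own script. Adjusts the MacBook keyboard backlight via
# the applesmc LED class device in sysfs.

LED_DIR="${KEYLIGHT_LED_DIR:-/sys/class/leds/smc::kbd_backlight}"  # assumed path
STEP=${KEYLIGHT_STEP:-25}                                          # assumed step

# Clamp a requested level into [0, max] and print the result.
clamp() {
    level=$1; max=$2
    if [ "$level" -lt 0 ]; then level=0; fi
    if [ "$level" -gt "$max" ]; then level=$max; fi
    echo "$level"
}

# Print the new level given the current level, the maximum and a keyword.
# Anything outside the fixed vocabulary is rejected with status 2: this
# script runs as root through a NOPASSWD sudoers rule, so the argument
# must never be interpreted as anything but one of these four words.
next_level() {
    cur=$1; max=$2; action=$3
    case "$action" in
        up)   clamp $((cur + STEP)) "$max" ;;
        down) clamp $((cur - STEP)) "$max" ;;
        full) echo "$max" ;;
        off)  echo 0 ;;
        *)    echo "usage: keylight up|down|full|off" >&2; return 2 ;;
    esac
}

main() {
    cur=$(cat "$LED_DIR/brightness") || exit 1
    max=$(cat "$LED_DIR/max_brightness") || exit 1   # assumed file name
    new=$(next_level "$cur" "$max" "$1") || exit $?
    echo "$new" > "$LED_DIR/brightness"
}

# Only touch the hardware when given an argument, so the helpers above can
# be sourced and tested on a machine without this LED.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Install it as /usr/bin/keylight owned by root with mode 755, as the post describes; the sudoers rule above then lets admin users bind sudo keylight up and the rest to the backlight keys.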

Follow this process, and the backlight on your keyboard should work like it does under Mac OS X. At least, it does for me. Feel free to comment with feedback, comments, or additions you make to my code. Thanks for reading!

How to hack a Wii

Posted on 7th November 2010 in Tutorials

Since I’m home for the weekend, I spent about two hours yesterday hacking my family’s Wii to allow it to play media/games from a USB flash drive. I found some instructions on how to do this on a site called wiihacks.com, which has a bunch of forums for people who write and use homebrew Wii software. It was sort of hard to find the actual steps to go through, since the site is a bit convoluted, so I’ll reproduce the steps here in case you care to try this out for yourself.

I ran into a lot of warnings that doing certain steps in the wrong order could break the system and make it unusable, but managed to avoid doing this during my hacking process. These steps work for Wiis running version 4.3 of the software, and no others, according to wiihacks.com. You also need a specific game for it – so if you own a copy of Super Smash Bros Brawl, you’re in luck. A few other games work too, but I’ll just share my experience using SSBB.

DISCLAIMER: Not following these steps exactly, or trying to follow these steps on a Wii running a version other than 4.3 can easily result in your Wii being unusable. Please read these instructions before you begin, and make sure to follow them as closely as possible. Help can be found at wiihacks.com.

Things you’ll need:

  • 1 or 2 GB SD card
  • Internet connection
  • Wii running 4.3 with at least 300 free memory blocks
  • Super Smash Bros. Brawl

Part 1 – Obtaining Homebrew Channel and BootMii

  1. Format SD card as FAT32
  2. Download this file and extract contents to root of SD card
  3. Turn off WiiConnect24 in the Wii System Menu
  4. With SD card removed from Wii, launch Super Smash Bros Brawl
  5. Go to the Stage Builder, delete all custom stages, and exit the stage builder
  6. Exit all the way to the main SSBB menu
  7. Insert SD card, return to Stage Builder
  8. HackMii installer will load
  9. Read the warning and wait for the “press 1” message to appear – press 1
  10. Install the HomeBrew Channel
  11. Install BootMii as boot2
  12. Prepare the SD card
  13. Create a backup:
  14. Load HBC, press ‘home’, launch BootMii
  15. Make a backup (press Power, Power, Power, Reset, Reset)

Part 2

  1. Download this file – password is www.wiihacks.com
  2. Extract to root of SD card
  3. Using the computer, run md5summer.exe
  4. Click “Verify Sums”, then ModPack-AnyWii.md5
  5. This should complete without errors
  6. Insert SD card to powered-off Wii
  7. Start HBC, press home, launch bootMii
  8. Multi-Mod Manager should start
  9. Select WAD manager, press A
  10. Press 1 to “install all WADS”, press A
  11. When installation is complete, press A
  12. Return to the main MMM menu by pressing B twice

Part 3 – Protection from future destruction of your Wii

  1. At the MMM main menu, select App Manager, press A
  2. Select Priiloader, press A
  3. Read warning, press +/A to install
  4. It will probably glitch or freeze when it’s done – don’t worry, it worked
  5. Remove SD card and reboot Wii while holding reset
  6. Priiloader will load
  7. Select System Menu Hacks, insert SD card, press A
  8. Enable “Block Disk Updates” and “Block Online Updates”, save changes
  9. Reboot Wii without SD card

Final Steps – Obtaining Software

  1. Download this file and extract to root of SD card
  2. Opening Homebrew Channel with this card inserted will give you access to a few nice apps, including a browser that allows you to download new ones to the card.
  3. I recommend MPlayerCE for playing media from a USB flash drive
  4. It’s now safe to turn on WiiConnect24 again

So those are the steps that I went through to hack my Wii. Note that it is incredibly easy to break your Wii after doing this if you install any system updates. The automatic updates should be disabled by Priiloader, so as long as you don’t install any manually you should be ok. Happy hacking!

And here’s an introduction to the Whitest Kids U Know - a very funny comedy group who put a lot of stuff up on the internet.
