September 24th, 2009
Well, it has been a while since my last technical post … more than a year?!? Wow, time runs so fast.
So let’s go for a post about Linux kernel exploitation (yeah, I know, sounds cool). We will exploit a quite recent bug in kernel 2.6.31 (still unpatched at the time of writing) in the perf_counter_open syscall (CVE-2009-3234) to gain root privileges. As real hackers say, f34R.
But let’s start at the beginning: the bug.
perf_copy_attr and the dual fail
The perf_copy_attr function is meant to copy a data structure (of type perf_counter_attr) from user space to kernel space. Its definition is:
    static int perf_copy_attr(struct perf_counter_attr __user *uattr,
                              struct perf_counter_attr *attr)
Here uattr is a pointer to the (source) user-space structure, and attr is a pointer to the (destination) kernel-space structure.
Read the rest of this entry »
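The copy is where the trouble lives: perf_counter_attr is a size-versioned ABI struct, so the real function reads the size field that user space stored in it and uses that to decide how much to copy. As an added illustration (my own user-space model, not the kernel's code and not the post's exploit), here is that copy pattern in a vulnerable and a hardened shape. model_attr, model_frame, model_copy_from_user, read_size, run_copy, ATTR_SIZE_VER0, MODEL_PAGE_SIZE and CANARY are constructed stand-ins for the kernel's struct, stack frame, copy_from_user(), PERF_ATTR_SIZE_VER0 and PAGE_SIZE; the frame's canary (plus a slack region that keeps the model's overrun inside one C object) makes an overrun of the fixed-size attr visible.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_SIZE_VER0   64      /* model of PERF_ATTR_SIZE_VER0 */
#define MODEL_PAGE_SIZE  4096    /* model of PAGE_SIZE */
#define CANARY           0xdeadbeefcafef00dULL

/* Stand-in for struct perf_counter_attr: `size` says how big user space thinks it is. */
struct model_attr {
    uint32_t type;
    uint32_t size;
    uint64_t config;
    uint8_t  pad[ATTR_SIZE_VER0 - 16];
};

/* Stand-in for the kernel stack frame holding the attr: the canary detects an
 * overrun of attr, and slack keeps the model's overrun inside this object. */
struct model_frame {
    struct model_attr attr;
    uint64_t canary;
    uint8_t  slack[MODEL_PAGE_SIZE];
};

/* Model of copy_from_user(): ubuf[0..ulen) is the user mapping we may read. */
static int model_copy_from_user(void *dst, const uint8_t *ubuf, size_t ulen, size_t off, size_t n)
{
    if (off > ulen || n > ulen - off)
        return -EFAULT;
    memcpy(dst, ubuf + off, n);
    return 0;
}

/* Read and sanity-check the user-supplied size (shared by both copiers). */
static int read_size(const uint8_t *ubuf, size_t ulen, uint32_t *size)
{
    uint32_t s;
    int ret = model_copy_from_user(&s, ubuf, ulen, offsetof(struct model_attr, size), sizeof s);
    if (ret)
        return ret;
    if (s > MODEL_PAGE_SIZE)    /* silly large */
        return -E2BIG;
    if (s == 0)                 /* ABI compat: oldest layout */
        s = ATTR_SIZE_VER0;
    if (s < ATTR_SIZE_VER0)
        return -EINVAL;
    *size = s;
    return 0;
}

/* Vulnerable shape: the user's size becomes the copy length into a fixed-size struct. */
static int copy_attr_vulnerable(struct model_frame *f, const uint8_t *ubuf, size_t ulen)
{
    uint8_t *dst = (uint8_t *)f + offsetof(struct model_frame, attr);
    uint32_t size;
    int ret = read_size(ubuf, ulen, &size);
    if (ret)
        return ret;
    memset(dst, 0, sizeof f->attr);
    return model_copy_from_user(dst, ubuf, ulen, 0, size);  /* BUG: size may exceed sizeof attr */
}

/* Hardened shape: a bigger-than-known struct is accepted only if every byte past
 * what we know is zero, and the copy is clamped to the destination size. */
static int copy_attr_hardened(struct model_frame *f, const uint8_t *ubuf, size_t ulen)
{
    uint8_t *dst = (uint8_t *)f + offsetof(struct model_frame, attr);
    uint32_t size;
    int ret = read_size(ubuf, ulen, &size);
    if (ret)
        return ret;
    for (size_t off = sizeof f->attr; off < size; off++) {
        uint8_t b;
        if ((ret = model_copy_from_user(&b, ubuf, ulen, off, 1)) != 0)
            return ret;
        if (b)
            return -E2BIG;      /* user space set a field this kernel does not know */
    }
    if (size > sizeof f->attr)
        size = sizeof f->attr;  /* clamp to what the frame can hold */
    memset(dst, 0, sizeof f->attr);
    return model_copy_from_user(dst, ubuf, ulen, 0, size);
}

/* Constructed driver: user space claims `claimed` bytes of struct, optionally with a
 * non-zero byte at the very end; returns the copier's verdict and the canary state. */
struct outcome { int ret; int canary_intact; };

static struct outcome run_copy(int (*copier)(struct model_frame *, const uint8_t *, size_t),
                               uint32_t claimed, int dirty_tail)
{
    static uint8_t ubuf[MODEL_PAGE_SIZE];
    static struct model_frame f;
    memset(ubuf, 0, sizeof ubuf);
    ubuf[0] = 1;                                             /* type = 1 */
    memcpy(ubuf + offsetof(struct model_attr, size), &claimed, sizeof claimed);
    if (dirty_tail)
        ubuf[MODEL_PAGE_SIZE - 1] = 0x41;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    struct outcome o = { copier(&f, ubuf, sizeof ubuf), 0 };
    o.canary_intact = (f.canary == CANARY);
    return o;
}
```

run_copy(copy_attr_vulnerable, MODEL_PAGE_SIZE, 0) reports success but a clobbered canary: an all-zero tail passes every size check, and the copy then writes a full page over a 64-byte destination. run_copy(copy_attr_hardened, MODEL_PAGE_SIZE, 0) also reports success, with the canary intact, because the copy was clamped; set dirty_tail and it refuses with -E2BIG instead. The rule of thumb for any user-to-kernel copy with a caller-supplied length: the destination's size, not the caller's, bounds the copy.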
Posted in Cool Stuff, Exploits | 14 Comments »
August 29th, 2009
For those who were wondering, this blog is not dead, I have just had some changes in my life …
After traveling for a month in China, I moved to Copenhagen … and I am still unpacking all my stuff and wondering how I will be able to fit everything in our new apartment, located somewhere around here.
Also, I am half French, half Italian, and as neither of these two countries is known for its aptitude for learning new languages, it will certainly take me a little while to learn Danish (I have already started, but without much success) …
So here I am … I will be looking for a job in Copenhagen during the next few weeks, and trying to find a good security-related subject to blog about …
Perhaps another article on Metasploit, or something about Symbian phones’ security … I still don’t know …
Posted in My Life | 1 Comment »
May 19th, 2008
I recently got an Intel(r) Express 530T switch from eBay. It’s a “manageable” switch, which means that you can connect to it through a null modem cable, telnet or a web interface to modify its configuration (change MAC address filtering, create/delete VLANs, change port speeds and priorities, …).
But when I tried to connect to the switch, I discovered that it hadn’t been reset, and that the seller hadn’t given me the username and password needed to manage it.
Read the rest of this entry »
Posted in Cool Stuff | 27 Comments »
May 8th, 2008
Here is a little script that reports the status of one or more Nagios servers in the ion3 status bar:
statusd_nginfo.lua (Download)
Read the rest of this entry »
Posted in Hacks | No Comments »
April 2nd, 2008
I just discovered this very cool article about faking fingerprints: How to fake fingerprints?
I love CCC
Posted in Bookmarks | No Comments »
January 24th, 2008
This article is about writing an exploit using the Metasploit Framework for a very secure piece of software: bof-server.
Bof-server has been written especially to be exploited in this article, and as you have already guessed from its name, we will exploit a stack overflow bug. You can find bof-server here:
bof-server source code
bof-server binary for Windows
Before starting, I would like to say that I am not a Metasploit expert, so feel free to correct me if something is not done the right way.
Bof-server
First of all, let’s see how bof-server works. To start it on port 4242, use the command below:
Read the rest of this entry »
Posted in How To | 16 Comments »
January 16th, 2008
This is the first article of a (I hope) long series of articles about ‘The Basics: What everyone should know about’.
The calling convention defines the way a function or a piece of code should arrange data before calling a function, and what to do afterwards. It answers questions like “In which order should I pass the arguments?”, “Should I clean something up?”, “Where is the result?”, …
There are a lot of different calling conventions. Here are the three I see most of the time:
cdecl convention
The cdecl convention is the default one used when working with a C compiler like GCC or MSVC. To use the cdecl scheme for a function, you can use this syntax (GCC):
Read the rest of this entry »
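As an added example that is not part of the original post, here is a small C model of a 32-bit x86 stack that plays out a call f(a, b) returning a*10 + b under cdecl, stdcall and fastcall. struct cpu, push, pop, load, callee, call_f and esp_error_when_conventions_mismatch are my own constructed helpers, FAKE_RET_ADDR is a made-up return address, and nothing here is real machine code: the point is to make visible where the callee finds its arguments ([ebp+8] and [ebp+12] under cdecl and stdcall, ecx/edx under fastcall), that the return address sits at [ebp+4] right above the saved ebp, that the result comes back in eax, and who removes the arguments from the stack afterwards (the caller under cdecl, the callee's ret 8 under stdcall).

```c
#include <stdint.h>
#include <string.h>

/* Model of a 32-bit x86 stack: stack[] holds 4-byte words, esp/ebp are byte offsets
 * into it, and the stack grows toward lower offsets as on the real CPU. */
#define STACK_WORDS 32
#define FAKE_RET_ADDR 0x08048abcu   /* constructed return address pushed by 'call' */

enum conv { CDECL, STDCALL, FASTCALL };

struct cpu {
    uint32_t stack[STACK_WORDS];
    uint32_t esp, ebp, eax, ecx, edx;
};

static void push(struct cpu *c, uint32_t v) { c->esp -= 4; c->stack[c->esp / 4] = v; }
static uint32_t pop(struct cpu *c) { uint32_t v = c->stack[c->esp / 4]; c->esp += 4; return v; }
static uint32_t load(const struct cpu *c, uint32_t addr) { return c->stack[addr / 4]; }

/* What the callee observed about its own frame. */
struct callee_view {
    uint32_t ret_addr;  /* word at [ebp+4] after the prologue */
    uint32_t arg_a, arg_b;
};

/* The callee: int f(int a, int b) { return a * 10 + b; } compiled under each convention. */
static struct callee_view callee(struct cpu *c, enum conv cc)
{
    struct callee_view v;
    push(c, c->ebp);                        /* prologue: push ebp */
    c->ebp = c->esp;                        /*           mov ebp, esp */
    v.ret_addr = load(c, c->ebp + 4);       /* saved ebp at [ebp], return address at [ebp+4] */
    if (cc == FASTCALL) {                   /* first two args travel in ecx/edx */
        v.arg_a = c->ecx;
        v.arg_b = c->edx;
    } else {                                /* cdecl, stdcall: args sit above the return address */
        v.arg_a = load(c, c->ebp + 8);
        v.arg_b = load(c, c->ebp + 12);
    }
    c->eax = v.arg_a * 10 + v.arg_b;        /* the result is returned in eax */
    c->esp = c->ebp;                        /* epilogue: leave */
    c->ebp = pop(c);
    (void)pop(c);                           /* ret: pops the return address into eip */
    if (cc == STDCALL)
        c->esp += 8;                        /* ret 8: a stdcall callee removes its two args */
    return v;
}

struct call_result {
    uint32_t eax;           /* value the caller gets back */
    int esp_balanced;       /* 1 if esp is back where it was before the call */
    struct callee_view seen;
};

/* The caller side of f(a, b) under a given convention. */
static struct call_result call_f(enum conv cc, uint32_t a, uint32_t b)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.esp = c.ebp = STACK_WORDS * 4;
    uint32_t esp_before = c.esp;

    if (cc == FASTCALL) {
        c.ecx = a;                          /* mov ecx, a */
        c.edx = b;                          /* mov edx, b */
    } else {
        push(&c, b);                        /* push b   ; arguments go right to left */
        push(&c, a);                        /* push a */
    }
    push(&c, FAKE_RET_ADDR);                /* call f: pushes the return address, then jumps */
    struct callee_view seen = callee(&c, cc);
    if (cc == CDECL)
        c.esp += 8;                         /* add esp, 8 ; cdecl: the caller cleans up */

    struct call_result r = { c.eax, c.esp == esp_before, seen };
    return r;
}

/* Classic mistake: calling a stdcall function as if it were cdecl. Returns how many
 * bytes esp ends up off by (the callee's ret 8 and the caller's add esp, 8 both ran). */
static int esp_error_when_conventions_mismatch(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.esp = c.ebp = STACK_WORDS * 4;
    push(&c, 2); push(&c, 4); push(&c, FAKE_RET_ADDR);
    (void)callee(&c, STDCALL);
    c.esp += 8;
    return (int)c.esp - STACK_WORDS * 4;
}
```

call_f(CDECL, 4, 2), call_f(STDCALL, 4, 2) and call_f(FASTCALL, 4, 2) all return 42 in eax with esp balanced, and in every case the callee sees the return address at [ebp+4]: that fixed position of the return address relative to the frame is exactly what a stack overflow exploit like the bof-server one overwrites. The mismatch helper shows the other thing to remember: if the caller and callee disagree on who cleans up, esp drifts by 8 bytes per call and the caller's own frame is corrupt from then on.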
Posted in The Basics | 6 Comments »
July 28th, 2007
Posted in Uncategorized | No Comments »