                             ==Phrack Inc.==

               Volume 0x0d, Issue 0x42, Phile #0x01 of 0x11

|=----------------------------------------------------------------------=|
|=-------------------------=[ Introduction ]=---------------------------=|
|=----------------------------------------------------------------------=|
|=------------------=[ By The Circle of Lost Hackers ]=-----------------=|
|=----------------------------------------------------------------------=|

Let's imagine a man, sitting on the Moon and looking down at this 75%-water, 25%-ground Planet. He doesn't know anything about us. Neither do we about him, but that's another story, maybe another Intro. He sees this Internet madness going on down there. He sits and watches.

"This is not different from your favourite bar", a guy behind our man says with a smile.

Down there a bunch of bartenders provide connections to everybody. They earn their living out of that, so every so often they just skimp on their service. There's water in my drink, sir, and there's a strange rate of packet loss on my P2P traffic.

There are a bunch of gangsters: they want to control the business, they want to know who does what and they try to shut down whoever is not okay with that. We have cleaned their faces, put them on TV and we keep on calling them politicians. Good luck with your laws, we'll find our way out, somehow.

There are beautiful girls, there are married couples, there are young guys, there are usual and occasional customers. Everybody is down there, everybody has his own chance to tell his story.

If you're getting to this bar for the first time, you might spot some guys that are just different. You can't say why, but there's something. It doesn't matter if they are married, young, old, musicians, workers, even bartenders, this is just the outside. There's another life behind that, and it's now so-damn-clear that they're just trying to keep a balance with it.

"You used to be one of them, didn't you?" our man-on-the-moon asks, looking at the guy.
But there's no need for an answer; he is just different. You can't say why, but there's something.

Somebody once told me that Heaven is on the Moon.

"What's your name again?"

"Cliph."

[ I don't know what you believe in, or even if you believe. In the end, it doesn't really matter. This is not a story about science or religion or humanity, this is a Good-Bye. To a friend.. ]


-----[ Phrack Issue #66

Welcome to Phrack, by the community, for the community.

It is with incredible pleasure that we present you our newly released issue: Phrack Magazine #66.

For this release, we are honoured to be interviewing the PaX Team, whose work has made significant evolutionary and revolutionary advances in security. This is a radical change from the Phrack Prophile in issue #65, which was about the UNIX terrorist. Some could easily detect in this shift a certain search for identity on the part of the Phrack staff. As if the identity of Phrack had to be refined at all. In the previous prophile we interviewed probably the most hated "black hat" hacker, and in the current prophile the most hated "white hat" hacker. Perceived as such. But the reality is more nuanced, and every hacker has this paradoxical identity where each side of the barrier suddenly becomes very familiar to the other. And this is where the great hacker shall remain. Phrack keeps its identity. A magazine for all hackers, by all hackers. The Hacker culture. To those who don't believe in the virtue of the Underground, I answer: kill the underground, you won't kill the Hacker culture.

We are mourning one of the best hackers of recent times today. His spirit and contributions will remain part of the Hacker culture. We dedicate this issue of Phrack to Cliph, who left us far too early this year. Cliph influenced every kernel exploit writer of the last five-plus years with his advances in exploiting the Linux kernel.
----------[ Phrack Issue #66 : what you were waiting for

We have the great pleasure to release today another excellent selection of the best hacking articles of this year. An issue full of new exploitation techniques and groundwork on writing attack software.

[-]=====================================================================[-]

  0x01  Introduction                                   TCLH
  0x02  Phrack Prophile on The PaX Team                TCLH
  0x03  Phrack World News                              TCLH
  0x04  Abusing the Objective C runtime                Nemo
  0x05  Backdooring Juniper Firewalls                  Graeme
  0x06  Exploiting DLmalloc frees in 2009              Huku
  0x07  Persistent BIOS infection                      .aLS & Alfredo
  0x08  Exploiting UMA : FreeBSD kernel heap exploits  Argp & Karl
  0x09  Exploiting TCP Persist Timer Infiniteness      Ithilgore
  0x0A  Malloc Des-Maleficarum                         Blackngel
  0x0B  A Real SMM Rootkit                             Core collapse
  0x0C  Alphanumeric RISC ARM Shellcode                Y.Younan & P.Philippaerts
  0x0D  Power cell buffer overflow                     BSDaemon
  0x0E  Binary Mangling with Radare                    Pancake
  0x0F  Linux Kernel Heap Tampering Detection          Larry H.
  0x10  Developing MacOSX Rootkits                     Wowie & Ghalen
  0x11  How close are they of hacking your brain ?     Dahut

[-]=====================================================================[-]

This issue has some evil number... with a lot of evil content. Phrack proves once more how we can, every year, push the state of the art beyond its known limits. Some of these exploitation articles are really innovative and we are proud to be able to release those contributions in our columns. Others bring their value to different architectures.

So, check out how to attack the Objective C runtime, the latest Linux heap allocator, the FreeBSD kernel heap management system. A special paper is Blackngel's, explaining and giving more insight and code on the groundbreaking work previously released as the Malloc Maleficarum technique(s). Blackngel reworked his article quite a lot since the first version he wrote, and we were impressed by the evolution.
This will certainly help the younger audience to persevere in the realm of heap overflow exploitation against the most recent, restrictive heap management implementations on Linux. We also have articles on alphanumeric ARM shellcode (long-standing work) and on exploiting the Power cell architecture. That's indeed a lot of exploitation.

Besides exploit writing, we propose to you a couple of rootkit papers. Graeme shares his experience on backdooring Juniper firewalls: check out the article for all the details. Our friends from Argentina finished their draft just before the release and we could integrate their very first article, about persistent BIOS infection. Other advances at the lowest level are also presented in the article by Core collapse, where he demonstrates how to make use of System Management Mode interrupts in a real SMM rootkit. For more intermediate hackers of the OS X world, a nice state-of-the-art article on OS X backdoors is given at the end of the issue, as an easy read. It's always good to have this kind of code ready to be used when you need it.

Finally, as always happens in Phrack, we have those articles that don't match the others. This is the case for our single reverse engineering article in this issue, presenting the RADARE framework. RADARE is a really interesting tool, and some of its features are better explained with a tutorial like this one. Check out the RADARE website for more complete documentation and to grab the latest code. Pancake and the RADARE team are always committing new stuff in there, the list of supported features is impressive, and the scripting language is really flexible and expressive for low-level operations on binary files.

Another special article is Ithilgore's, about exploiting a weakness in the TCP protocol. This is a great article, an innovative work of the kind we would like to see proposed for publication in Phrack more often.
We still don't entirely realize how far Phrack is breaking through by providing all those technical details about the most alternative techniques.

We were previously talking about PaX and evolutionary changes; we also have an article discussing kernel heap security, and how it can be made more resistant to attack. It has been rare to find mitigation articles in Phrack, but it is not the first time this has happened, nor will it be the last. Sometimes mitigation articles also contain useful information for the exploit writer. Sometimes offensive articles also contain useful information for defensive purposes.

Finish by reading the paper on hacking your brain, a refreshing cyberpunk-inspired work by Dahut. In the hope that your neural plugs were not wired in vain.

- The Phrack staff


--------[ Greets for issue #66

We'd like to thank (in no particular order):

- PaX team
- karl
- pancake
- Graeme
- Ithilgore
- Larry H.
- nemo
- blackngel
- Wowie
- Huku
- core collapse
- Ghalen
- .aLS
- Y.Younan
- Dahut
- Alfredo
- P.Philippaerts
- argp
- BSDaemon

for their contributions. Without them, this issue would not be as good as it is.

If you see something that you would like covered, but is not / has not been recently, do some research and send us an article. Have you come up with a better mousetrap? Share it with the world. Phrack lives via the contributions made by the community.

Hasta luego, Phrack para siempre. (See you later, Phrack forever.)

[-]=====================================================================[-]

Nothing may be reproduced in whole or in part without the prior written permission from the editors.

Phrack Magazine is made available to the public, as often as possible, free of charge.
|=-----------=[ C O N T A C T P H R A C K M A G A Z I N E ]=---------=|

Editors           : circle[at]phrack{dot}org
Submissions       : circle[at]phrack{dot}org
Commentary        : loopback[@]phrack{dot}org
Phrack World News : pwn[at]phrack{dot}org

|=-----------------------------------------------------------------------=|

Submissions may be encrypted with the following PGP key:
(Hint: Always use the PGP key from the latest issue)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.10 (GNU/Linux)

mQGiBEovYLgRBAD0+0JIMKclm1uY6gJMCxwSt4yOudXAktNKGfbpCFIUn/P/gacR
teZUAp3T/0t2bpWLw5tKSfSKFk9i6LainHZqCXpB8NHhBXws6dH4uk06tf9LAFbQ
scabxp2+qgKHEP6r15pzSKVqXCTy/fXzTweYUkwz3If2QkikHXrMnAKdHwCgpMlL
FuK2e+z3tJdWPh7ORdt1/EUD/AnIshYeOvcUQ3VxOqD66M/E7hDoptYTrjYsUG67
3XF7jwXvghEnPg4dWv4B2obkMS7kRdDnsHdngqk683IhC6nHRDc59odwit+eor/J
Q86rqw5YhFwqbknL5bYgnNH6GxL6maqaXZ9bAJZdbNoZqdkFOVc6Qr2NqTzgNyLS
DeXcA/9fksLr7slsMk0ZXaRhJY3RlmKYbuQZDFBoO6yhLfX1YJxtT8vvJ75gYFiz
jNYfvmUvYr4TwMt5DLSIN1EQ3nC7qv+zEuV0BYPiHBIkldmxgOyQ67ysWlTTCTAa
RNQnxludOcp+maC+zOK4RYbWw5x+TlbxKiaOuMjhEm4DYs+MNLRHVENMSCAtIFRo
ZSBQaHJhY2sgU3RhZmYgKFBocmFjayBzdGFmZiAyMDA5IEdQRyBLZXkpIDxjaXJj
bGVAcGhyYWNrLm9yZz6IYAQTEQIAIAUCSi9guAIbAwYLCQgHAwIEFQIIAwQWAgMB
Ah4BAheAAAoJEJp0US5OshGiO/gAn0We2iWa2uzBnnA1IMDII/6YSK8DAJ9o+ozl
OmM7bkkRnx6Ga1iEUL2aqbkCDQRKL2C4EAgA6kEGtB0jw/HkU0jmDJug4IkUWMN/
8LdZNCUK5SvPNw+lTiv647OiSyhuCVnIED5ubJLovG49tYLIDmawiPDP1kQCCxBn
0yfpJHeDtPHO0w5St5F54PYCAClwyp8PHRUXEpN2oHMa8CvvzlG8OUR9ycdlMrM1
VzkJWNeoQ0axjTpg6Bmw+uLCwpOEZTGD8QiBrXqRo80qdy2s7tUybzFbhse9TFkE
0kJ7QQ6o1LcMm8Xhfs+kNZemFt5srY+kjbQxyCOk38atncvs4aEUCUhgDIeoJjSp
Xxbi5fNx2JT18It3TDYjxDnYGDAfMes+IRFW4Db92jQ9X/koKSwoJLoNdwADBQf/
RqYZda5tUyOYS7ZyEKnYYG7EF919NOAz1UMHpkVtdOA6e2Dc3pBFTWJ9jUgNVpMr
lMG5dAKjga61udVBTMyObnpYhXv0BpLM/GJ2QRZ8Ys16Lbyg+Kb7uQ09M1lTSf8r
3CEd2Ue+Ll67SIb86CrcOZD84VQDWvsfaRaL51P6jAsQEjMamGcU7dwm0AvuiA4I
49IxHYqUlnEd+jDPIws63LvHRj5gm78bmYwru6lxSNEFK91ImEd/FZrNMQL3wX63
C5vviEWjJDPAEyp9wnKQcrmNvlF6B0VT8UPM/WT78EDZXNqUplMd6h0ymYCZV7xG
OLJuVHoWLExmN8WpQMaSyYhJBBgRAgAJBQJKL2C4AhsMAAoJEJp0US5OshGi+QoA
n0/wQqewpYDny3kFv7QwiB74xTR5AKCbBdNdO5mCbS6Mrzb/LZaqFVUkWg==
=yFr3
-----END PGP PUBLIC KEY BLOCK-----

--------[ EOF
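Before encrypting a submission to a key copied out of a text file, it is worth checking that the armored block survived the copy intact and that it is self-consistent. What follows is an added example, not Phrack's own code: a stdlib-only Python checker that verifies the armor CRC-24, derives the v4 fingerprint and key ID from the key material itself (RFC 4880), and compares that key ID with the issuer named in the user-ID self-signature. It embeds the key block printed above; the function names are the example's own, and it deliberately parses only the packet fields this check needs (old-format packet headers, one-octet subpacket lengths).

```python
# Added example, not Phrack's own code: sanity-check an ASCII-armored OpenPGP
# public key (RFC 4880) before encrypting to it: armor CRC-24, v4 fingerprint
# derived from the key material, and the self-signature's issuer. Stdlib only.
import base64, hashlib

PHRACK_66_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.10 (GNU/Linux)

mQGiBEovYLgRBAD0+0JIMKclm1uY6gJMCxwSt4yOudXAktNKGfbpCFIUn/P/gacR
teZUAp3T/0t2bpWLw5tKSfSKFk9i6LainHZqCXpB8NHhBXws6dH4uk06tf9LAFbQ
scabxp2+qgKHEP6r15pzSKVqXCTy/fXzTweYUkwz3If2QkikHXrMnAKdHwCgpMlL
FuK2e+z3tJdWPh7ORdt1/EUD/AnIshYeOvcUQ3VxOqD66M/E7hDoptYTrjYsUG67
3XF7jwXvghEnPg4dWv4B2obkMS7kRdDnsHdngqk683IhC6nHRDc59odwit+eor/J
Q86rqw5YhFwqbknL5bYgnNH6GxL6maqaXZ9bAJZdbNoZqdkFOVc6Qr2NqTzgNyLS
DeXcA/9fksLr7slsMk0ZXaRhJY3RlmKYbuQZDFBoO6yhLfX1YJxtT8vvJ75gYFiz
jNYfvmUvYr4TwMt5DLSIN1EQ3nC7qv+zEuV0BYPiHBIkldmxgOyQ67ysWlTTCTAa
RNQnxludOcp+maC+zOK4RYbWw5x+TlbxKiaOuMjhEm4DYs+MNLRHVENMSCAtIFRo
ZSBQaHJhY2sgU3RhZmYgKFBocmFjayBzdGFmZiAyMDA5IEdQRyBLZXkpIDxjaXJj
bGVAcGhyYWNrLm9yZz6IYAQTEQIAIAUCSi9guAIbAwYLCQgHAwIEFQIIAwQWAgMB
Ah4BAheAAAoJEJp0US5OshGiO/gAn0We2iWa2uzBnnA1IMDII/6YSK8DAJ9o+ozl
OmM7bkkRnx6Ga1iEUL2aqbkCDQRKL2C4EAgA6kEGtB0jw/HkU0jmDJug4IkUWMN/
8LdZNCUK5SvPNw+lTiv647OiSyhuCVnIED5ubJLovG49tYLIDmawiPDP1kQCCxBn
0yfpJHeDtPHO0w5St5F54PYCAClwyp8PHRUXEpN2oHMa8CvvzlG8OUR9ycdlMrM1
VzkJWNeoQ0axjTpg6Bmw+uLCwpOEZTGD8QiBrXqRo80qdy2s7tUybzFbhse9TFkE
0kJ7QQ6o1LcMm8Xhfs+kNZemFt5srY+kjbQxyCOk38atncvs4aEUCUhgDIeoJjSp
Xxbi5fNx2JT18It3TDYjxDnYGDAfMes+IRFW4Db92jQ9X/koKSwoJLoNdwADBQf/
RqYZda5tUyOYS7ZyEKnYYG7EF919NOAz1UMHpkVtdOA6e2Dc3pBFTWJ9jUgNVpMr
lMG5dAKjga61udVBTMyObnpYhXv0BpLM/GJ2QRZ8Ys16Lbyg+Kb7uQ09M1lTSf8r
3CEd2Ue+Ll67SIb86CrcOZD84VQDWvsfaRaL51P6jAsQEjMamGcU7dwm0AvuiA4I
49IxHYqUlnEd+jDPIws63LvHRj5gm78bmYwru6lxSNEFK91ImEd/FZrNMQL3wX63
C5vviEWjJDPAEyp9wnKQcrmNvlF6B0VT8UPM/WT78EDZXNqUplMd6h0ymYCZV7xG
OLJuVHoWLExmN8WpQMaSyYhJBBgRAgAJBQJKL2C4AhsMAAoJEJp0US5OshGi+QoA
n0/wQqewpYDny3kFv7QwiB74xTR5AKCbBdNdO5mCbS6Mrzb/LZaqFVUkWg==
=yFr3
-----END PGP PUBLIC KEY BLOCK-----
"""  # the submission key exactly as printed in the contact block above

def crc24(data: bytes) -> int:
    # Armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB).
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(armored: str):
    # Drop BEGIN/END lines, "Name: value" headers and the blank line, decode the
    # base64 body; the trailing "=xxxx" line carries the CRC-24 of the data.
    lines = [l.strip() for l in armored.strip().splitlines()[1:-1]]
    body = [l for l in lines if l and ":" not in l]
    crc_line = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big") if crc_line else None
    return data, crc24(data) == expected

def iter_packets(data: bytes):
    # Old-format headers (the kind used in the key above): 10tttt ll, tag t,
    # length-of-length ll -> 1/2/4 octets for 0/1/2; ll = 3 is not handled.
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) != 0x80 or (ctb & 3) == 3:
            raise ValueError("unsupported packet header")
        n = 1 << (ctb & 3)
        pos, length = pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")
        yield (ctb >> 2) & 0x0F, data[pos:pos + length]
        pos += length

def key_info(body: bytes) -> dict:
    # v4 fingerprint: SHA-1 over 0x99, two-octet body length, body (RFC 4880
    # section 12.2); the key ID is its low 64 bits.
    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
    return {"version": body[0], "created": int.from_bytes(body[1:5], "big"),
            "algo": body[5], "fingerprint": fpr.hex().upper(),
            "key_id": fpr[-8:].hex().upper()}

def issuer_key_id(sig: bytes) -> str:
    # Issuer subpacket (type 16) in the hashed or unhashed area of a v4 signature.
    # Only one-octet subpacket lengths (< 192) are handled, enough for this check.
    hlen = int.from_bytes(sig[4:6], "big")
    ulen = int.from_bytes(sig[6 + hlen:8 + hlen], "big")
    for area in (sig[6:6 + hlen], sig[8 + hlen:8 + hlen + ulen]):
        pos = 0
        while pos < len(area):
            length = area[pos]                 # counts the type octet plus data
            if length >= 192:
                raise ValueError("multi-octet subpacket length not handled")
            if (area[pos + 1] & 0x7F) == 16:   # high bit is the "critical" flag
                return area[pos + 2:pos + 1 + length].hex().upper()
            pos += 1 + length
    raise ValueError("no issuer subpacket in signature")

def check_key(armored: str) -> dict:
    # The key ID derived from the key material must equal the issuer claimed by
    # the user-ID self-signature (the first signature packet in the block).
    data, crc_ok = dearmor(armored)
    packets = list(iter_packets(data))
    info = key_info(next(b for t, b in packets if t == 6))
    info["uid"] = next(b for t, b in packets if t == 13).decode()
    info["issuer"] = issuer_key_id(next(b for t, b in packets if t == 2))
    info.update(crc_ok=crc_ok, self_signed=info["issuer"] == info["key_id"])
    return info
```

check_key(PHRACK_66_KEY) returns the user ID, creation time (seconds since the epoch), algorithm number (17 is DSA in RFC 4880), fingerprint, key ID, the issuer recorded in the self-signature, and the two verdicts crc_ok and self_signed. A single corrupted character in the base64 body flips crc_ok to False and, if it lands in the key material, self_signed as well. Passing both checks only proves the block is internally consistent; it says nothing about who holds the private key, so compare the fingerprint against a copy obtained some other way, as the hint above about using the latest issue's key implies.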