Comments for Michael Coppola's Blog http://www.poppopret.org Talkin' 'bout bugs 'n stuff Sat, 16 Mar 2013 02:57:50 +0000 hourly 1 http://wordpress.org/?v=1.3.37 Comment on NETGEAR unsquashfs.c version 1.3 by digitaladdictions http://www.poppopret.org/?p=204#comment-8487 digitaladdictions Sat, 16 Mar 2013 02:57:50 +0000 http://www.poppopret.org/?p=204#comment-8487 I had to set a couple of the variables used in the Makefile before I could build. export LINUXDIR=~/bcm5356/src/linux/linux/ export SRCBASE=~/bcm5356/src/ Just wanted to note it here in case it helps others. This assumes the bcm5356 directory is in your home folder. I would imagine these variables normally would be set by the ./configure step which we do not have here. I had to set a couple of the variables used in the Makefile before I could build.

export LINUXDIR=~/bcm5356/src/linux/linux/
export SRCBASE=~/bcm5356/src/

Just wanted to note it here in case it helps others. This assumes the bcm5356 directory is in your home folder. I would imagine these variables normally would be set by the ./configure step which we do not have here.

]]> Comment on Anatomy of a SCADA Exploit: Part 2 – From EIP to Shell by Jewel http://www.poppopret.org/?p=141#comment-8000 Jewel Sat, 09 Mar 2013 06:47:04 +0000 http://www.poppopret.org/?p=141#comment-8000 I used to be suggested this website via my cousin. I'm not positive whether or not this post is written by way of him as nobody else realize such specified about my difficulty. You're amazing! Thanks! I used to be suggested this website via my cousin. I’m not positive whether or not this post is written by way of him as nobody else realize such specified about my difficulty. You’re amazing!
Thanks!

]]> Comment on Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM by [翻译]简易Linux模块检测Hook | 残风 http://www.poppopret.org/?p=251#comment-7697 [翻译]简易Linux模块检测Hook | 残风 Mon, 04 Mar 2013 06:40:20 +0000 http://www.poppopret.org/?p=251#comment-7697 [...]         这里有几种Hook的方法。在Michael Coppola最近的文章中,谈论了《Inline Kernel Function Hooking》。对于我来说,这篇文章是很经典的Hook系统调用。下图是一个很典型的Hook系统调用。 [...] [...]         这里有几种Hook的方法。在Michael Coppola最近的文章中,谈论了《Inline Kernel Function Hooking》。对于我来说,这篇文章是很经典的Hook系统调用。下图是一个很典型的Hook系统调用。 [...]

]]> Comment on NETGEAR unsquashfs.c version 1.3 by mncoppola http://www.poppopret.org/?p=204#comment-7340 mncoppola Tue, 26 Feb 2013 04:02:53 +0000 http://www.poppopret.org/?p=204#comment-7340 I'm not a regular in the DD-WRT community, so I'm not sure what challenges are stopping progress on the WNR1000v3. Though, someone else did ask the exact same question: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=65317&postdays=0&postorder=asc&start=30 I’m not a regular in the DD-WRT community, so I’m not sure what challenges are stopping progress on the WNR1000v3. Though, someone else did ask the exact same question:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=65317&postdays=0&postorder=asc&start=30

]]> Comment on NETGEAR unsquashfs.c version 1.3 by RkaneKnight http://www.poppopret.org/?p=204#comment-7331 RkaneKnight Tue, 26 Feb 2013 00:52:57 +0000 http://www.poppopret.org/?p=204#comment-7331 Does this help us with putting DD-WRT on the WNR1000v3? Does this help us with putting DD-WRT on the WNR1000v3?

]]> Comment on NETGEAR unsquashfs.c version 1.3 by mncoppola http://www.poppopret.org/?p=204#comment-6736 mncoppola Fri, 15 Feb 2013 03:10:50 +0000 http://www.poppopret.org/?p=204#comment-6736 Glad to hear it! Glad to hear it!

]]> Comment on Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM by mncoppola http://www.poppopret.org/?p=251#comment-6735 mncoppola Fri, 15 Feb 2013 03:10:03 +0000 http://www.poppopret.org/?p=251#comment-6735 I'll consider it, thanks. I’ll consider it, thanks.

]]> Comment on NETGEAR unsquashfs.c version 1.3 by Warker http://www.poppopret.org/?p=204#comment-6712 Warker Thu, 14 Feb 2013 18:26:00 +0000 http://www.poppopret.org/?p=204#comment-6712 Thanks sir, this article helped me a lot! I tried to unsquash a version 2.0 FS which I copied from a Siemens S1621-z220-A (Alice Modem Wlan 1121). It always failed with a Zlib error -3 (corrupted data). I've tried unsquash >= 2.0 but all failed. The version you posted worked for me. I've had to add a break in the switch statement of the main function which they seemed to forgot but then it just worked fine. Thank you very much! Thanks sir,

this article helped me a lot!
I tried to unsquash a version 2.0 FS which I copied from a Siemens S1621-z220-A (Alice Modem Wlan 1121). It always failed with a Zlib error -3 (corrupted data). I’ve tried unsquash >= 2.0 but all failed. The version you posted worked for me. I’ve had to add a break in the switch statement of the main function which they seemed to forgot but then it just worked fine.

Thank you very much!

]]> Comment on Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM by Eino http://www.poppopret.org/?p=251#comment-6664 Eino Wed, 13 Feb 2013 13:43:43 +0000 http://www.poppopret.org/?p=251#comment-6664 Hi, This rootkit looks interesting and I like your design ideas including support for both 2.6.x and 3.x kernels and nice socket hiding features. A few feature ideas: (if you like them). -Autostart on boot -Remote shell backdoor (with encryption and TTY/PTY support) -Keylogger/TTY Sniffer logs sniffed data to hidden logfile -Option to hide network interface's promiscious mode -Install script Hi,

This rootkit looks interesting and I like your design ideas including support for both
2.6.x and 3.x kernels and nice socket hiding features.

A few feature ideas: (if you like them).
-Autostart on boot
-Remote shell backdoor (with encryption and TTY/PTY support)
-Keylogger/TTY Sniffer logs sniffed data to hidden logfile
-Option to hide network interface’s promiscious mode
-Install script

]]> Comment on Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM by mncoppola http://www.poppopret.org/?p=251#comment-6469 mncoppola Sat, 09 Feb 2013 14:53:04 +0000 http://www.poppopret.org/?p=251#comment-6469 I actually have considered it, but unfortunately it seems that Android isn't compiled with Kprobes support by default (which opposes what your blog post says ;) ). I'll show you: Android kernels are certainly compiled with CONFIG_HAVE_KPROBES, however a quick grep of a source tree shows very few instances of this flag, none of which are #ifdef's: <code>$ grep CONFIG_HAVE_KPROBES -r . ./include/config/auto.conf:CONFIG_HAVE_KPROBES=y ./include/generated/autoconf.h:#define CONFIG_HAVE_KPROBES 1 ./.config:CONFIG_HAVE_KPROBES=y ./.config.old:CONFIG_HAVE_KPROBES=y ./arch/um/defconfig:# CONFIG_HAVE_KPROBES is not set ./arch/arm/configs/android_4430_defconfig:CONFIG_HAVE_KPROBES=y</code> I'm actually not even sure what function this flag serves, and documentation seems to have no explanation for it. However, if you take a look at the tree's .config file, there is actually a second flag CONFIG_KPROBES that is <em>not</em> set. This is the flag that actually enables support for Kprobes: <code>$ grep CONFIG_KPROBES -r . ./drivers/misc/lkdtm.c:#ifdef CONFIG_KPROBES ./include/linux/kprobes.h:#ifdef CONFIG_KPROBES ./include/linux/kprobes.h:#else /* CONFIG_KPROBES */ ./include/linux/kprobes.h:#endif /* CONFIG_KPROBES */ ./include/linux/kprobes.h:#ifdef CONFIG_KPROBES ./include/linux/kprobes.h:#ifdef CONFIG_KPROBES_SANITY_TEST ./include/linux/kprobes.h:#endif /* CONFIG_KPROBES_SANITY_TEST */ ./include/linux/kprobes.h:#else /* !CONFIG_KPROBES: */ ./include/linux/kprobes.h:#endif /* CONFIG_KPROBES */ ./.config:# CONFIG_KPROBES is not set ./kernel/Makefile:obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o ./kernel/Makefile:obj-$(CONFIG_KPROBES) += kprobes.o ... (another 60 lines or so)</code> I actually have considered it, but unfortunately it seems that Android isn’t compiled with Kprobes support by default (which opposes what your blog post says ;) ). I’ll show you:

Android kernels are certainly compiled with CONFIG_HAVE_KPROBES, however a quick grep of a source tree shows very few instances of this flag, none of which are #ifdef’s:

$ grep CONFIG_HAVE_KPROBES -r .
./include/config/auto.conf:CONFIG_HAVE_KPROBES=y
./include/generated/autoconf.h:#define CONFIG_HAVE_KPROBES 1
./.config:CONFIG_HAVE_KPROBES=y
./.config.old:CONFIG_HAVE_KPROBES=y
./arch/um/defconfig:# CONFIG_HAVE_KPROBES is not set
./arch/arm/configs/android_4430_defconfig:CONFIG_HAVE_KPROBES=y

I’m actually not even sure what function this flag serves, and documentation seems to have no explanation for it.

However, if you take a look at the tree’s .config file, there is actually a second flag CONFIG_KPROBES that is not set. This is the flag that actually enables support for Kprobes:

$ grep CONFIG_KPROBES -r .
./drivers/misc/lkdtm.c:#ifdef CONFIG_KPROBES
./include/linux/kprobes.h:#ifdef CONFIG_KPROBES
./include/linux/kprobes.h:#else /* CONFIG_KPROBES */
./include/linux/kprobes.h:#endif /* CONFIG_KPROBES */
./include/linux/kprobes.h:#ifdef CONFIG_KPROBES
./include/linux/kprobes.h:#ifdef CONFIG_KPROBES_SANITY_TEST
./include/linux/kprobes.h:#endif /* CONFIG_KPROBES_SANITY_TEST */
./include/linux/kprobes.h:#else /* !CONFIG_KPROBES: */
./include/linux/kprobes.h:#endif /* CONFIG_KPROBES */
./.config:# CONFIG_KPROBES is not set
./kernel/Makefile:obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
./kernel/Makefile:obj-$(CONFIG_KPROBES) += kprobes.o
... (another 60 lines or so)

]]>