Saturday, January 29, 2011

egyptian bgp routers withdraw from the Internet

What a crazy time we live in!
http://www.renesys.com/blog/2011/01/egypt-leaves-the-internet.shtml

kaspersky product source leakage confirmed

Today I've downloaded the publicly available source of the Kaspersky 2008 suite, just to check what is inside. I really sympathize with the researchers who used it. But the most interesting thing is the attached file:

KASPERSKY ANTIVIRUS SOURCES 2oo8
FiLe ...................... KASPERSKY.AV.2008.SRCS.ELCRABE.RAR
TyPe ...................... Code / Docs
LaNGuaGe ...................... C++ / Delphi
ReLeaSe DaTe ...................... 08 Nov 2010
DeScRipT10n ...................... Srcs of kaspersky av stolen in 2008
Last source change data was December 2007

http://ElCrabe.BlogSpot.com
http://forum.ru-board.com/topic.cgi?forum=55&bm=1&topic=10520

Thus hackers have had the source since 2008! Perhaps this is the cause of new versions of undetectable viruses appearing from time to time.

Thursday, January 27, 2011

someone published a keygen for iou

#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
#include <openssl/md5.h>

int main () {
    uint32_t hostid,i;
    uint8_t hid[4];
    uint8_t a1[] = { 0x4B,0x58,0x21,0x81,0x56,0x7B,0x0D,0xF3,0x21,0x43,0x9B,0x7E,0xAC,0x1D,0xE6,0x8A };

    uint8_t a2[] = {
        0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };

    char s[256];                              /* hostname buffer; size must match the gethostname() length below */
    unsigned char digest[MD5_DIGEST_LENGTH];  /* MD5_Final() wants an unsigned char buffer */

    MD5_CTX ctx;
    gethostname(s,sizeof(s));
    hostid = gethostid();
    for (i=0; i<strlen(s); i++) {
        hostid += *(s + i);
    }

    hid[0] = (hostid >> 24) & 0xFF;
    hid[1] = (hostid >> 16) & 0xFF;
    hid[2] = (hostid >> 8) & 0xFF;
    hid[3] = (hostid) & 0xFF;

    MD5_Init(&ctx);
    MD5_Update(&ctx,a1,16);
    MD5_Update(&ctx,a2,40);
    MD5_Update(&ctx,hid,4);
    MD5_Update(&ctx,a1,16);
    MD5_Final(digest,&ctx);

    for (i=0; i<8; i++) {
        printf("%X",digest[i]);
    }

    printf("\n");

    return 0;
}

cisco iou exploration (and iou download link)

Recently I came across the IOU leakage topic on the evilrouter site. Being delighted at how light it was compared to dynamips, I realized that it lacks real network connectivity. While tracing and looking at IOU internals I found out that IOU instances exchange traffic with each other through unix sockets in /tmp/netioY/X, where X is the IOU id, i.e.
./i86bi_linux-adventerprisek9-ms X
and Y is the UID.

Assuming IOU is a Linux (unix) port of IOS with some stubs, I wrote a small C application that sniffs the traffic exchange. I think it's possible to retransmit it to the real network (connect to real switches etc.) by extracting it from the local socket and then using AF_PACKET and bridge utils on Linux.
I wonder if someone wants to research this topic too; that is why I made this blog.

Here is what the local traffic exchange looks like. This is an ARP request packet from aabb.cc00.2a10.


0x0 0x2c 0x0 0x2a 0x10 0x10 0x1 0x0 0xffffffff 0xffffffff 0xffffffff 0xffffffff 0xffffffff 0xffffffff 0xffffffaa 0xffffffbb 0xffffffcc 0x0 0x2a 0x10 0x8 0x6 0x0 0x1 0x8 0x0 0x6 0x4 0x0 0x1 0xffffffaa 0xffffffbb 0xffffffcc 0x0 0x2a 0x10 0xa 0xa 0xa 0xb 0x0 0x0 0x0 0x0 0x0 0x0 0xa 0xa 0xa 0x64 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

0x00 0x2C - dst local socket number /tmp/netio0/44, dst IOU ID
0x00 0x2A - src IOU ID

0x10 - dst interface id inside iou
0x10 - src interface id inside iou
0x01 0x00 - unknown so far

and then the ARP header follows...
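As an added example (not the post's own sniffer), this is a decoder for the netio frame layout described above, run over a constructed copy of the dump quoted in the post. One detail worth noting: the dump was printed through a signed char, so every byte at or above 0x80 appears sign-extended (0xffffffaa is really 0xaa); the decoder masks that off before parsing the 8-byte header and the Ethernet/ARP payload behind it.

```python
import struct

# Constructed copy of the dump quoted in the post. Each byte was printed through a
# signed char, so bytes >= 0x80 show up sign-extended (0xffffffaa is really 0xaa).
DUMP = (
    "0x0 0x2c 0x0 0x2a 0x10 0x10 0x1 0x0 "
    "0xffffffff 0xffffffff 0xffffffff 0xffffffff 0xffffffff 0xffffffff "
    "0xffffffaa 0xffffffbb 0xffffffcc 0x0 0x2a 0x10 0x8 0x6 "
    "0x0 0x1 0x8 0x0 0x6 0x4 0x0 0x1 "
    "0xffffffaa 0xffffffbb 0xffffffcc 0x0 0x2a 0x10 0xa 0xa 0xa 0xb "
    "0x0 0x0 0x0 0x0 0x0 0x0 0xa 0xa 0xa 0x64" + " 0x0" * 18  # trailing zeros: Ethernet padding
)

def dump_to_bytes(text):
    """Rebuild raw bytes from the printed dump, masking off the sign extension."""
    return bytes(int(tok, 16) & 0xFF for tok in text.split())

def mac(b):
    return ":".join("%02x" % x for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_netio(frame):
    """Decode the 8-byte IOU netio header described in the post (dst IOU id, src IOU id,
    dst interface, src interface, 2 unknown bytes), then the Ethernet frame it carries.
    ARP (ethertype 0x0806) payloads are decoded one level further."""
    if len(frame) < 8 + 14:
        raise ValueError("frame too short for netio + Ethernet headers")
    dst_id, src_id, dst_if, src_if, unknown = struct.unpack("!HHBBH", frame[:8])
    eth = frame[8:]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", eth[:14])
    info = {
        "dst_iou": dst_id, "src_iou": src_id,   # 0x2c -> socket /tmp/netio<uid>/44
        "dst_if": dst_if, "src_if": src_if, "unknown": unknown,
        "eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "ethertype": ethertype,
    }
    if ethertype == 0x0806 and len(eth) >= 14 + 28:
        # ARP: htype, ptype, hlen, plen, oper, sender MAC/IP, target MAC/IP
        _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", eth[14:42])
        info["arp"] = {
            "oper": {1: "request", 2: "reply"}.get(oper, oper),
            "sender": (mac(sha), ip(spa)), "target": (mac(tha), ip(tpa)),
        }
    return info

if __name__ == "__main__":
    for key, value in parse_netio(dump_to_bytes(DUMP)).items():
        print(key, value)
```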

I also provide a link to download the unlocked IOU (hope it draws people).
Very slow, but just in case...


h44p://93.92.219.66:5081/i86bi_linux-adventerprisek9-ms
h44p://93.92.219.66:5081/wrapper-linux