I was reading the following story:
http://www.eusecwest.com/justin-ferguson-interpreter-vm-attacks.html
I'll keep my subjective opinion about the article to myself and will focus on the following:
I think that the use of the function 'sys._getframe()' mentioned in the article as a way to 'obtain a heap address' is 'misleading'.
Python gives away memory addresses all the time; there's no need to call a 'weird' function (sys._getframe() is not weird anyway):
(from http://shell.appspot.com/, but applicable to any python deployment):
>>> import sys
>>> a = 'mythbusters'
>>> id(a)
6912173043421908880
>>> hex(id(a))
'0xe81da54d11f45f88L'
>>> sys._getframe()
<frame object at 0xe81da54d1ff6afc8>
Both addresses are clearly in the same 'range', so I can infer they 'refer' to the same 'thing'; if the 'thing' is the 'heap', then both methods 'leak' a heap address,
or, more importantly, they 'leak' the same 'thing' :)
or
(on a windows machine)
>>> import sys
>>> class a:
...     def test(self):
...         print 'hola'
...
>>> j = a()
>>> j
<__main__.a instance at 0x004AF0F8>
>>> sys._getframe()
<frame object at 0x00475960>
and finally (done from http://shell.appspot.com/):
>>> import os
>>> os.uname()
('Linux', '', '', '', '')
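The three leaks compared in the two sessions above (id(), the default repr of an instance, and sys._getframe()) in one runnable Python 3 script. This is an added example, not code from the post: it confirms with ctypes that the integer id() returns is a real pointer in CPython, so the frame object is just one more heap object. The class Plain and the helper names are mine, and the check is CPython-specific (other interpreters do not define id() as an address).

```python
import ctypes
import re
import sys


class Plain:
    """Class without __repr__, so its default repr embeds its address, as in the Windows session."""


def leaked_addresses(obj):
    """Return the two numbers the post compares: id(obj) and id() of a frame object.

    In CPython both are raw addresses of heap-allocated objects, so the frame
    returned by sys._getframe() leaks nothing that id() does not already leak.
    """
    return id(obj), id(sys._getframe())


def repr_address(obj):
    """Pull the 0x... value out of the default object repr (None if the repr has none)."""
    match = re.search(r" at (0x[0-9a-fA-F]+)>$", object.__repr__(obj))
    return int(match.group(1), 16) if match else None


def is_live_pointer(obj):
    """Check that id(obj) is a dereferenceable pointer: cast the integer back to a
    Python object reference and compare identity (CPython-specific behaviour)."""
    return ctypes.cast(id(obj), ctypes.py_object).value is obj


def leak_report(obj):
    """Summarise, for one object, where its address shows up and that it really is one."""
    obj_addr, frame_addr = leaked_addresses(obj)
    via_repr = repr_address(obj)
    return {
        "id_hex": hex(obj_addr),
        "repr_hex": hex(via_repr) if via_repr is not None else None,
        "frame_hex": hex(frame_addr),
        "repr_matches_id": via_repr == obj_addr,
        "id_is_pointer": is_live_pointer(obj),
        "frame_is_pointer": is_live_pointer(sys._getframe()),
        # varies with ASLR and allocator state; reported, not asserted on
        "distance_bytes": abs(obj_addr - frame_addr),
    }


if __name__ == "__main__":
    for sample in ("mythbusters", Plain()):
        print(type(sample).__name__)
        for key, value in leak_report(sample).items():
            print(f"  {key}: {value}")
```

The cast-back check is what makes the point concrete: if the integer can be turned back into the very same object, it is that object's address, and there is nothing special about obtaining one through sys._getframe() rather than id() or a default repr.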
If you think I'm wrong, please comment!
Thursday, May 22, 2008
Thursday, May 08, 2008
Using whosthere.exe with psexec
Ok, a few days ago I received the following question, and I have been asked the same thing before, so here it goes.
The question, more or less, is:
How do you run whosthere.exe on a remote machine using psexec, detached from any console, and leave it running there collecting hashes?
The answer is:
psexec \\ -d -c whosthere.exe -o myhashes.log -i
psexec's -d switch basically makes it launch whosthere.exe and exit without waiting for it to terminate.
whosthere's -o switch specifies the name of the file that will hold the list of unique credentials collected,
and the -i switch makes whosthere.exe run in an infinite loop, looking for new
logon credentials and storing them in the file specified by the -o switch.
Remember, of course, that you will probably need to pass the -u and -p switches to psexec, or you can do something like the following from your machine:
net use \\\ipc$ * /u:user password
and then run psexec.
Also remember that if you want to use whosthere-alt.exe, you can't use psexec's -c switch (I think), because whosthere-alt.exe also requires pth.dll; you will probably need to copy whosthere-alt.exe and pth.dll to the target machine yourself and then run psexec without the -c switch, specifying the path where whosthere-alt.exe and pth.dll are located.
Hope it helps!
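From the defender's side, an added example (my own code, not part of this post or of the toolkit) that flags the host artefacts the procedure above leaves behind: psexec installs its helper service, PSEXESVC, on the target, and the binary it copies with -c runs as a child of that service. The records are constructed, simplified one-line renderings of Windows events (7045, service installed, from the System log; 4688, process created, from the Security log with command-line auditing on); the key=value field names are my own flattening, not the real event schema. The admin-share rule goes one step beyond psexec itself and catches any service whose binary was dropped via ADMIN$.

```python
import re

# Constructed sample records (not real telemetry): Windows events flattened to
# one line each, the way a SIEM export might render them. Field names are a
# simplification for this example, not the real event schema.
SAMPLE_EVENTS = [
    "2008-05-08T10:01:12 host=WS01 id=7045 service=PSEXESVC "
    "path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
    "2008-05-08T10:01:13 host=WS01 id=4688 process=whosthere.exe "
    'cmdline="whosthere.exe -o myhashes.log -i" parent=PSEXESVC.exe',
    "2008-05-08T10:05:00 host=WS02 id=7045 service=Spooler "
    "path=%SystemRoot%\\System32\\spoolsv.exe account=LocalSystem",
    "2008-05-08T10:07:30 host=WS03 id=7045 service=svc8f2a "
    "path=\\\\127.0.0.1\\ADMIN$\\svc8f2a.exe account=LocalSystem",
]

# Tool binaries named in the post; extend with whatever your environment treats as such.
HARVESTER_IMAGES = {"whosthere.exe", "whosthere-alt.exe"}

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one flattened record into a dict; quoted values lose their quotes."""
    timestamp, rest = line.split(" ", 1)
    event = {"timestamp": timestamp}
    for key, value in KEY_VALUE.findall(rest):
        event[key] = value.strip('"')
    return event


def detect(event):
    """Apply the rules to one parsed event; returns a list of (rule, detail) hits."""
    hits = []
    if event.get("id") == "7045":
        service, path = event.get("service", ""), event.get("path", "")
        if service.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
            # psexec installs its helper service under this name on the target
            hits.append(("psexec_service_install", f"{service} -> {path}"))
        elif "\\ADMIN$\\" in path.upper():
            # psexec-style tools in general: service binary dropped via the admin share
            hits.append(("service_binary_from_admin_share", f"{service} -> {path}"))
    elif event.get("id") == "4688":
        image, parent = event.get("process", ""), event.get("parent", "")
        if parent.upper() == "PSEXESVC.EXE":
            # the binary copied with -c runs as a child of the psexec service
            hits.append(("child_of_psexec_service", f"{parent} -> {image}"))
        if image.lower() in HARVESTER_IMAGES:
            hits.append(("known_credential_harvester", event.get("cmdline", image)))
    return hits


def scan(lines):
    """Run every rule over every line; returns (host, timestamp, rule, detail) tuples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule, detail in detect(event):
            findings.append((event.get("host"), event["timestamp"], rule, detail))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The service-install event fires whether or not the launched process is ever seen, which is why it is the more reliable of the two signals; the 4688 rules only work where process creation auditing with command-line logging is enabled.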