Thursday, May 22, 2008

Comment on article about 'vm attacks' at www.eusecwest.com

I was reading the following story:

http://www.eusecwest.com/justin-ferguson-interpreter-vm-attacks.html

I'll keep my subjective opinion about the article to myself and will focus on the following:

I think that the use of the function sys._getframe(), mentioned in the article as a way to 'obtain a heap address', is misleading.

Python gives away memory addresses all the time; there's no need to call a 'weird' function (sys._getframe() is not weird anyway):

(from http://shell.appspot.com/, but applicable to any Python deployment):

>>> import sys
>>> a = 'mythbusters'
>>> id(a)
6912173043421908880
>>> hex(id(a))
'0xe81da54d11f45f88L'
>>> sys._getframe()
<frame object at 0xe81da54d1ff6afc8>

Both addresses are clearly in the same 'range', so I can infer they 'refer' to the same 'thing'; if the 'thing' is the 'heap', then both methods 'leak' a heap address,
or, more importantly, they 'leak' the same 'thing' :)


or

(on a windows machine)

>>> import sys
>>> class a:
...     def test(self):
...         print 'hola'
...
>>> j = a()
>>> j
<__main__.a instance at 0x004AF0F8>
>>> sys._getframe()
<frame object at 0x00475960>

and finally (done from http://shell.appspot.com/):

>>> import os
>>> os.uname()
('Linux', '', '', '', '')
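To make the comparison above concrete in current Python, here is an added example (not part of the original post). It assumes CPython, where id() is the object's address, and Linux's /proc/self/maps for the mapping lookup; the helper names are my own.

```python
import re
import sys

# Matches the hex address CPython's default repr embeds, e.g. "<frame object at 0x7f...>".
ADDR_RE = re.compile(r"0x([0-9a-fA-F]+)")

def addr_from_repr(obj):
    """Parse the address printed by the default object repr (the 'leak' shown for j and the frame)."""
    m = ADDR_RE.search(object.__repr__(obj))
    if m is None:
        raise ValueError("no address in repr: %r" % object.__repr__(obj))
    return int(m.group(1), 16)

def leaked_addresses():
    """Collect the string/frame addresses the post compares, via both id() and the default repr."""
    a = 'mythbusters'
    frame = sys._getframe()  # the frame of leaked_addresses() itself
    return {
        "str_id": id(a),  # under CPython (assumption) id() is the object's address
        "str_repr": addr_from_repr(a),
        "frame_id": id(frame),
        "frame_repr": addr_from_repr(frame),
    }

def mapping_for(addr, maps_path="/proc/self/maps"):
    """Locate addr in the Linux /proc/self/maps table. Returns (lo, hi, name) where name is
    '[heap]', a file path, or '' for an anonymous mmap region; None if unmapped or not on Linux."""
    try:
        with open(maps_path) as fh:
            for line in fh:
                fields = line.split()
                lo, hi = (int(x, 16) for x in fields[0].split("-"))
                if lo <= addr < hi:
                    return lo, hi, (fields[5] if len(fields) > 5 else "")
    except OSError:
        return None
    return None

def same_region(addr_a, addr_b):
    """The post's inference made precise: True only when both addresses fall inside one mapping."""
    region_a = mapping_for(addr_a)
    return region_a is not None and region_a == mapping_for(addr_b)

if __name__ == "__main__":
    leaks = leaked_addresses()
    for name, addr in leaks.items():
        print("%-10s %#x  mapping=%r" % (name, addr, mapping_for(addr)))
    print("string and frame share one mapping:", same_region(leaks["str_id"], leaks["frame_id"]))
```

On a modern Linux build the string and the frame usually land in different mappings (one in [heap], one in an anonymous arena), which is why the "same range, same thing" inference is worth checking against the maps table rather than eyeballing the hex.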

If you think I'm wrong, please comment!

Thursday, May 08, 2008

Using whosthere.exe with psexec

Ok, a few days ago I received the following question, and I have been asked the same thing before, so here it goes:

The question, more or less, is:

How do you run whosthere.exe on a remote machine using psexec, detached from any console, and leave it running there collecting hashes?

The answer is:

psexec \\ -d -c whosthere.exe -o myhashes.log -i

psexec's -d switch basically makes it launch whosthere.exe and exit without waiting for it to finish.
whosthere's -o switch specifies the name of the file where the list of unique credentials collected is written,
and the -i switch makes whosthere.exe run in an infinite loop looking for new
logon credentials and storing them in the file specified by the -o switch.

Remember, of course, that you will probably need to specify the -u and -p switches to psexec, or you can first do something like the following from your machine:

net use \\\ipc$ * /u:user password

and then run psexec.

Also remember that if you want to use whosthere-alt.exe, you can't use psexec's -c switch (I think), because whosthere-alt.exe also requires pth.dll; so you will probably need to copy whosthere-alt.exe and pth.dll to the target machine first, and then run psexec without the -c switch, specifying the path where whosthere-alt.exe and pth.dll are located.

Hope it helps!