2010-07-26 Snake by wudu
Terminal snake. First project in python by wudu
Author: wudu
Source
2010-07-20 Python MIT Binary Trees
After reading chapter form MIT Introduction in algorithms about trees I have implemented same algorithm in python
I haven't tryed to make best perfomance only easy to understund and one to one like is in pseudo-code
Tree python class that are used to represent BinaryTree.
class Tree: p = None left = None right = None key = 0
pseudo-code
Inorder_Tree_Walk( x ) if x != NIL then Inorder_Tree_Walk( left[x] ) print key[x] Inorder_Tree_Walk( right[x] )
python code
def inorder_tree_walk( t ): if t != None: inorder_tree_walk( t.left ) print t.key, inorder_tree_walk( t.right )
pseudo code
Tree_Search( x , k ) if x = NIL or k = key[x] then return x if k < key[x] then return Tree_Search( left[x] , k ) else return Tree_Search( right[x] , k )
python code
def tree_search( t , k ): if (t == None) or (k == t.key): return t if k < t.key: return tree_search( t.left, k ) return tree_search( t.right, k )
pseudo code
Tree_Minimum( x ) while left[x] != NIL do x <- left[x] return xpython code
def tree_minimum( t ): while t.left != None: t = t.left return tpseudo code
Tree_Maximum( x ) while right[x] != NIL do x <- right[x] return xpython code
def tree_maximum( t ): while t.right != None: t = t.right return tpython code
def tree_root( t ): while ( t.p != None): t = t.p return tpseudo code
Tree_Successor( x ) if right[x] != NIL then return Tree_Minimum( right[x] ) y <- p[x] while y != NIL and x = right[y] do x <- y y <- p[y] return y
python code
def tree_successor( t ): if t.right != None: return tree_minimum( t.right ) y = t.p while (y != None) and (t == y.right): t = y y = y.p return ypseudo code
Tree_Insert( T , z ) y <- NIL x <- root[T] while x != NIL do y <- x if key[z] < key[x] then x <- left[x] else x <- right[x] p[x] <- y if y = NIL then root[T] <- z else if key[z] < key[y] then left[y] <- z else right[y] <- zpython code
def tree_insert( t , z ): y = None x = tree_root( t ) while x != None: y = x if z.key < x.key: x = x.left else: x = x.right z.p = y if y == None: r = tree_root( t ) r = z else: if z.key < y.key: y.left = z else: y.right = z
def tree_insert_recrusive( t , z ): if t.left == None and t.right == None: if z.key < t.key: t.left = z else: t.right = z return if z.key < t.key: tree_insert_recrusive( t.left , z ) else: tree_insert_recrusive( t.right , z )
pseudo code
Tree_Delete( T , z ) if left[z] = NIL or right[z] = NIL then y <- z else y <- Tree_Successor( z ) if left[y] != NIL then x <- left[y] else x <- right[y] if x != NIL then p[x] <- p[y] if p[y] = NIL then root[T] <- x else if y = left[p[y]] then left[p[y]] <- x else right[p[y]] <- x if y != z then key[z] <- key[y] return y
python code
def tree_delete( t , z ): if (z.left == None) or (z.right == None): y = z else: y = tree_successor( z ) if y.left != None: x = y.left else: x = y.right if x != None: x.p = y.p if y.p == None: r = tree_root( t ) r = x t = r else: if y == y.p.left: y.p.left = x else: y.p.right = x if y != z: z.key = y.key return y
Example of usage:
Now we can use out tree. There is some more functions like create_tree that creates binary tree from given array.
And print_tree that print all ree values.
keys = [10,6,1,0,3,8,7,9,21,15,11,17,25,23,46] max_deep = log(len(keys),2)
def create_tree( n=0 , p=None): if (len(keys) == 0) or (n >= max_deep): return None t = Tree() t.p = p t.key = keys.pop(0) t.left = create_tree( n+1 , t ) t.right = create_tree( n+1 , t) return t
def print_tree( t ): if (t != None) and (t.key != None): if t.left == t.right == None: print "Key:%d "%(t.key) return if t.left.key == None: print "Key:%d Right:%d"%(t.key,t.right.key) print_tree( t.right ) return if t.right.key == None: print "Key:%d Left:%d"%(t.key,t.left.key) print_tree( t.left ) return print "Key:%d Left:%d Right:%d"%(t.key,t.left.key,t.right.key) print_tree( t.left ) print_tree( t.right )
t = create_tree() r = tree_search( t, 10 ) n = Tree() n.key = 150 tree_insert_recrusive( t , n ) inorder_tree_walk( t ) print "" tree_delete( t , r ) inorder_tree_walk( t ) print "" r = tree_root( t ) print r.key
Source
2010-06-25 PSP sample color filled rectangle
This is sample where is drawn colofilled rectangle. Used functions was taken from
pspsokoban
and
valentine-hbl.
To take screenshot press SELECT
for exit press HOME.
As it very simple to code and easy to see what is inside. It can be first
programm that you would try to modify and test on PSP.
Tested:
valentine-hbl - R86
firmware - 6.20
model - 3003
Source
2010-04-24 CVS 2010-1160 Exploiting nano
CVE-2010-1160 Nano Changed File Symlink Privilege Escalation
Usualy if I have to edit some file I am using nano editor.
It is almost on every distribution and easy and fast to use. Some time ago i hated vim
beacouse of Ctrl-D =] and that way used nano or pico. Now I know how to exit from vim :q!. After this bug
reported in CVE i was exited to check it out in real life. It is first bug that i have fully tested.
This bug is fixed in newest versions. Testing all nano version this bug works
on < 2.1.7 versions now on my system is latest nano version and I have
compiled many < 2.1.7 versions to test this bug.
To get your nano version run:
$ nano -V
When user is editing file nano don't check if it is edited by some
one else. When saving file it simply save it and dont check if it was modified. If file was changed by some one else
then nano will overwrite it with his text. But it can be changed to symlink that points to other file. How to use it in real life:
1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file
Everytning looks like
$nano text.txt
Now some one do:
$ls -s empty.txt text.txt
Nano save
whach you save in text.txt
In python it looks like:
os.remove( "text.txt" ) open( "empty.txt" , "w" ).close() os.symlink( "empty.txt" , "text.txt"Python step by step
If you are root and opening file with owner isnt you. Than owner while you
editing his file can set
symlink to some "/etc/important.conf" and you will overwrite it with some
other unrelated info. This can make some harm to your system.
How can it be exploited in real life by "small unpreviliged user". Make some interesting file
that root will interested in. Make some process that whachs nanos running in system. If nano opened file is our , symlink it.
1)Detect running nano in system
2)Check with file is opened
3)If file is yours make symlink
Nano catch
Script is only for user and dont work if you try to symlink root opened nano. It makes
all steps as described above. Change script variables for your tests:
debug = True nano = "nano-2.0.9" user = "user" sym_path="/home/user/empty.txt"Tested only with python 2.6.5
Simply be uptodated or if you using old nano dont open with privileged user unpriveleged user files.
It will save you from this bug.
Linkage:
[1] http://osvdb.org/show/osvdb/63872
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
[3] http://drosenbe.blogspot.com/2010/03/nano-as-root.html
[4] http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup
2010-04-04 PSP snake game
When I saw ost about patapon exploit that worked on PSP FW 6.20 I was happy.
I was bought PSP-3004 for programming but i dont know that not always you can programm
your PSP, but now my dream come true
Link
Since exploit relised I started to trying it. Then I compiled everything
that is needed to programm PSP and now I have my own dirty and unfinished
version of PSP snake game. It can be started at this moment only through exploit.
Source
2010-03-16 Python Manage Lynksys Router
Good fellow asked me to write some script that will help him to turn on/off passway to
global network. There was used linksys machine for controlling such stuff
Here is some code that login, change some rulles and logout. Also pygtk script that do
it in visual way
from linksys import * ls = LinkSys( "http://192.168.1.1/" ) ls.login( "admin" , "admin" ) ls.setip( STATIC_IP , "gateway" , 10 , 66 , 66 , 66 ) ls.setip( STATIC_IP , "subnet" , 255 , 255 , 255 , 0 ) if ls.response(): print "Succes" else: print "O_O AIam BAd GUy -^-" ls.logout()Everything was writen in early 2009. I have tested at that days. Now I don't have linksys machine
to test it.
Source
2010-03-05 Linux antidebug 3
Now we will try to make disasm output whery unclear. We make jump with eax register
Programm 1
main: push lbl+1 pop eax jmp eax lbl: db 0xe8 mov eax, 4 mov ebx, 1 mov ecx, msg1 mov edx, msg1_size int 80h mov eax, 1 mov ebx, 0 int 80hOutput is same as source. Nothing changes
Dissassembler output 1
│ ....... ! main: ;xref o80482d7 │ │ ....... ! push offset_804837d │ │ 8048379 ! pop eax │ │ 804837a ! jmp eax │ │ 804837c db 0e8h │ │ 804837d ! │ │ ....... ! offset_804837d: ;xref o8048374 │ │ ....... ! mov eax, 4 │ │ 8048382 ! mov ebx, 1 │ │ 8048387 ! mov ecx, strz_I_am_running__8049568 │ │ 804838c ! mov edx, 0eh │ │ 8048391 ! int 80h │ │ 8048393 ! mov eax, 1 │ │ 8048398 ! mov ebx, 0 │ │ 804839d ! int 80hHere we add only one instruction. We get jump adress and add 1. Disasm cannot calculate adress of jmp.
Programm 2
Like in first programm disasm think that we push correct adress and disasm it. And our byte 0xe9 is used
for disasm output. That nice.
main: push lbl pop eax inc eax jmp eax lbl: db 0xe9 mov eax, 4 mov ebx, 1 mov ecx, msg1 mov edx, msg1_size int 80h mov eax, 1 mov ebx, 0 int 80h
Dissassembler output 2
│ ....... ! main: ;xref o80482d7 │ │ ....... ! push offset_804837d │ │ 8048379 ! pop eax │ │ 804837a ! inc eax │ │ 804837b ! jmp eax │ │ 804837d ! │ │ ....... ! offset_804837d: ;xref o8048374 │ │ ....... ! jmp 804883ah │ │ 8048382 add [ebx+1], bh │ │ 8048388 mov ecx, 8049568h │ │ 804838d mov edx, 0eh │ │ 8048392 int 80h │ │ 8048394 mov eax, 1 │ │ 8048399 mov ebx, 0 │ │ 804839e int 80h
Now we add nop instruction after every line of our code. It doesnt have any imapct on programm work.
Programm 3
main: push lbl pop eax inc eax jmp eax lbl: db 0xe9 mov eax, 4 nop mov ebx, 1 nop mov ecx, msg1 nop mov edx, msg1_size int 80h mov eax, 1 mov ebx, 0 jmp lbl2+1 lbl2: db 0xe9 int 80hDisasm output now is very nice. Output isnt very good. For first time when you view this output it is very unclear
about what exactly is done by this code.
Dissassembler output 3
│ ....... ! main: ;xref o80482d7 │ │ ....... ! push offset_804837d │ │ 8048379 ! pop eax │ │ 804837a ! inc eax │ │ 804837b ! jmp eax │ │ 804837d ! │ │ ....... ! offset_804837d: ;xref o8048374 │ │ ....... ! jmp 804883ah │ │ 8048382 add [eax+1bbh], dl │ │ 8048388 add [eax+49578b9h], dl │ │ 804838e or [eax+0ebah], dl │ │ 8048394 add ch, cl │ │ 8048396 cmp byte ptr [eax+1], 0bbh │ │ 804839d add [eax], al │ │ 804839f add [eax], al │ │ 80483a1 jmp 80483a4h │ │ 80483a3 jmp 98950475h
Here is one more way how to make unclear jumo to other place. We using function
and inside function we change return adress by 1.
Programm 4
Thats also works fine. Disasm dont know real return adress ans and use 0xe8 as he think is better.
main: call fun db 0xe8 mov eax, 4 mov ebx, 1 mov ecx, msg1 mov edx, msg1_size int 80h mov eax, 1 mov ebx, 0 int 80h fun: pop ebp inc ebp push ebp ret
Dissassembler output 4
│ ....... ! main: ;xref o80482d7 │ │ ....... ! call sub_804839c │ │ 8048379 ! call 8048836h │ │ 804837e ! add [ebx+1], bh │ │ 8048384 ! mov ecx, strz_I_am_running__8049568 │ │ 8048389 ! mov edx, 0eh │ │ 804838e ! int 80h │ │ 8048390 ! mov eax, 1 │ │ 8048395 ! mov ebx, 0 │ │ 804839a ! int 80h │ │ 804839c ! │ │ ....... ! ;----------------------- │ │ ....... ! ; S U B R O U T I N E │ │ ....... ! ;----------------------- │ │ ....... ! sub_804839c: ;xref c8048374 │ │ ....... ! pop ebp │ │ 804839d ! inc ebp │ │ 804839e ! push ebp │ │ 804839f ! ret
Source
2010-02-26 Linux antidebug 2
This is dirty solution it checks programms argv[0] name with your defined name
when running debuger such as gdb or ald name is chaned to fullpath name
user defined name from terminal is './main'.
#include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> int main( int argc , char **argv ) { pid_t pid,ppid; FILE *f; char str[128]; char spid[10]; //openfile and write ppid f = fopen( "pid.txt" , "w" ); pid = getpid(); fprintf(f,"%d ",pid); fclose( f ); f = fopen( "pid.txt" , "r" ); fscanf( f , "%s" , spid ); fclose( f ); strcpy( str , "cat /proc/" ); strcat( str , &spid[0] ); strcat( str , "/cmdline"); printf( "[%s]\n", spid ); system( str ); printf("\n"); }
Dirty function that makes dirty solution at one place
int badppid( const char *real_name ) { pid_t pid,ppid; FILE *f; char str[128]; char spid[10]; f = fopen( "pid.txt" , "w" ); pid = getpid(); fprintf(f,"%d ",pid); fclose( f ); f = fopen( "pid.txt" , "r" ); fscanf( f , "%s" , spid ); fclose( f ); strcpy( str , "cat /proc/" ); strcat( str , &spid[0] ); strcat( str , "/cmdline > name.txt"); system( str ); f = fopen( "name.txt" , "r" ); fscanf( f , "%s" , str ); fclose( f ); if ( strncmp(str,real_name,strlen(real_name)) != 0 ) { return -1; } return 0; }
Source
2010-02-23 Linux antidebug 1
When ptrace is used for programm debugin then only one ptrace can be attached to programm
when we trying run ptrace with PTRACE_TRACEME then we get -1. I tested with gdb,ald. Also this method should
work with IDApro
#include <stdlib.h> #include <stdio.h> #include <sys/ptrace.h> long int ptraced() { return (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1); } int main() { if ( ptraced() ) { printf("Ptraced!\n"); } return 0; }
Source
2010-01-24 Linux Local Descriptor Table
If 0x80**** adreeses is default nope. You can setup your own. Compiler will not see them
but you can do it. Setup LDT and you will see it.
use32 mov dword [0] ,"Hall" mov dword [4] ,"Ball" mov dword [8] ,"Mall" mov dword [12],0x00000000yes everything starts from 0x0
#include <stdlib.h> #include <stdio.h> #include <sys/syscall.h> #include <sys/types.h> #include <asm/ldt.h> char new_segment[16]; int main() { int r; struct user_desc *ldt; ldt = (struct user_desc*)malloc(sizeof(struct user_desc)); ldt->entry_number = 0; ldt->base_addr = ((unsigned long)&new_segment); ldt->limit = 16; ldt->seg_32bit = 0x1; ldt->contents = 0x0; ldt->read_exec_only = 0x0; ldt->limit_in_pages = 0x0; ldt->seg_not_present = 0x0; ldt->useable = 0x1; printf("Start\n"); r = syscall( __NR_modify_ldt, 1 , ldt , sizeof(struct user_desc) ); if ( r == -1 ) { printf("Sorry\n"); exit( 0 ); } asm("pushl %ds"); asm("movl $0x7, %eax"); /* 0111: 0-Index 1-Using the LDT table 11-RPL of 3 */ asm("movl %eax, %ds"); asm(".byte 0xc7,0x5,0x0,0x0,0x0,0x0,0x48,0x61,\ 0x6c,0x6c,0xc7,0x5,0x4,0x0,0x0,0x0,\ 0x42,0x61,0x6c,0x6c,0xc7,0x5,0x8,0x0,\ 0x0,0x0,0x4d,0x61,0x6c,0x6c,0xc7,0x5,\ 0xc,0x0,0x0,0x0,0x0,0x0,0x0,0x0"); asm("popl %ds"); printf("End\n"); printf("Segment [%s]\n",new_segment); free( ldt ); return 0; }asm(".byte ... ") is code.bin
Compile:
fasm code.asm code.bin
gcc main.c -o main
Source