Mac OS X Hacking: InfoSecSellout’s “Rape.osx” Worm and ExploitingiPhone.com “iPhone Exploits”

24 07 2007

If you haven’t read about the latest (as of 7.23.07) Mac exploit/s then you either don’t care or haven’t looked at the intarwebs lately. I’ll give you the short version, with LOTS of links:

Engadget is aflame with comments on their posts, THREE so far, about the alleged “rape.osx” worm. A group of hackers who call themselves “InfoSecSellOut“ posted some hints about it on their blogspot blog, along with a link to a securityfocus.com notice about the “worm”, oh, and a hint that they want money for having created it. There’s been way too much drama to map out here (death threats much?!?!), but let’s just say it’s gotten out of hand. TMBBITW is totally neutral: we’re strictly grey hat and ALL homegrown Linux. No plans to release the code for the rape.osx worm have been revealed, not even a little bit.
HackZine has a little blurb up about a video that has popped up on www.exploitingiphone.com, which is really a redirect to a slashed Independent Security Evaluators (ISE) URL. Obviously ISE has an iPhone exploit on their hands; however, they have notified Apple and have some good info up. There’s a truncated white paper out, and they plan to reveal their code on August 2nd at the Black Hat convention in Vegas.

For the Windows folks out there, you haven’t been left out. A Win32 version of Safari was released, but it was hacked in ONE day.

And that’s everything in a nutshell since last Wednesday. Now I’ll go on to explain all the information I could gather on all of these, what we like to call, Mac Hacks.

ALL of the malware/exploits/worms/whatever you wanna call them are delivered via Safari. That means all three versions (mobile, desktop and Win32).

First is the most interesting, the iPhone exploit. Basically ISE has done a buttload of work, not to mention a bang-up job creating this:

If you read the white paper that they have on their site, which is pretty exhaustive, you’ll find out the level of knowledge it took to find this hack and turn it into working shellcode.

Here’s how they started, and what will probably be THE way to find new exploits for the iPhone:

Using jailbreak and iPhoneInterface, the binaries can be extracted from the device and statically analyzed, using a disassembler. Additionally, since the MobileSafari and MobileMail applications are based on the open source WebKit project, a source code audit of that package can be performed. Finally, dynamic analysis, or fuzzing, can be executed against the device. This involves sending malformed data to the device in an effort to cause a fault and make it crash. Such fuzzing can be performed against applications such as MobileSafari or against the WiFi or Bluetooth stack.

(You can download the tools mentioned in the above excerpt by clicking on them; as for fuzzers and debuggers, just use BACKTRACK and DBG.)

NOTE: For a quick tutorial on how to “activate” an iPhone go HERE: http://www.pqdvd.com/blog/iphone/category/unlock-iPhone/

Get the one-click “unlock” kit, via DVD Jon, for your iPhone HERE: http://therealdonquixote.files-upload.com/393766/iphoneunlocktoolkit.zip.html

Now this is where it gets a bit tricky:

[...] in order to view memory and discover the way the execution flows in the application. However, in this case we were able to utilize the Mac OS X crash reporter. This daemon runs and monitors any programs for crashes. When one is detected it records a log of the crash, including relevant register values. These reports can then be transported to a desktop computer when syncing. The crash reports can also be downloaded directly off the iPhone using jailbreak and iPhoneInterface. While the CrashReporter provides register values and basic memory mapping information, it does not include direct access to the memory. In order to obtain this crucial information, it is possible to modify the iPhone in such a way that the applications will dump core files when they crash. This is accomplished by adding the file /etc/launchd.conf containing the line “limit core unlimited” to the iPhone using iPhoneInterface. Core files can be retrieved off the iPhone from the /cores directory, again using iPhoneInterface.

In order to generate valid opcodes for the iPhone, we first installed a Linux x86 to ARM cross compiler. This would compile our ARM assembly to bytecode which we could then extract into shellcode. Besides not having a debugger, developing iPhone shellcode also presented other challenges. Since we didn’t have access to an ARM processor with a debugger, we had absolutely no real way to test the shellcode besides trying it and using the core files obtained.

That’s pretty much where I gave up on trying to go at this on my own. ISE actually has two hacks for the iPhone: one collects data and the other can actually make your phone do whatever they want (dial, ring, whatever). That’s all I got, but anyone is welcome to give iPhone hacking a whirl. All the files are linked up there.
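The one step in the ISE excerpt that you can actually try at home without the iPhone is “compile ARM assembly with a cross compiler, then extract the bytes into shellcode.” The script below is an added example written for this page, not ISE’s code (their payload isn’t public until Black Hat). It assumes GNU objdump output (address, tab, opcode column, tab, mnemonic), and the two listings inside it are hand-written samples. The part worth knowing is that objdump prints each ARM instruction as one 32-bit value, so `e3a00001` lands in memory as `01 00 a0 e3`; the script byte-swaps multi-byte units, handles x86-style per-byte listings the same way, and then flags NUL/CR/LF so you find out before the exploit does that `svc 0` hands you three null bytes.

```python
"""Extract shellcode bytes from an `objdump -d` listing and check for bad bytes.

Added example, not ISE's code. It assumes GNU objdump output (address, tab,
opcode column, tab, mnemonic); the sample listings below are hand-written.
"""
import re

ADDR_RE = re.compile(r"^\s*[0-9a-fA-F]+:$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: what an ARM cross objdump prints for four real ARM
# instruction encodings (mov/mov/add/svc). objdump shows each instruction
# as one 32-bit *value*, so e3a00001 sits in memory as 01 00 a0 e3.
ARM_LISTING = """\
payload.o:     file format elf32-littlearm

Disassembly of section .text:

00000000 <_start>:
   0:\te3a00001 \tmov\tr0, #1
   4:\te3a01002 \tmov\tr1, #2
   8:\te0802001 \tadd\tr2, r0, r1
   c:\tef000000 \tsvc\t0x00000000
"""

# Constructed x86 sample: here objdump prints individual bytes in memory order.
X86_LISTING = """\
00000000 <_start>:
   0:\t31 c0                \txor    %eax,%eax
   2:\t90                   \tnop
"""


def extract_opcodes(listing: str, little_endian: bool = True) -> bytes:
    """Return the instruction bytes from an objdump -d listing in memory order.

    Each whitespace-separated token in the opcode column is one unit: a single
    byte (x86), a 16-bit Thumb halfword or a 32-bit ARM word. Multi-byte units
    are printed by value, so they are byte-swapped for a little-endian target.
    """
    out = bytearray()
    for line in listing.splitlines():
        parts = line.split("\t")
        # Symbol labels, section headers and blank lines have no tab-separated
        # "addr:" column and are skipped.
        if len(parts) < 2 or not ADDR_RE.match(parts[0]):
            continue
        for tok in parts[1].split():
            if not HEX_RE.match(tok) or len(tok) % 2:
                raise ValueError(f"unexpected token in opcode column: {tok!r}")
            unit = bytes.fromhex(tok)
            out += unit[::-1] if little_endian and len(unit) > 1 else unit
    return bytes(out)


def find_bad_bytes(shellcode: bytes, bad: bytes = b"\x00\x0a\x0d") -> dict:
    """Map each forbidden byte value to the offsets where it appears.

    NUL, LF and CR are the usual killers for a payload that travels through a
    C string or an HTTP header; the ARM `svc 0` encoding ef000000 contributes
    three NULs on its own.
    """
    return {b: [i for i, v in enumerate(shellcode) if v == b]
            for b in bad if b in shellcode}


def as_c_string(shellcode: bytes) -> str:
    """Render the bytes as a C string literal for pasting into an exploit."""
    return '"' + "".join(f"\\x{b:02x}" for b in shellcode) + '"'


if __name__ == "__main__":
    sc = extract_opcodes(ARM_LISTING)
    print(len(sc), "bytes:", as_c_string(sc))
    print("bad bytes at:", find_bad_bytes(sc))
```

Run it on the output of your own `arm-…-objdump -d payload.o` instead of the sample and read the bad-byte report before you bother with the core files: a NUL at offset 1 means the payload was truncated before it ever ran, which looks identical to “the shellcode is wrong” when all you have is a crash log.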

Now on to InfoSecSellOut’s “Rape.osx”. To start, it is supposed to be a worm deployed via Safari. From what securityfocus.com says, it seems to be based on mDNSResponder (yes, click to download). All I can find out about it is that ISSO (InfoSecSellOut) was able to download a text file using their exploit. However, in reading the white paper for the iPhone hack, I saw that the real problem with Mac OS X (pick one) security is that all applications are run as “root” or with “admin” privileges. So that means that once you are in a Mac OS X machine, you can do whatever you want.

NOTE: Many Linux OSes use mDNSResponder as well, so be on the lookout. However, most people do know not to log in as root on their Linux machine, right?

I have no code, no apps, nothing on rape.osx other than the code for mDNSResponder. I do have some code for the first Mac virus, the Leap.A virus, as well as some other info I gathered in order to further the purposes of writing worms/viri/malware for Mac OS X.

DOWNLOAD HERE: MAC_osX_Malware_Data_Sourc_codes_papers..zip

The file contains the following:

macosxhacklist

As for the Win32 version of Safari, what were people thinking?!?!? Porting what is essentially an open source Mac app to Windows? Yeah, no one is going to hack that. Stick to Firefox with all the JS, Flash, ad, popup, bad-shit-blocking extensions you can shake a stick at.

And that’s all she wrote for now folks.

Keep on keepin on hackers of all hats. I’ll keep you updated.

*Sources – Noted and linked throughout the article, excepting VX CHAOS FILE SERVER where I get ALL my super sweet viri source codes and all the best viri, malware, trojans, RATs, you name it and AZAG has got it!!





Linux Command Line Reference Card – PDF Download

7 06 2007

Linux Command Line Tips – From PixelBeat will whisk you away to a really helpful list/table of Linux commands that are good to have on hand. Note: the commands with the bullet or DOT in front of them are safe to cut and paste into your console. I made a quick PDF of the HTML table so everyone can have a copy even when you’re not connected to the net.

DOWNLOAD: Linux_Command_Ref-Sheet.pdf

And yes, I first saw the link on Lifehacker. I wish they had more Linux articles. I just made the switch myself and Lifehacker has little to offer in the way of Linux. Oh well. Thanks for the info though!!

Of course all credit goes to the peeps over at http://www.pixelbeat.org for making a great ref card for us n00bs ;)

Good On Ya M8s!!

I’ll repost the table after the jump so anyone can cut and paste into their own document.





How To: Export Video From Your Set-Top Box To Your Mac via Hackszine.com

5 06 2007

This hack is so simple I am humbled to stupidity in its presence.

Follow the link to see the extremely brief and easy to follow tutorial with download links!!

HERE: How To: Export Video From Your Set-Top Box To Your Mac [via] Hackszine.com

Enjoy, you macheads you!!





Breaking News: Leetupload.com Viri and Exploit Database is Up and Running!!!

4 06 2007

For all those who haven’t been following the progress of leetupload.com, let’s just say that it’s a repository for everything hacktastic that has ever or will ever exist on the net. For those who have been following leetupload, and signed up to be a member, the viri and exploit db is ready to plunder!!!

NOTE: If you haven’t signed up for membership and you feel all left out and benchwarmery inside, follow this link: http://www.leetupload.com/signup_form.php

On to the good news!!

Here’s the email I got today (with a couple edits for my sake):

The database of Virii and Exploits is finally up! This is a proud day for leetupload.com.

If the first time you load the database is slow, just give it some time. From thereafter, it should be smooth sailing.

In other news: As of yet, we currently have 503 members, so keep them coming!

To login, click here: http://www.leetupload.com/login.php And then select which database you prefer; “Exploits” or “Virii.”

I thank you, the community, for supporting leetupload.com, and hope that all of you enjoy the database.

Oh we will more than enjoy the new database, leetupload!! We will wallow in it like a gamer wallows in their newly opened Wii, or some other such person or thing that enjoys wallowing in something kewl!!

Thanks leetupload!!

For those of you who haven’t signed up to be a member, I highly suggest you do so immediately. Sign up for both the DB and the Forums so you can feel all cool and shit!! CLICKY to sign up





On, “45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2”: *THE* HD Key To Rule Them All?

31 05 2007

So, this key, the one in the title, appears to be the key to rule all HD DVD keys. Or is it? It was actually posted May 23rd on Freedom To Tinker, in a comment?!?!? Yeah, you can use it as the key to decrypt a lot of new HD discs, but will it end any need to work further on cracking AACS craptastic codes? (Note this is the new HD key, not the one that was widely published and all fuxxored on d!gg.)

My only other source is this forum: DOOM9

Moving on, because this key was supposedly found one day after it was “put into action” by the powers that be, I’m gonna explore how the key was so rapidly extracted.

First, I’m gonna guess, just for shits and giggles. Perhaps someone simply brute forced a prefab “wordlist” of 16-value hex number sets? Since I refuse to go HD (either format) I have no way of really knowing if this is even plausible, cause I can’t test it out myself. I also don’t have an XBOX 360 with the external HD-DVD drive handy to experiment with either. So it’s fair to say that my first inclination is a pure shot in the dark… or is it? (see arnezami’s method of finding a Volume ID later on in the post)

Second, I’ll ask Google. Well… so far it’s not an answer, but it appears that someone bought this domain: http://455fe10422ca29c4933f95052b792ab2.com/ …which is funny as hell cause there is no content, it’s just pure net real estate hilariousness.

But let’s dig deeper, shall we? Let’s plug this hint “uv=00000047”, from the comment by BtCB, into Google. (pause for effect)

Okey dokey, now we are in business. It would appear that a curious fellow who goes by the name arnezami over at the DOOM9 FORUMS has some simple instructions on how to grab a Volume ID for HD-DVD. And it follows:

Finding the Volume ID

How did I find the Volume ID?

There are essentially two ways (now). I used the USB sniffer (with the xbox 360 HD DVD) because I knew I didn’t have to bother with the (possibly obscured/wiped) memory of the software player.

  1. Download USB sniffer 1.8 then unzip and start it.
  2. Select the “USB Mass Storage Device” (I use the xbox 360 HD DVD drive) and click install.
  3. Unplug the HD DVD drive (the usb cable) and replug it again. It will be recognized by windows and the sniffer starts logging.
  4. Insert the Disc into the drive while the sniffer is.. well, sniffing. Then start WinDVD and immediately quit when the video (even the first black screen) starts. Then click ‘Close’ on the sniffer.
  5. You now have a huge log file (60+ MB or something). Open it in WinHex (pressing F7 for ascii only) and search for the ascii string (not hex search!) “00000000: 00 22 00 00” including the spaces (but excluding the quotes of course ).
  6. There was only one occurrence of this in the whole file. So it has to be the Volume ID. Tata!

Btw: I used WinDVD but the above should also work for other players.

A different method (but less reliable I think) is to use WinDVD’s memdump.

  1. Open WinDVD’s memdump in WinHex
  2. Hex search (with WinHex) for 002200004000 or alternatively 0020202020200000. **
  3. There you will (usually) find the Volume ID. But I’m not sure this will always work. There may be more than one occurrence. You can check if the last 16 bytes (of the 36 beginning with 0022) are random since that would have to be the MAC. If it’s not random you haven’t found it yet so you should go on searching until you do.

arnezami

PS. Almost forgot: make sure you remove the last 16 bytes from the Volume ID log (which is the MAC) like I did in my first post. This is because in theory they might be able to track down your drive with that part… (you don’t want that). The Volume ID itself is for everybody the same (with the same movie) so that won’t reveal anything about yourself.
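Step 5 of the sniffer method, the “are the last 16 bytes random” check from the memdump method, and the PS about stripping the MAC all boil down to one small bit of parsing, so here it is as a script. This is an added example written for this page, not arnezami’s tool or anything from the DOOM9 thread. It assumes the sniffer log contains hex-dump lines shaped like the string arnezami searches for (“00000000: 00 22 00 00 …”), reads the record the way his post describes it (36 bytes starting 00 22 00 00, the last 16 being the MAC, so bytes 4 to 19 are the Volume ID), and the sample log inside it is constructed, including a decoy record with a zeroed tail to show the randomness check doing its job.

```python
"""Pull the AACS Volume ID out of a USB sniffer log and strip the per-drive MAC.

Added example, not arnezami's tool. It assumes the log contains hex-dump lines
of the form "00000000: 00 22 00 00 ..." (the string the post searches for) and
reads the record the way the post describes it: 36 bytes starting 00 22 00 00,
of which the last 16 are the MAC. The sample log below is constructed.
"""
import re

DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{8}:\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

# 0x0022 = 34 bytes follow (2 reserved + 16-byte Volume ID + 16-byte MAC),
# giving the 36-byte record arnezami searches for.
RECORD_HDR = b"\x00\x22\x00\x00"
RECORD_LEN = 36

# Constructed sniffer log excerpt, not a real capture: a decoy record whose
# tail is all zeros, an unrelated transfer, then the record we actually want.
SAMPLE_LOG = """\
[constructed sniffer log excerpt, not a real capture]
URB 12 DIR_IN BULK
00000000: 00 22 00 00 41 41 41 41 41 41 41 41 41 41 41 41
00000010: 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 00 00 00 00
URB 13 DIR_OUT BULK
00000000: 55 53 42 43 0D 00 00 00 24 00 00 00 80 00 0C A4
URB 14 DIR_IN BULK
00000000: 00 22 00 00 11 22 33 44 55 66 77 88 99 AA BB CC
00000010: DD EE FF 10 9B 5E 7A 21 C4 03 8D F6 E2 4B 7F A9
00000020: 13 6C D8 50
"""


def hexdump_blocks(log_text: str):
    """Yield each contiguous run of hex-dump lines as one byte string."""
    block = bytearray()
    for line in log_text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            block += bytes.fromhex("".join(m.group(1).split()))
        elif block:
            yield bytes(block)
            block = bytearray()
    if block:
        yield bytes(block)


def looks_random(tail: bytes, min_distinct: int = 10) -> bool:
    """arnezami's sanity check, made mechanical: a real MAC has many distinct
    byte values, whereas zero padding, ASCII or a repeated filler does not."""
    return len(set(tail)) >= min_distinct


def find_volume_id(log_text: str):
    """Return (volume_id, mac) for the first plausible record, or None.

    Candidates whose 16-byte tail fails the randomness check are skipped, so a
    stray 00 22 00 00 elsewhere in the dump is not reported as the Volume ID.
    """
    for block in hexdump_blocks(log_text):
        pos = block.find(RECORD_HDR)
        while pos != -1:
            rec = block[pos:pos + RECORD_LEN]
            if len(rec) == RECORD_LEN and looks_random(rec[20:]):
                return rec[4:20], rec[20:]
            pos = block.find(RECORD_HDR, pos + 1)
    return None


def shareable(volume_id: bytes) -> str:
    """What is safe to post: the Volume ID alone, never the drive-specific MAC."""
    return " ".join(f"{b:02X}" for b in volume_id)


if __name__ == "__main__":
    found = find_volume_id(SAMPLE_LOG)
    if found is None:
        print("no plausible Volume ID record in log")
    else:
        vid, _mac = found  # the MAC stays on disk, it never goes in the post
        print("Volume ID:", shareable(vid))
```

Point it at the real 60+ MB log instead of the sample and the only thing it prints is the Volume ID; the MAC is deliberately dropped before anything is output, which is the whole point of arnezami’s PS. The distinct-byte threshold is a rough heuristic, not a proof, so if it reports nothing, lower `min_distinct` and eyeball the candidates rather than trusting the first hit.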

Seems like a plan, but if you look further you can just use these little apps posted in the same forums by a person named ape:

hddvd_vukeyfinder.zip and for Blu Ray use bdkeyfinder.zip

But wait there’s more…

Well here is something to play with.

fetchvid.exe

For me it works with WinDVD (which is the most sensitive I believe) and the Xbox 360 HD DVD. My sweet spot is a time value between 390 and 420. I usually set it at 410 which works perfectly (btw time is measured in nr of AGID retrieval attempts counted from the moment the player accesses the drive).

Just try it and play with it a bit.

Remember: this program does not use the private key. It just “watches” the drive carefully and then pretends to be the software player.

It works for HD DVD only atm.

Screenshot:

Regards,

arnezami

PS. This is experimental programming. There could be bugs in it.

And that is all she wrote folks. Yes, this is the latest key to rule them all for AACS DRM craptakery, and that was a little peek into how it was uncovered. There should be HUGE applause for arnezami et al. for all the hard work they did. Just reading everything really gave me a pretty solid grasp of how AACS Encryption/DRM works. Congrats to all the peeps at DOOM9 who worked very hard on getting all this info together. All credit goes to them.

Of course SOMEBODY had to make some money off of all arnezami, BtCB and the rest of DOOM9′s hard work, and it looks like slysoft has borrowed arnezami and friends’ cracking methods to offer AnyDVD HD, which will rip almost any HD DVD or Blu-ray Disc without you having to do a damn thing. I wonder if at least arnezami is getting a cut of the profits? One lives in hope.

Anyhew, none of this is native to Linux, but you can probably run most of it in WINE or convert the C++ apps to Python. Since AnyDVD doesn’t REALLY rip any HD disc, you might even consider just using the methods used by arnezami and the apps he and his friends over at DOOM9 created.

I made a little software pack for everyone so you don’t have to download everything separately, except the slysoft app of course: HDandBDcrakingFiles.rar

Big Ups To All That Showed Big Hollywood That DRM is Useless.

Keep information free,

TheRealDonQuixote

As it turns out you  don’t need to do a damn thing because according to

Follow the Jump to find arnezami’s sweet description of AACS encryption, if you want to understand everything that is…








