Wednesday, September 30, 2009

unixdump UNIX-socket sniffer available

Update:
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)

Ok, its finally avail here.

Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.

Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?

Tuesday, September 29, 2009

When const really means const

Who cares about const? Its never enforced anyways!?

Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.


Tuesday, September 22, 2009

GCC -fmudflap

Programs compiled with -fmudflap are given protection by GCC
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:

...
case viol_gdb:

snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...


Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)

Monday, September 21, 2009

Small improvement for inotify

The inotify tool got a small improvement yesterday, so you
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)

Monday, September 14, 2009

un-evil code

I had incredible dl statistics for gc.cc (see last posting). Even
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.

Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.




Friday, September 4, 2009

C++ local_scope<> template

If you write a lot of code (and I know, some of the readers
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)

If you like C++, you can have a look here to avoid
all these problems.

You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as

local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);

and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.