Archive for October, 2010

Port-knocking Backdoor

October 21, 2010 3 comments

In this post I’ll explain how to build a *nix backdoor that uses a “port knocking” scheme: if we “knock” on a sequence of TCP ports chosen in advance, the program opens a backdoor for us (and only for us :) ).
How does the “port knocking” scheme work? The attacker chooses a particular sequence of packets to send to a compromised server on which the backdoor is running. When the backdoor program receives exactly that sequence, it gives the attacker a shell on the server.
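Seen from the defender’s side, the same scheme leaves a recognisable trace: a burst of connection attempts from one source to several closed ports within a few seconds. The following Python is an added example, not code from the post; it parses constructed iptables-style log lines and flags sources that show that pattern. The log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of iptables LOG output: dropped SYNs to
# ports nothing listens on. A short burst of them from one source, each to a
# different closed port, is the knock pattern a defender wants to surface.
SAMPLE_LOG = """\
Oct 21 10:00:01 srv kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=7000 SYN
Oct 21 10:00:02 srv kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=8000 SYN
Oct 21 10:00:02 srv kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=23 SYN
Oct 21 10:00:03 srv kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=9000 SYN
Oct 21 10:00:04 srv kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=9000 SYN
Oct 21 10:15:00 srv kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+) SYN"
)

def parse_line(line, year=2010):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def find_knock_sequences(log_text, min_ports=3, window_s=30):
    """Map each source that hit at least min_ports distinct closed ports within
    window_s seconds to the ordered list of ports it touched in that window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ts, src, dpt = rec
            hits[src].append((ts, dpt))
    suspects = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [p for t, p in events[i:] if (t - t0).total_seconds() <= window_s]
            ports = list(dict.fromkeys(in_window))  # distinct ports, first-seen order
            if len(ports) >= min_ports:
                suspects[src] = ports
                break
    return suspects

if __name__ == "__main__":
    for src, ports in find_knock_sequences(SAMPLE_LOG).items():
        print(f"possible knock sequence from {src}: {ports}")
```

The second source in the sample touches only two ports a quarter of an hour apart and is therefore not reported; real deployments would tune the window and port threshold to the host’s normal scan background.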

Smashing the stack in 2010 (improved)

October 15, 2010 Leave a comment

In this brief post I will show you the improvements I have made to “Smashing the stack in 2010”. First of all I have expanded the bibliography, both to help readers learn and delve deeper and to give credit to other researchers for their work. Then I have rewritten the section “Write an exploit” in the Windows part, because the previous version lacked clarity; I hope it is now suitable for a newbie. Last but not least I have added a new part called “Real Scenario” in which we analyze real exploits: to gain real and useful knowledge it is important to be able to analyze a real attack, even when it is complex and sophisticated. In the report I have analyzed in detail CVE-2010-0249 (the Operation Aurora exploit) and CVE-2010-2883 (the Adobe CoolType SING table exploit); they are good examples of attacks through memory corruption vulnerabilities. I know there are already a lot of analyses, especially of CVE-2010-2883, but we know the paradigm “learning by doing” :) Anyway, if you want to read other good work I suggest the following: VUPEN (a great analysis!) and jduck (on the Metasploit blog).

Smashing the stack in 2010 (improved): download

Table of contents (of the new part):

IV Real Scenario 75
8 Attacks and memory corruption 75
9 Memory corruption in practice 76
10 Examples of real attacks 77
10.1 Theory: Heap Spraying 77
10.2 CVE-2010-0249 – Internet Explorer 6, 2010 – Graziano 78
10.3 CVE-2010-2883 – Adobe Acrobat Reader, 2010 – Graziano 84

As usual, feel free to contact me to ask questions, give feedback, point out an error, or just to chat; you can also find me on IRC (channel #hacklab, or #corelan on freenode) :)

Happy hacking!! (again :P )

Bash http_proxy: from a user environment to sudo one

October 14, 2010 8 comments

Hi. Sometimes you can’t connect directly to the Internet because you have to go through a proxy (for example, in a work environment).
Have you ever had to set up an HTTP proxy in a Linux shell in order to, say, download a new package or manually update your distribution with a package manager?
If so, you need to be a superuser. If you use the “sudo” command, you will probably stumble across the inability to export variables from the user environment to the “sudo” one.

Categories: Bash, GNU/Linux

Win32 API: Passing Socket with IPC method

October 13, 2010 1 comment

Hi. In this post I explain how to correctly pass a socket created in a parent process to a child process on Microsoft 9x systems.
If you have ever written a multi-process concurrent server in a Unix environment, you may have noticed that passing the socket from the parent to the child process happens directly: the child inherits its parent’s variables, including the file descriptor associated with the socket.
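As an added illustration of the Unix behaviour the post contrasts with Win32 (this is not code from the post), the following Python forks a child that talks over a socket it never created itself: the descriptor table is copied at fork(), so no explicit hand-off is needed. The socketpair() and the message format are assumptions made for the demo.

```python
import os
import socket

def inherit_socket_demo():
    """Fork a child and let it answer over a socket only the parent opened.
    Returns (bytes the parent read, True if the child saw the same fd number)."""
    parent_end, child_end = socket.socketpair()
    child_fd = child_end.fileno()          # the descriptor number as the parent knows it
    pid = os.fork()
    if pid == 0:
        # Child: both sockets already exist in our descriptor table, copied at
        # fork(); we just drop the end we do not need and use the other one.
        try:
            parent_end.close()
            child_end.sendall(b"hello from child fd %d" % child_end.fileno())
            child_end.close()
        finally:
            os._exit(0)   # never fall through into the parent's code path
    # Parent: close its copy of the child's end so recv() returns EOF rather
    # than blocking forever if the child dies before writing.
    child_end.close()
    data = parent_end.recv(1024)
    parent_end.close()
    os.waitpid(pid, 0)   # reap the child; avoids leaving a zombie behind
    return data, data == b"hello from child fd %d" % child_fd

if __name__ == "__main__":
    payload, same_fd = inherit_socket_demo()
    print(payload.decode(), "| same descriptor number in child:", same_fd)
```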


Hello World! – Brain mode

October 12, 2010 5 comments

Hi. How can we write a “hello world!” in brain mode?
When we want to greet someone, the brain is activated and selects as a greeting a phrase known to us: in our case, “hello world!”.

Categories: Bullshit, C/C++

Ricoh Drivers for Ubuntu 10.10

October 12, 2010 Leave a comment

If you try to compile the r5u870 driver for Ricoh webcams under Ubuntu 10.10 the build will fail, due to a recent renaming of some functions in the Linux kernel.

In particular:

usb_buffer_alloc() is renamed to usb_alloc_coherent()
usb_buffer_free() is renamed to usb_free_coherent()

For more information:

To avoid this problem, apply this substitution in the usbcam_util.c file, which can be found here: ttp://

Categories: GNU/Linux

Something about AMQP

October 11, 2010 Leave a comment

If you haven’t heard anything about Enterprise Messaging, I suggest you read the related Wikipedia article. In this article I will introduce the Advanced Message Queuing Protocol (AMQP) and some of its concepts.

First of all, why talk about AMQP? Because it is the first open standard for Enterprise Messaging. In an enterprise environment integration is necessary and an open solution is needed, especially because such a solution should be usable from any language and platform; JMS doesn’t do this very well because of its Java dependence and its license terms: a JMS-like interface cannot legally be provided for non-Java platforms.

Continuing with AMQP, it supports the following kinds of message distribution:

  • Store-and-forward with many writers and one reader
  • Transaction distribution with many writers and many readers
  • Publish-subscribe with many writers and many readers
  • Content-based routing with many writers and many readers
  • Queued file transfer with many writers and many readers
  • Point-to-point connection between two peers

This standard is designed to have a small and modular model, so its task is split into two main roles, Exchange and Message queue. This choice makes three main features available:

  • The ability to create arbitrary exchange and message queue types
  • The ability to wire exchanges and message queues together to create any required message-processing system
  • The ability to control this completely through the protocol.

A Message queue is a storage entity: it can store messages in memory or on disk and must deliver messages to consumer applications. It is described by some properties:

  • private or shared
  • durable or transient
  • permanent or temporary

The standard does not directly define entities such as a Store-and-Forward queue or a Pub-Sub queue; these entities are created through the Message queue’s attributes.

The Exchange entity takes messages from producer applications and routes them to Message queues according to criteria called “bindings”. Bindings are therefore the relationship between Exchanges and Message queues.

These are the basic concepts you need to know about the AMQP model. In the next post I’ll introduce you to Qpid, an Apache software project that fully implements this standard, and we’ll try it with some source code examples.
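To make the Exchange / binding / Message queue split concrete, here is an added in-memory model (my own example, not Qpid or any AMQP implementation) that shows how the two distributions the article names, store-and-forward and publish-subscribe, fall out of the same Exchange plus differently configured queues. The ‘direct’ and ‘fanout’ routing rules and the queue names are assumptions for the demo.

```python
from collections import defaultdict, deque

class MessageQueue:
    """Storage entity described by the attributes the article lists."""
    def __init__(self, name, shared=True, durable=False, temporary=False):
        self.name, self.shared = name, shared
        self.durable, self.temporary = durable, temporary
        self._messages = deque()   # in-memory only; a durable queue would also persist to disk
    def put(self, msg):
        self._messages.append(msg)
    def get(self):
        return self._messages.popleft() if self._messages else None

class Exchange:
    """Routes producer messages to queues according to its bindings. 'direct'
    delivers to queues bound with the exact routing key, 'fanout' to every bound queue."""
    def __init__(self, kind):
        self.kind = kind                      # "direct" or "fanout"
        self._bindings = defaultdict(list)    # routing key -> [queues]
    def bind(self, queue, key=""):
        self._bindings[key].append(queue)
    def publish(self, key, msg):
        if self.kind == "fanout":
            targets = [q for qs in self._bindings.values() for q in qs]
        else:
            targets = self._bindings.get(key, [])
        for q in targets:
            q.put(msg)
        return len(targets)   # 0 means the message was unroutable and is dropped here

def demo():
    # Store-and-forward: many writers, one shared durable queue, one reader.
    work = Exchange("direct")
    jobs = MessageQueue("jobs", shared=True, durable=True)
    work.bind(jobs, "job")
    for i in range(3):
        work.publish("job", f"task-{i}")
    lost = work.publish("no-such-key", "dropped")   # no binding matches
    drained = [jobs.get() for _ in range(3)]
    # Pub-sub: fanout exchange and one private temporary queue per subscriber.
    news = Exchange("fanout")
    subs = [MessageQueue(f"sub-{n}", shared=False, temporary=True) for n in range(2)]
    for q in subs:
        news.bind(q)
    news.publish("ignored-key", "breaking")
    return drained, [q.get() for q in subs], lost

if __name__ == "__main__":
    print(demo())
```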

Debian Release Name

October 9, 2010 Leave a comment

Hi. Today I learned about the relationship between the names of the Debian releases and the names of the characters in “Toy Story”, so I want to explain it to you.
The names of the Debian releases come from “Toy Story”, the famous Pixar film (link). This has been true since release 1.1, released in 1996. By that time, Bruce Perens had taken over leadership of the Project from Ian Murdock, and Bruce was working as a system programmer at Pixar.

Categories: Bullshit, GNU/Linux

inet_ntop() for Win32

October 9, 2010 3 comments

About 4 years ago I did a little project for the Operating Systems 2 class. I had to write an application capable of handling multiple file transfers on both Win32 and Linux. While coding the socket side of the application I ran into an awkward problem: why the hell does Win32 not have a compatible implementation of inet_ntop()?

Only recently, for Vista and 7, has Microsoft introduced the InetNtop() function:

If you have to write something that also needs to run on XP (which still seems to be the most used operating system among home users), just try this code :)

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <ws2tcpip.h>

/* inet_ntop() replacement for Win32 built on WSAAddressToStringA(). Only AF_INET
   is handled: src must point to a 4-byte IPv4 address and dst must hold at least
   cnt bytes. Returns dst on success, NULL on error. WSAStartup() must already have run. */
const char* inet_ntop(int af, const void* src, char* dst, int cnt)
{
	struct sockaddr_in srcaddr;
	DWORD len = (DWORD) cnt;   /* WSAAddressToString takes an in/out DWORD length */

	if (af != AF_INET) {       /* sockaddr_in cannot carry an IPv6 address */
		WSASetLastError(WSAEAFNOSUPPORT);
		return NULL;
	}
	memset(&srcaddr, 0, sizeof(struct sockaddr_in));
	memcpy(&(srcaddr.sin_addr), src, sizeof(srcaddr.sin_addr));
	srcaddr.sin_family = (short) af;   /* sin_port stays 0, so only the address is printed */
	if (WSAAddressToStringA((struct sockaddr*) &srcaddr, sizeof(struct sockaddr_in),
	                        NULL, dst, &len) != 0) {
		DWORD rv = WSAGetLastError();
		printf("WSAAddressToString() : %lu\n", (unsigned long) rv);
		return NULL;
	}
	return dst;
}

Timeout on Named Pipes

October 8, 2010 1 comment

Hi. In this post I will show you how to make a named pipe with a timeout using the Win32 API; the MSDN manual doesn’t explain how to do it.
Named pipes are an IPC method by which we can send data to another process (such as a child process).