Mine the Harvest

So I checked out the X Bash 09 and it was pretty cool. Its an annual music/art festival, sort of Burning Man-esque, held at a clothing optional resort north of Tampa.

Highlights where:

* Randy’s Burning Man camp (OBE: Our of Body Experience) and his mobile art cars. One was a golf cart with a tropical themed bed (with parasol) all around it – so he could drive his bed around Burning Man. He was a cool guy and lit up his large camp dome at night with spinning floral patterns.

* A glass artist who made really beautifully patterned pieces (mostly pipes). The coloration and patterns where awesome. He did demonstrations too – while naked – which was a trip (mind that torch!)

* There were several bands and DJs but the two I found most interesting where Syncrisis and Professional Astronauts. Syncrisis played a good set, they had a good developed sound and I liked the style. Professional Astronauts sounded pretty similar to System of a Down – it was hillarious when they played “Arabian Nights” from Disney’s Aladin – you can imagine how that sounded. Both were well recieved by the crowd and you can catch them playing around the Tampa scene.

* There were some dancers after the bands who danced during DJ Chaos’ set – pretty fun to watch. One was dressed like a mange she-devil, etc.

I had hoped there would be more artists there as it seems like a great alternative venue for attracting them, but unfortunately I only saw a few (there were likely others there on other days as it was a 3 day event.)

The event was hosted by Xanthia,  she was very nice and showed me a new painting she was working on and had some other pieces around, but was not there to display her work in particular but host the event in general. Her studio is there as well and she is an artist in several media. She has some pretty cool stuff and you can check it out at:

The annual event is hosted  at  naturlist resort (The Riverboat Nudist Resort) and is clothing optional.  The croud was predominately in their 20s and 30s, with some older and youger as well. Most people were clothed, but the idea is all about self expression so many were partially or fully unclothed as well.  There was a bubble pit that got going later on and lots of people seemed to like that – it would have a dozen or so people in it at any time, and it is just behind the dance floor in front of the stage. Super sticky bubbles are hard not to like.

This was a pretty cool event and with a bit more promotion could be huge. The have camping facilities and many spaces where artists or groups to get together to do their own thing. It was great having the bands and DJs there, and it would be great to see more artists display there.

It seems we are  always reading  update notes saying:

“Fixed a potential buffer overrun condition which if exploited could result in the attacker executing arbitrary code and possibly escalating privileges.”

These exploits are extremely common, and of course patches and updates to correct such are equally common, regardless of the OS platform.

I of course had a generalized understanding of how these exploits worked – but I’ve recently decided to really dive in and greatly increase my knowledge in this area. A superficial understanding was no longer sufficient and I wanted to not only understand better, I wanted to learn how to leverage such exploits with hands on hacks.

So – I armed myself with some material, starting with “Hacking:  The Art of Exploitation” by Jon Erickson loaned by a colleague. As it turned out the first edition of this book was published in 2003. Since then there have been many changes in both gcc and recent versions of the 2.6 kernel that greatly improve stack security. Thus the sample code in the book is no longer capable of simply being compiled and executed to achieve the desired result.

I ended up learning just as much getting the first exploits to work correctly in more modern distros as from the text itself. But its all part of the educational process and I certainly understand the current kernel and gcc operations a bit better. And I was able to make the first lessons work.

Making Old Hacks Work

The best way I found to get the code to compile and run as intended was to use an older OS and Kernel in Virtual Box. I installed a basic install of Ubuntu 6.06 and used that. The 6.2.15 kernel it had allowed the exploits to run, if you tweaked it.

By disabling randomize_va_space in /proc/sys/kernel and by compiling with an earlier version of gcc (3.3 and 4.0) the results were achieved:

The exploit is a simple one, but a classic. It simply rewrites the return address by over flowing the buffer, taking control of the execution flow of the program that calls it and directing it to run a snip of shellcode. The shellcode is a self contained piece of assembly that spawns a shell. Because the program that is called is an suid root program, and runs as root, a root shell is opened.  (Note there are several suid binaries installed on most systems and a similar exploit against any of them could potentially achieve the same.)

The source for the two programs for this exploit can be found here and here.
(Ensure vuln is owned by root and has the suid bit set with chmod +s)

To Learn More

I recommend the new second edition of Hacking The Art of Exploitation by No Starch Press, which you can review here.  The new version looks like it takes more modern compiler and kernel design into account and has expanded content as well.

Current GCC and Kernel Operation

Note that more recent versions of gcc (4.2 and higher I believe) compile with stack protection enabled by default. To compile without use:

user@system:~/$ gcc-4.3  -fno-stack-protector -o exploit exploit.c

Also, you may find reading up on stack protection and the following kernel options to be helpful:

root@paracelsus-laptop:~/hacking# cat /proc/sys/vm/mmap_min_addr
0
root@paracelsus-laptop:~/hacking# cat /proc/sys/vm/vdso_enabled
0
root@paracelsus-laptop:~/hacking# cat /proc/sys/kernel/randomize_va_space
0

A while back when Linux Mint 6 XFCE (based on Ubunut Intrepid) was released and reviewed on The Linux Action Show I thought of what a good platform it could be for the OLPC. (The Linux Action show is a great pod cast by the way!) I had previously installed Ubuntu Hardy on the OLPC, but the extras the Linux Mint guys added to XFCE sounded pretty cool. Especially considering I am thinking of giving the OLPC away to someone who is a newer Linux user, having Mint as the OS was pretty appealing. And oh, my old Hardy install was utterly nuked on the SD card anyway – who knows. I might have tried to recover the partition tables with TestDisk, etc. but really – who cares. Time for a new OLPC adventure anyway!

In fact I had hardly touched my OLPC in nearly a year, since buying my Acer Aspire One – which I really love. And although the Aspire One is obviously far better performance wise, there are certain characteristics of the OLPC that I really like, such as:

Monochrome Screen Mode: This is absolutely awesome. The screen back light turns completely off saving big time power. Sunlight goes through the LCD and is reflected off a panel, making the screen extremely readable in direct sunlight. It is really fantastic and I wish ALL netbooks had this feature. It is hard to describe how legible it is, even in harsh direct light.

Battery Life: Especially when running in monochrome mode, battery life is quite good.

Mesh Networking: Interesting stuff – and oh, the wireless net supports injection. Hacking opportunities for kids the world round.

Case Design: Everything folds up to protect ports. Integrated carrying handle.

Open Firmware: Yea, it’s kind of different and fun to play with. Similar to the Open Firmware in the pre-Intel Macs, but far more fun than that was. Since we will be seeing a lot more systems using Open Firmware in the future it is good to play with it now. By by BIOS – you served us well.

Philosophy: Providing technology that would otherwise be unavailable to kids in remote places does not at all seem like a bad idea to me.

HAM Radio: I am thinking the OLPC, with the above features, seems a perfect candidate to use with packet radio. Communicate with friends after the coming apocalypse. Run it for years, and never worry about the back light burning out – you don’t need it.

(As a note: It was great seeing a few people recently at Toorcamp with their OLPCs – I saw two or three there, as well as two OLPC billboards on the trip to Seattle.)

Okay – enough extolling the OLPC virtues. How to install Linux Mint on it.

How to Install Linux Mint 6 XFCE on the OLPC

0) Pre-install Steps

0) First off, you do not need to go through exotic hoops to get this to work. Some guys have had success installing Mint onto an SD card first and then installing Hardy over the top of it and ended up with a working Mint install. Using the following method you can simply install Mint and it should work fine. (If you do want to install a vanilla Hardy, I would highly recommend using this method using compressed files instead.)

00) I suggest you update the OLPC firmware and Fedora base OS before installing Mint. Simply connecting to a wireless network and running #olpc-update as root will download all updates and update the firmware as well. (Have it pluged into AC or the firmware upgrade will be skipped.) BE PATIENT – the upgrade rsyncs several hundred megs over your wireless connection. It takes a very long time.

(continue reading…)

So a few weeks ago I found this nifty utility to create a Fedora persistent live USB stick and thought I would give it a go tonight.

It runs in a simple GUI interface and lets you select the amount of space to dedicate to persistence. You can also choose which version of Fedora to install and it will grab the needed .iso automatically – which is very nice. All in all, it looked pretty cool. And it apparently will work on the OLPC too, which is also nice.

The site describes it as:

“The liveusb-creator is a cross-platform tool for easily installing live operating systems on to USB flash drives. Works in Windows and Linux!”

Well, by “cross-platform” they apparently mean “this works if you are using Fedora already or Windows.” If you are using another Linux distro, you will encounter a few issues as it depends on some packages that are installed by default in Fedora and often are not available in other distro’s repositories.

Here is how I got this to work under Suse 11.1 The same general points may apply to other distros as well, and you will likely have to find the packages from your favorite sites – fortunately there are not many required.

How to make it work:

The README says to install python-qt4 so start with that if you don’t already have it.

Download, upzip and run liveusb-creator. Select your version of Fedora to install and the USB drive to install to. It will download the matching .iso to the working directory.

What follows are the various fixes I used for each new issue as it turned up. Note that you don’t have to download the .iso again on subsequent attempts, but you may rather browse to it – it puts .iso’s in the working directory the utility runs from.

(continue reading…)

(You can find the first post here with a bit more info.)

After the Toorcamp officials negotiated it out, the owner (collectively known as Mr. Ass-Wee-Pay) finally allowed access to the missile silo today. This made a huge difference in the whole experience at Toorcamp. Otherwise, as my brother so perfectly put it, the event was a bit like:

“Come to a hacker fest at an abandoned nuclear silo!*”

(*Silo not included)

Fortunately all this changed today, and the site was fully opened to workshops, talks and tours. Way to go Toorcamp guys!

It was utterly awesome. While camping on the surface was pretty un-enjoyable with the extreme dust and heat, the silo was completely different. The temperature was easily 25-30 degrees F less in the silo. In fact you could only stay about 2 hours before you would become uncomfortably cold and want to return to the surface. Good thing I thought ahead enough to bring a fleece pull over to the desert!

I took many, many pictures of the silo and will cull a few of the best for this blog post, and others can be found on my gallery.

The Titan Missile Silo:

The entrance was a steel and concrete hatch easily a foot think. It was propped up (literally) on supports, themselves not bolted down. The ingress / egress safety briefing included strict instructions not to touch the hatch in any way. Think of a rabbit trap made out of a box and you get the idea.

You then proceeded down a very narrow passage and flight of stairs, forcing a single person to enter. This was engineered to allow a guard to be able to hold back any number of people attempting to infiltrate the entrance. A 10 year old with a slingshot could defend this entrance.

After this, at about 20 feet down you entered the main lift tower. The elevator of course was long since removed, so you descended the five flights of stairs – sturdy and steel plated until you arrived at the bottom of the lift and the main entrance. Here tunnels ran off in four directions. Two lead immediately into the control and power domes.

The power dome (above) was massive, originally housing the generators. A section of the ceiling of this dome had been opened (after being excavated) to allow access to the facility and removal of the generators and other equipment. All other parts of the facility are still completely buried. The moss growing is due to the ceiling being open to the sky.

(Just click below to read more.)

(continue reading…)