Friday, October 26, 2012

SQLite3 class in Python

For my work, I created a class using sqlite3 to manipulate a database:

#!/usr/bin/env python3
import sqlite3, sys

class database:
    'Database sqlite3 class'
    # NOTE: every method below builds its SQL by concatenating the caller's strings.
    # A value such as  x' OR '1'='1  becomes part of the statement (SQL injection),
    # so only trusted input may be passed in; use ? placeholders for values in real code.
    def __init__(self, name):
        self.name = name
        self.create_database()
    def create_database(self):
        # connect() creates the database file if it does not exist yet
        self.conn = sqlite3.connect(self.name)
        self.c = self.conn.cursor()
    def query(self, query):
        # run a statement that changes data and commit it
        try:
            r = self.c.execute(query)
            self.conn.commit()
            return r
        except sqlite3.Error as e:
            print("Error %s:" % e.args[0])
            sys.exit(1)
    def query2(self, query):
        # run a SELECT and return all rows
        try:
            self.c.execute(query)
            r = self.c.fetchall()
            return r
        except sqlite3.Error as e:
            print("Error %s:" % e.args[0])
            sys.exit(1)
    def literal(self, value):
        # render an int or str as an SQL literal for the concatenated statements below;
        # anything else used to be silently dropped, now it is an error
        if type(value) is int:
            return str(value)
        if type(value) is str:
            return "'" + value + "'"
        raise TypeError("only int and str values are supported: %r" % (value,))
    def check_table_exists(self, table_name):
        re = self.query2("SELECT name FROM sqlite_master WHERE type='table' AND name='"+table_name+"'")
        if (len(re) > 0):
            return True
        else:
            return False
    def insert_table(self, table_name, data):
        sql = "INSERT into "+table_name+" values ("
        for item in data:
            sql = sql + self.literal(item) + ","
        sql = sql[:-1] + ")"
        self.query(sql)
    def get_row(self, table_name, key, value):
        sql = "SELECT * FROM "+table_name+" WHERE "+key+"="+self.literal(value)
        re = self.query2(sql)   # was db.query2: 'db' is not defined inside the class
        return re
    def delete_row(self, table_name, key, value):
        sql = "DELETE FROM "+table_name+" WHERE "+key+"="+self.literal(value)
        self.query(sql)         # was db.query, same fix
    def update_row(self, table_name, key, kvalue, nkey, nvalue):
        sql = "UPDATE "+table_name+" SET "+nkey+"="+self.literal(nvalue)
        sql = sql + " WHERE "+key+"="+self.literal(kvalue)
        self.query(sql)
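The class above splices every value straight into the SQL text, so a value like x' OR '1'='1 changes the query instead of being compared as a string. What follows is an added example for this page, not the class from the post: the same operations written with sqlite3's ? placeholders for values, plus a strict allow-list check for table and column names (identifiers cannot be bound as parameters, so they have to be validated instead). vulnerable_lookup repeats the concatenation used by get_row so both can be run against the same payload; the users table, its rows and the payload are constructed for the demo.

```python
import re
import sqlite3

# Table/column names cannot be bound as parameters, so they are checked against a
# strict pattern and double-quoted instead of being spliced in raw.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_TYPES = {"INTEGER", "TEXT", "REAL", "BLOB"}


def _ident(name):
    if not _IDENT.match(name):
        raise ValueError("refusing unsafe identifier: %r" % (name,))
    return '"' + name + '"'


class SafeDatabase:
    """Same operations as the class above, but every value travels as a ? parameter."""

    def __init__(self, name=":memory:"):
        self.conn = sqlite3.connect(name)
        self.c = self.conn.cursor()

    def create_table(self, table_name, columns):
        # columns: list of (name, type) pairs; both halves are allow-listed
        cols = []
        for col_name, col_type in columns:
            if col_type.upper() not in _TYPES:
                raise ValueError("unsupported column type: %r" % (col_type,))
            cols.append("%s %s" % (_ident(col_name), col_type.upper()))
        self.c.execute("CREATE TABLE %s (%s)" % (_ident(table_name), ", ".join(cols)))
        self.conn.commit()

    def table_exists(self, table_name):
        rows = self.c.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name=?",
            (table_name,)).fetchall()
        return len(rows) > 0

    def insert_row(self, table_name, data):
        placeholders = ", ".join("?" for _ in data)
        self.c.execute("INSERT INTO %s VALUES (%s)" % (_ident(table_name), placeholders),
                       tuple(data))
        self.conn.commit()

    def get_rows(self, table_name, key, value):
        return self.c.execute(
            "SELECT * FROM %s WHERE %s = ?" % (_ident(table_name), _ident(key)),
            (value,)).fetchall()

    def delete_rows(self, table_name, key, value):
        self.c.execute("DELETE FROM %s WHERE %s = ?" % (_ident(table_name), _ident(key)),
                       (value,))
        self.conn.commit()
        return self.c.rowcount

    def update_rows(self, table_name, key, kvalue, nkey, nvalue):
        self.c.execute(
            "UPDATE %s SET %s = ? WHERE %s = ?" % (_ident(table_name), _ident(nkey), _ident(key)),
            (nvalue, kvalue))
        self.conn.commit()
        return self.c.rowcount


def vulnerable_lookup(db, table_name, key, value):
    """The concatenation used by get_row above: the value becomes part of the SQL."""
    sql = "SELECT * FROM " + table_name + " WHERE " + key + "='" + value + "'"
    return db.c.execute(sql).fetchall()


def demo():
    """Constructed sample data; returns (concatenated result, parameterised result)."""
    db = SafeDatabase()
    db.create_table("users", [("id", "INTEGER"), ("name", "TEXT")])
    db.insert_row("users", (1, "alice"))
    db.insert_row("users", (2, "bob"))
    payload = "x' OR '1'='1"   # nobody is named this; concatenation returns every row anyway
    return vulnerable_lookup(db, "users", "name", payload), db.get_rows("users", "name", payload)


if __name__ == "__main__":
    concatenated, parameterised = demo()
    print("concatenated:", concatenated)
    print("parameterised:", parameterised)
```

The identifier check is the part people forget: a placeholder protects the value, but a table name taken from the request still needs the allow-list, otherwise `users; DROP TABLE users` goes straight into the statement.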

------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.  

Python - Multithread to read one file

Today I am working with Python. I need to write a script that reads one file line by line and hands each line to one of a pool of worker threads (10 threads in total). I wanted a solution, so I chose to work with threads and a queue.
In Python, each thread is given the queue when it is created and works from it. We put the data (in this case, one line at a time) onto the queue; the threads read from the queue, so all of them can consume one file without overlapping :D

import threading
import queue

# Number of worker threads
n_thread = 5
# Create the shared work queue
work = queue.Queue()

class ThreadClass(threading.Thread):
    def __init__(self, work_queue):
        threading.Thread.__init__(self)
        # Give this thread the queue it will work from
        self.queue = work_queue

    def run(self):
        while True:
            # Take the next job (one line of the file) from the queue
            host = self.queue.get()
            print(self.name + ":" + host)
            # Signal to the queue that this job is done
            self.queue.task_done()

# Create the worker threads
for i in range(n_thread):
    t = ThreadClass(work)
    # Daemon threads do not keep the process alive after the queue has been joined
    t.daemon = True
    # Start thread
    t.start()

# Read the file line by line and put each line on the queue
with open("hosts.txt", "r") as hostfile:
    for line in hostfile:
        work.put(line.rstrip("\n"))
# Wait on the queue until everything has been processed
work.join()
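One thing the script above does not handle: if a worker raises while handling a line, task_done() is never called and queue.join() blocks forever, and the daemon threads are simply killed when the process exits. The version below is an added example written for this page, not the post's script: the same queue-and-worker pattern, with task_done() in a finally block, one None sentinel per worker so the threads exit cleanly instead of being daemonised, and the results collected in the original line order. The parse_host_port worker and SAMPLE_LINES are constructed for the demo; any iterable of lines, such as an open file, can be passed as lines.

```python
import queue
import threading


def process_lines(lines, worker, n_workers=5):
    """Hand each line to one of n_workers threads through a queue.

    Returns a list with one entry per input line, in input order: the worker's
    return value, or the exception it raised for that line.
    """
    work = queue.Queue()
    results = {}
    lock = threading.Lock()

    def run():
        while True:
            item = work.get()
            try:
                if item is None:            # sentinel: no more work for this thread
                    return
                idx, line = item
                try:
                    value = worker(line)
                except Exception as exc:    # keep the failure, do not kill the worker
                    value = exc
                with lock:
                    results[idx] = value
            finally:
                work.task_done()            # always called, even when worker() raised

    threads = [threading.Thread(target=run, name="worker-%d" % i)
               for i in range(n_workers)]
    for t in threads:
        t.start()

    count = 0
    for idx, line in enumerate(lines):
        work.put((idx, line.rstrip("\n")))
        count += 1
    for _ in threads:
        work.put(None)                      # one sentinel per worker
    for t in threads:
        t.join()                            # clean shutdown instead of daemon threads
    return [results[i] for i in range(count)]


def parse_host_port(line):
    """Example worker: 'host port' -> (host, port); raises on a malformed line."""
    host, port = line.split()
    return host, int(port)


# Constructed sample input standing in for hosts.txt (note the blank line)
SAMPLE_LINES = ["10.0.0.1 22\n", "10.0.0.2 443\n", "\n", "10.0.0.3 80\n"]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, process_lines(SAMPLE_LINES, parse_host_port, 3)):
        print(repr(line.rstrip("\n")), "->", result)
```

Keeping the exception as the per-line result means one bad line in a host list (the blank line in the sample) is reported instead of silently hanging the whole run.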


Wednesday, October 10, 2012

Format String Attacks to maniplulate information anywhere in memory

By abusing programs that misuse printf and related functions, an attacker can read arbitrary memory and write to arbitrary memory locations, and so take complete control of the victim process.
The right way: printf("%s", buffer);
The wrong way: printf(buffer);
If a program is written the "wrong" way, the attacker can put conversion specifiers into the input and they are interpreted as the format string.
So the attacker can print memory, including the stack. An easy way to see it:

#include <stdio.h>

int main(void)
{
    char user_input[100];
    char buffer[100];
    int x = 1;

    /* get user input */
    if (fgets(user_input, sizeof user_input, stdin) == NULL)
        return 1;

    /* <==== Oh, forgot the format string: the user input is interpreted as the format */
    snprintf(buffer, sizeof buffer, user_input);
    return 0;
}

If the attacker enters "%x %x %x" as user_input, the call becomes snprintf(buffer, sizeof buffer, "%x %x %x"); and buffer now contains the next three words of the stack printed in hex, so the stack can be read.
But memory can also be rewritten. If the attacker enters "\xde\xad\xbe\xef%d%n", the call becomes snprintf(buffer, sizeof buffer, "\xde\xad\xbe\xef%d%n");

When snprintf is called, the stack looks like this:

Bottom of Memory
-------------------------------------------
| Return Pointer        |
-------------------------------------------
| Pointer to Buffer        |
-------------------------------------------
| sizeof buffer        |
-------------------------------------------
| Pointer to user_input     |
-------------------------------------------
| int x ( value 1)        |
-------------------------------------------
| buffer ( 100 char)        |
-------------------------------------------
...
-------------------------------------------
| Value to change          |
-------------------------------------------

The characters \xde\xad\xbe\xef are written to the output string; they form the address of the value to change.
Bottom of Memory
-------------------------------------------
| Return Pointer        |
-------------------------------------------
| Pointer to Buffer        |
-------------------------------------------
| sizeof buffer        |
-------------------------------------------
| Pointer to user_input     |  <= \xde\xad\xbe\xef%d%n
-------------------------------------------
| int x ( value 1)        |
-------------------------------------------
| buffer ( 100 char)        |
-------------------------------------------
...
-------------------------------------------
| Value to change          |
-------------------------------------------

They are copied into buffer, so the first 4 bytes of buffer become deadbeef, the address of the value to change (the post writes the bytes in reading order; on a little-endian x86 the attacker supplies them reversed, \xef\xbe\xad\xde, so that the 4-byte word reads as 0xdeadbeef).
Then, because of the "%d", the value of x (the number 1) is written into buffer after them:
-------------------------------------------
| Return Pointer        |
-------------------------------------------
| Pointer to Buffer        |
-------------------------------------------
| sizeof buffer        |
-------------------------------------------
| Pointer to user_input     |  <= \xde\xad\xbe\xef%d%n
-------------------------------------------
| int x ( value 1)        |
-------------------------------------------
| buffer ( 100 char) = deadbeef|
| value of x (1)        |
-------------------------------------------
...
-------------------------------------------
| Value to change          | <= 0xdeadbeef here
-------------------------------------------

snprintf then sees "%n". %n makes it write the number of characters printed so far, in this case 5 (4 bytes of the address plus 1 for the value of x). But where does it write? Into the memory pointed to by its next argument.
The "%d" already consumed x, so the next argument is the next word up the stack: the first 4 bytes of buffer, which now hold deadbeef. So the count is written to address deadbeef, the value we wanted to change:
-------------------------------------------
| Return Pointer        |
-------------------------------------------
| Pointer to Buffer        |
-------------------------------------------
| sizeof buffer        |
-------------------------------------------
| Pointer to user_input     |  <= \xde\xad\xbe\xef%d%n
-------------------------------------------
| int x ( value 1)        |
-------------------------------------------
| buffer ( 100 char) = deadbeef|
| value of x (1)        |
-------------------------------------------
...
-------------------------------------------
| value 5             | <= 0xdeadbeef here
-------------------------------------------

So we have just written the number 5 into memory location 0xdeadbeef. A real exploit steers the count with width specifiers (for example %200d) and aims several %n writes at consecutive bytes of a return address or function pointer, which is how the attacker ends up controlling the process.
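To make the argument walk concrete, here is an added example written for this page (a toy model, not the post's code and not a real exploit): a small Python emulator of a 32-bit snprintf(buffer, sizeof buffer, fmt) that consumes one stack word per conversion, stores its output into buffer as it goes, and implements %n. The stack layout follows the diagrams above (x in the first argument slot, buffer right after it); the addresses are made up. On a little-endian x86 the target address is supplied with its bytes reversed, so the payload is \xef\xbe\xad\xde%d%n. safe_call runs the fixed-format version snprintf(buffer, sizeof buffer, "%s", user_input) for comparison, with the pointer to user_input placed in the argument slot as the compiler would.

```python
import struct

WORD = 4  # 32-bit stack slots, as in the diagrams above

# Toy addresses chosen for the demo (not from the post)
X_ADDR = 0xbffff100              # int x: the stack slot right after the format argument
BUFFER_ADDR = X_ADDR + WORD      # char buffer[100] sits just above it
BUFFER_SIZE = 100
USER_INPUT_ADDR = 0xbffff200     # char user_input[100]
TARGET_ADDR = 0xdeadbeef         # the "value to change"


class Memory:
    """Sparse, byte-addressable memory; untouched bytes read as 0."""

    def __init__(self):
        self.cells = {}

    def read(self, addr, n):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read_word(self, addr):
        return struct.unpack("<I", self.read(addr, WORD))[0]

    def write_word(self, addr, value):
        self.write(addr, struct.pack("<I", value & 0xffffffff))

    def read_cstring(self, addr):
        out = bytearray()
        while self.cells.get(addr, 0):
            out.append(self.cells[addr])
            addr += 1
        return bytes(out)


def model_snprintf(mem, buf_addr, size, fmt, vararg_addr):
    """Emulate snprintf(buffer, size, fmt, ...) on a 32-bit stack.

    Each conversion consumes one word starting at vararg_addr, whether or not the
    caller actually passed an argument there; output is stored into buffer as it
    is produced, so a later conversion can read what an earlier one wrote.
    """
    out = bytearray()
    arg = vararg_addr

    def next_arg():
        nonlocal arg
        value = mem.read_word(arg)
        arg += WORD
        return value

    i = 0
    while i < len(fmt):
        if fmt[i:i + 1] != b"%":
            out += fmt[i:i + 1]
            i += 1
        else:
            spec = fmt[i + 1:i + 2]
            i += 2
            if spec == b"%":
                out += b"%"
            elif spec == b"x":
                out += b"%x" % next_arg()
            elif spec == b"d":
                out += b"%d" % struct.unpack("<i", struct.pack("<I", next_arg()))[0]
            elif spec == b"s":
                out += mem.read_cstring(next_arg())
            elif spec == b"n":
                # %n: store the number of bytes produced so far at the int* argument
                mem.write_word(next_arg(), len(out))
            else:
                raise ValueError("unsupported conversion %r" % (spec,))
        mem.write(buf_addr, bytes(out[:size - 1]) + b"\x00")   # buffer filled as we go
    return bytes(out)


def vulnerable_call(user_input):
    """snprintf(buffer, sizeof buffer, user_input): no varargs, so x is read as one."""
    mem = Memory()
    mem.write_word(X_ADDR, 1)                     # int x = 1
    mem.write(USER_INPUT_ADDR, user_input + b"\x00")
    model_snprintf(mem, BUFFER_ADDR, BUFFER_SIZE, user_input, X_ADDR)
    return mem


def safe_call(user_input):
    """snprintf(buffer, sizeof buffer, "%s", user_input): the input is only data."""
    mem = Memory()
    mem.write(USER_INPUT_ADDR, user_input + b"\x00")
    mem.write_word(X_ADDR, USER_INPUT_ADDR)       # the real vararg: pointer to user_input
    model_snprintf(mem, BUFFER_ADDR, BUFFER_SIZE, b"%s", X_ADDR)
    return mem


# The post's payload, with the target address in little-endian byte order
PAYLOAD = struct.pack("<I", TARGET_ADDR) + b"%d%n"

if __name__ == "__main__":
    print("after vulnerable call, word at 0x%08x = %d"
          % (TARGET_ADDR, vulnerable_call(PAYLOAD).read_word(TARGET_ADDR)))
    print("after safe call, word at 0x%08x = %d"
          % (TARGET_ADDR, safe_call(PAYLOAD).read_word(TARGET_ADDR)))
```

In the vulnerable run the %d eats x and the %n lands on the word the payload itself placed at the start of buffer, exactly the walk in the diagrams; in the safe run the same bytes are only copied. Compilers flag the vulnerable call when built with -Wformat-security.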

