EXIF and PHP exploitation – The Truth

Introduction

After reading through a couple of tutorials describing the ease with which PHP can be included directly from the EXIF data within a JPEG image, I became suspicious. Surely my eyes deceive me? Is this a late April Fools’? My first port of call was Google – which provided me with a wealth of information on EXIF functions from within PHP, but very little regarding this particular vulnerability.

There was nothing for it… time to jump in and see what the fuss was about!

I’m back (almost!)

The end of this week marks the completion of another academic year… hurrah! During this time of intense study, the blog has been a tad neglected in terms of updates and content. I’ve also completely forgotten the rules of English grammar and how to spell…

Nevertheless, in coming weeks expect a barrage of all things geeky (I warned you!) and dust off your PS3 for some Yellow Dog Linux demoing. In the meantime, I leave you with news that old people are being tamed by their smaller and (probably more able) feline counterparts:

MUSH!!

No time!? (in more ways than one!)

With impending exams threatening to destroy what little sanity I have left, I take a few moments to find satisfaction in the knowledge that even the best sometimes get it wrong. The past is littered with disasters that resulted from human oversight, the Titanic being a prime example. I wonder if it is unfair of me to draw a parallel between WordPress 2.5 and the doomed sea vessel?

While the latest incarnation of WordPress comes with a flashy new interface, the ability to automatically update plugins over the web and lots of nice developer tidbits, it was slow … as … ASS! I’ve installed wp-cache but this does little to help alleviate the page load stress on each request. Let’s hope 2.5.1 is around the corner 🙂

2.5.1 Has touched down!

In other news, I’m drafting some articles on web development, Facebook applications, EXE loaders as alternatives to patching and if I get time – some notes from my adventure with YDL on my PS3!

‘Hiding’ information using ADS

Introduction

This tutorial will explore the potential for using ‘Alternate Data Streams’ (ADS) to store information on an NTFS partition. All of the steps detailed below can be accomplished directly from within Windows.

Theory

Files act as pointers to physical data on a storage medium; they are a convenience, a way of managing information on a computer as discrete units. It should be this fantastically simple – one pointer for one file – but it seems Microsoft had other ideas…

Macintosh computers use a different file system from Windows computers. It was decided that NTFS should be able to emulate some aspects of the Mac file system to improve file compatibility. As a result, it is possible to ‘attach’ data to a file in a way that is not visible to users (oh dear!).

Getting your hands dirty

  1. Load up a command-prompt Window (Start->Run->’cmd’).
  2. Create a file to run this demonstration on. In the console type: echo Hello, World! > test.txt.
    (The file ‘test.txt’ now contains 16 bytes of information. This is the default data stream)
  3. In the console, enter type test.txt to show the information in ‘test.txt’.
  4. Let’s hide some data! In the console type echo I am hidden! > test.txt:hidden.txt. Notice the colon (:) – this is very important!
  5. If you repeat step 3, you should only see ‘Hello, World!’ printed to the console. Check the properties of the file using Windows Explorer and you’ll arrive at the same conclusion: the file still contains only 16 bytes. You could even enter type test.txt:hidden.txt to try and see the text in ‘hidden.txt’, but it will return an error. Where the hell has the information you just entered gone?
  6. To reveal the contents of ‘hidden.txt’, type more < test.txt:hidden.txt in the console, et voila – the magically disappearing information has made a miraculous reappearance!
  7. The file ‘hidden.txt’ is now linked with ‘test.txt’. You could say that ‘test.txt’ is acting as a pointer to two data streams. Furthermore, if you copy ‘test.txt’ to another folder – ‘hidden.txt’ is copied with it!
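The same demonstration in PowerShell, followed by the check a defender actually wants: a function that lists every file under a folder carrying a stream other than the default one. This is an added example, not code from the original post; it assumes an NTFS volume, PowerShell 3.0 or later (for the -Stream parameters), and the working folder under %TEMP% is an arbitrary choice.

```powershell
# Added example: reproduces the test.txt:hidden.txt steps above, then audits a folder.
# Assumes NTFS and PowerShell 3.0+; the folder under $env:TEMP is an assumption.

$work = Join-Path $env:TEMP 'ads_demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'test.txt'

# Default ($DATA) stream, same as: echo Hello, World! > test.txt
Set-Content -Path $file -Value 'Hello, World!'

# Named stream, same as: echo I am hidden! > test.txt:hidden.txt
Set-Content -Path $file -Stream 'hidden.txt' -Value 'I am hidden!'

# Explorer, 'dir' and .Length only report the default stream's size
(Get-Item $file).Length

# Enumerate every stream on the file; the default stream is listed as ':$DATA'
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Read the named stream back, same as: more < test.txt:hidden.txt
Get-Content -Path $file -Stream 'hidden.txt'

function Find-AlternateDataStream {
    <#
    Defender's check: list every file under $Root that carries a stream other
    than the default ':$DATA'. Zone.Identifier is a benign and very common
    stream (Windows uses it to mark downloaded files), so it is excluded
    unless -IncludeZoneIdentifier is given.
    #>
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Should list test.txt with its 'hidden.txt' stream
Find-AlternateDataStream -Root $work

# Clean-up: a single stream can be removed without deleting the file...
Remove-Item -Path $file -Stream 'hidden.txt'
# ...and deleting the file itself removes every stream attached to it.
Remove-Item -Path $work -Recurse -Force
```

Run Find-AlternateDataStream against a download folder or a web root to see how common named streams are in practice before treating any one of them as suspicious; copying a file to a FAT or exFAT volume, or sending it over most network protocols, silently drops the extra streams, which is why the copy-to-another-folder behaviour in step 7 only holds between NTFS locations.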

Conclusion

The above is a basic demonstration of how ADS can be used to store hidden information. The article at governmentsecurity.org goes on to explore how an executable could be hidden within a file too. I’ve written a small batch file that attaches a user-defined message to itself (using ADS) and presents it using notepad. To remove the hidden file, you can either try the method suggested at gov.sec. or just delete the batch file itself!

Download files

ads_demo.rar – extract and run.

A faster object in_array() for PHP 5

This is a fast and effective way of finding an object in an array.

As of PHP v5.2.2 objects do not have a default response to being cast to (string). To make this tutorial work with newer PHP builds, use spl_object_hash() in place of string casting.

Introduction

When a new object is created in PHP it is assigned an internal numeric id value. The only way to destroy an object (thereby deleting its internal id) is to unset() or nullify (=NULL) all references to the object from within the script. It follows that when an object is destroyed, PHP will fill the lowest id available for the next object. For example: if objects with ids 4, 5 and 6 exist – by destroying 5, the next two objects created in PHP will have id 5 and then id 7!

These rules can be exploited to provide a much faster object in_array()!

Theory

Comparison of multidimensional objects will almost always be more processor intensive than string comparison. It occurred to me that a great deal of time could be saved by identifying objects in an array as strings. However, conventional approaches using serialize() tend to exacerbate the problem further as the function itself is quite slow. The following is the proposed function with a demo on how it could be implemented.


<?php
/***
The proposed object_in_array function.
***/
function object_in_array($needle, $haystack) {
	/***
	Arguments:
		(object) $needle - The object being searched for.
		(array) $haystack - The array containing objects.

	The original used (string)$in to obtain each object's id; since
	PHP 5.2.2 objects have no default string conversion, so
	spl_object_hash() is used instead (see the note above). The
	deprecated create_function() has been replaced with a closure.
	***/
	$stringArray = array_map(function ($in) { return spl_object_hash($in); }, $haystack);
	$objectString = spl_object_hash($needle);
	return in_array($objectString, $stringArray, TRUE);
}

/***
Prepare an object needle.
***/
$needleObject = new stdClass;

/***
Prepare a sample array including the
needleObject.
***/
$objectArray = array(
	new stdClass,
	new stdClass,
	new stdClass,
	$needleObject
);

/***
Uncomment the block below to perform
an analysis of a much larger array.
***/

/*
for ($i = 0; $i < 50000; $i++) {
	$objectArray[] = new stdClass;
}
$objectArray[] = $needleObject;
*/

/***
Start time-stamp
***/
$timeStamp = get_micro_time();

/***
NOTE: The print() function is included
in the time analysis as it doesn't contribute
much to the overall time required.
***/
print(object_in_array($needleObject, $objectArray) ? "Found!\n" : "Not found!\n");

/***
End time-stamp and display. microtime() returns
seconds, so the difference is in seconds, not ms.
***/
$timeStamp = round(get_micro_time() - $timeStamp, 6);
print("Search duration: $timeStamp s\n");

/***
Auxiliary timing function. Sorry,
I can't remember where I got this function
from or I would credit the author! Google it :-p
***/
function get_micro_time() {
	list($microSec, $sec) = explode(" ", microtime());
	return ((float)$microSec + (float)$sec);
}

The above can be further optimised (clean-up the temporary array, etc.) but serves to show how the array can be copied, recast and used as a search reference for objects. Modification of the above to use the conventional in_array() or foreach() looping drastically increases the duration of the search! With very little modification to the code, the function could even return the object directly and retain the same array processing speed.

A footnote…

I had previously toyed with the idea of using a single array, casting the objects to strings and storing these as the key for each item (then using array_key_exists() ). If you’re not too worried about using the array keys / don’t use them to store useful data, this latter method can be ten-fold faster than the above example!

Google Syntax Highlighter background-colour bugfix

I found the background for each line of code wasn’t expanding to fit the scroll-area properly when a wide piece of code was being viewed. This has been declared as an official bug and the workaround suggested by brucknerite works nicely.
I have made a few tweaks to his fix so that it displays properly on WordPress. I’ve attached the culprit files to the end of this post.

Download files

shcore.js – upload to /scripts
syntaxhighlighter.css – upload to /styles

* Having trouble getting shCore.js to compress using DEP. It’s probably just a simple syntax niggle, so I will investigate this when I’m less busy!

Write console text to a file (Windows cmd.exe)

Writing directly from the Windows command line to a file might not be something you need to do very often. The famous black and white console is better suited to serving system commands and file operations than being a stand-in for notepad. However, it is sometimes useful to have the option of writing multiple lines of text to a file directly from the trusty prompt.

Method One

This is suitable for creating/overwriting a file with multiple lines of text.

copy con SOME_FILE.txt
Type your text here
You can even have multiple lines!

When finished, press CTRL+Z to confirm your action (or CTRL+C to cancel) and ENTER.

If you want to append some text instead of overwriting it completely, follow as above but using:

copy SOME_FILE.txt + con

Method Two

Open up the command prompt and type:

echo SOME TEXT > SOME_FILE.txt

This method creates/overwrites SOME_FILE.txt with the text you entered before the >. It is only suitable for entering a single line of text into a file.

As with method one, it is possible to append text using >> instead of > in the command.

The Easter bunny needs… BLOOD!

That dreaded time of the year has rolled around again! The merriment of the new year stretches back in the vastness of time and examinations fester themselves in thought, like some kind of unstoppable malignant force. With your future dependent on the outcome of sadistically timetabled exams, it is no wonder students gorge themselves on chocolate over Easter…

The blog still has pitifully low content, I am resolving this by drafting several C.I.Y projects, hacks and the like. Hopefully I’ll have some of them in a fit state to post this week, but if coursework and revision prove overwhelming – I might roll them back to next week and do a proper bit of quality control 😉

In the meantime, be careful over this *dangerously stressful* period (hehe!) and remember, don’t let the bunny bite!

Teeths… I has them!

Fixing Google Syntax Highlighter for WordPress

After installing the aforementioned plugin, I soon discovered the CSS was not being applied correctly! It turned out that in my particular version of WordPress, the default style.css file contained ‘more specific’ CSS selectors than the plugin. This led to the highlighted code looking weird… so I fixed it!

This is a 30 second hack – open the default style.css file and search: html>body .entry ul and html>body .entry li removing the html>body part from each.

Open the ‘SyntaxHighlighter.css’ file for the plugin and change the .dp-highlighter ol li.alt entry to look like this:

.dp-highlighter ol li.alt
{
	background-color: #fff;
	border-top: 0px;
	border-bottom: 0px;
}

Spoof your network adapter MAC address under Windows

Overriding (or spoofing) your NIC / network adapter MAC address can be immensely useful for a number of reasons when using your PC on a large network. In essence you’re creating a new identity for your box and any limitations associated with your previous MAC will no longer affect you! This tutorial will introduce some of the currently existing programs that can automate MAC address spoofing for you, as well as the necessary registry modifications to perform the task manually.

I came across MadMACs some time ago and it has become an invaluable part of my portable network security. Recently I’ve been looking to see what else is out there and found Mac MakeUp which provides a number of advanced features (integration with Wireshark, IP networking options, etc.) and has a straightforward graphical interface.

Both programs have been tested thoroughly and work a treat, but if you feel the only way to do a job properly is to do it yourself, then here is the step by step to DIY MAC spoofage:

  1. Click Start->Run and enter ‘regedt32’ (no ‘ marks) to start up the registry editor.
  2. Find the key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

    and you should have a list of 4 digit subkeys (0000, 0001, 0002 etc.)
  3. Leaving the registry editor window open, go to Start->Run and enter ‘cmd /k net config rdr’ (no ‘ marks).
  4. The console should list your PC and network details. Find the text next to NetBT_Tcpip (the bit that looks like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}), right click the console and select ‘Mark’, drag over the whole of that text (including the braces) and then press CTRL+C to copy it to the clipboard.
  5. Go back to the registry editor and click on the first subkey (i.e. 0000).
  6. Click menu Edit->Find (or press CTRL+F). Paste in the text from the console and click ‘Find next’.
  7. It should return a result very quickly (if not – you’ve done something wrong!).
  8. Right click anywhere on the right hand side pane apart from on one of the listed items and choose ‘New->String’. Give the value the name ‘NetworkAddress’ (case sensitive, no ‘ marks) then simply double click it and enter a new MAC address!
  9. Reboot your machine and enjoy!
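The flip side of the steps above is knowing when they have been applied to a machine you administer. The following added example (not code from the original post, nor from MadMACs or Mac MakeUp) reads the same class key and reports every adapter that has a NetworkAddress override set, then cross-checks the live adapter list against the burned-in address. It assumes PowerShell 3.0 or later; the Get-NetAdapter cross-check needs Windows 8 / Server 2012 or later and the MAC-format normalisation it does is an assumption about how that cmdlet prints the two addresses.

```powershell
# Added example: read-only audit of MAC overrides. Assumes PowerShell 3.0+;
# Get-NetAdapter is only available on Windows 8 / Server 2012 and later.

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Get-MacAddressOverride {
    <#
    Walks the 4-digit subkeys (0000, 0001, ...) of the network adapter class key.
    A 'NetworkAddress' value present on a subkey means the driver has been told
    to use that MAC instead of the one burned into the hardware (step 8 above).
    #>
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                SubKey         = $_.PSChildName
                Driver         = $p.DriverDesc
                InstanceId     = $p.NetCfgInstanceId   # the {GUID} located in steps 4-6
                NetworkAddress = $p.NetworkAddress     # $null when no override is set
            }
        }
}

# Registry view: every adapter, with the override column filled in where one exists
Get-MacAddressOverride | Format-Table -AutoSize

# Only the overridden ones, which is what an audit script would alert on
Get-MacAddressOverride | Where-Object { $_.NetworkAddress }

# Live view: an adapter whose current MAC differs from its permanent (burned-in)
# address is running with an override, whichever tool or method set it.
# Assumption: MacAddress prints as 00-11-22-33-44-55 and PermanentAddress as
# 001122334455, so the dashes are stripped before comparing.
if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
    Get-NetAdapter |
        Where-Object {
            $_.PermanentAddress -and
            (($_.MacAddress -replace '-', '') -ne $_.PermanentAddress)
        } |
        Select-Object Name, InterfaceDescription, MacAddress, PermanentAddress
}
```

Run it from an elevated prompt so every subkey is readable. Because the registry value only takes effect after the adapter is restarted (the reboot in step 9), the two views can legitimately disagree for a short window; an override that appears in the registry but not yet in Get-NetAdapter is the usual sign that it was set very recently.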

For more information, check this Wikipedia article on MAC addresses.