Dec 27, 2011

What the hell is "NetCut" doing and how to prevent

NetCut is a program that will help you disconnect other computers in the same subnet of an ethernet network. You can download the program from this link: NetCut.
In this post I will describe the technical detail about NetCut and how to prevent this kind of program/attack.

I. Technical Detail About NetCut:
NetCut use a simple technique called "ARP poisoning" or sometimes called "ARP spoofing". It is a attack technique usually used to trigger an Man In The Middle attack. Before introducing the ARP poisoning, we have to know what is ARP.
ARP is the abbreviation of Address Resolution Protocol. According to wiki, "ARP is a protocol used for resolution network layer address to link layer address." That is, ARP will map the IP address of a machine to it's MAC address.
Consider the following LAN from Fig. 1:

<figure 1> Local Area Network Example

Now If Alice want to send a Packet to Bob, Alice machine will check if the MAC address of IP is exist in the ARP cache table. If it is not exist in the table, it will broadcast a ARP request asking for the MAC address of While Bob's machine receive the broadcast message, it will reply it's MAC address to Alice. Fig. 2 shows the communication process.

<figure 2> ARP communication process

After knowing the ARP, it's time to introduce the "ARP poisoning attack". Consider the following condition. What if Evil reply the ARP request before Bob when Alice broadcast the ARP request. In this scenario, Alice's machine will think that the MAC address of IP is 00:00:00:00:00:03(MAC address of Evil), instead of 00:00:00:00:00:04(MAC address of Bob). Therefore, Alice will send the packet to Evil instead of Bob.Fig. 3 shows the process of this attack.

<figure 3> ARP posioning attack
What if Evil send the ARP reply with a non-exist MAC address of the gateway, then Alice's machine will become a DoS condition. This is how NetCut disconnect other computer in the same subnet.

II. Prevention of ARP poisoning:
The best way to prevent your computer being poisoned is use a static ARP instead of dynamic. In both windows and linux system, there is a command called arp which can let you check the arp cache table and moreover change the dynamic table into static.
You can also installed some application such as arpwatch in unix and Xarp-v2 in winodws to defense this kind of attack.

III. reference website:
ARP and ICMP redirection
arp-spoofing wiki

Dec 26, 2011

What can you do when linux is not responding

Linux is a very stable system compare to windows(:P). However even it is very stable, it will still crash sometimes.
So what can you do if the system is crashed.

1. go to the tty:
Sometimes, it is the graphic mode crash but the linux kernel and other critical process are still alive.
If you have encounter this situations, There is no need to reboot your system.
Instead, you can goto tty to fix the problem.
In linux system you can go to tty by pressing [ctrl]+[alt]+[f1~f7].
The default graphic mode is in tty7, that is you can press [ctrl]+[alt]+[f7] to return to graphic mode.
A tty is a pure command prompt and you can restart the x-server from here.
ubuntu 11.10 use lightdm, so I take lightdm as an example.
type the following command:
sudo /etc/init.d/lightdm restart
that's it, and you will see the graphic mode is restarted.

2. the magical sysrq:
If your system crash and the keyboard has no respond, it's time to use the sysrq.
What is a sysrq, it is a little button on your keyboard. Normally, it is near the delete key .  If your system crash, and you can not enter the tty mode. Try the following combination keys:
[alt]+[sysrq]+[R]-> [alt]+[sysrq]+[E]-> [alt]+[sysrq]+[I]-> [alt]+[sysrq]+[S]-> [alt]+[sysrq]+[U]-> [alt]+[sysrq]+[B]
If everything works fine, your system will reboot but will save some files and safely kill the process that you are working on.
So what the hell is going on under these combination keys?
The following show you the functionality of each keys.

a. [alt]+[sysrq]+[R] : turn your keyboard into ascii mode, it enables your keyboard to send message to the kernel directly.
b. [alt]+[sysrq]+[E] : send SIGTERM signal to all the process except the init process.
c. [alt]+[sysrq]+[I] : send SIGKILL signal to all the process except the init process. This will kill all the processes except the init process.
d. [alt]+[sysrq]+[S] : sync the buffer pool to the hard disk, in case to lose datas.
e. [alt]+[sysrq]+[U] : remount all the mounted-filesystem to read-only.
f. [alt]+[sysrq]+[B] : reboot the system.
p.s while using the combinations, use it slowly. :P
That is, after using the first combination, wait about 5 secs and then use the second one and so on. If you use the combinations too quick it is no difference than press the power key. 
The recommend wait time is:
R--1 sec-- > E--30 sec --> I-- 10 sec --> S --5 sec --> U -- 5 sec --> B

If you want to know more detailed about the sysrq the following link has a very good explanations.
English version:
Magic sysrq
Chinese version:

Ubuntu 11.10 Notes

It's been a really long time that I haven't write a new post. My school work is fucking busy.
I have installed ubuntu 11.10 for a while. I decided to write some note about the installation and configuration process.

Installing ubuntu 11.10 is quite easy, just put the disk into the computer, follow the steps and yes you have installed your ubuntu 11.10.

1. video drivers:
I'm using ATI video cards, and meet some problem while using the default video drivers.
There are many solution of this problem. I just post the solution I used:
First, go to AMD official website and download the video device dirver.
The one I'm using is ""
and type the following command and reboot, and the video driver is installed.
mkdir ati-11.11;
cd ati-11.11
sh --buildpkg Ubuntu/oneiric
dpkg -i fglrx*.deb
aticonfig --initial -f

If you still meet some problems, the following websites maybe a good place
to search your solutions.
ubuntu install guide
ubuntu+gnome shell+ati driver
gnome shell doesn't work properly

2. Installing some applications
   a. upgrade the app: type the following command and upgrade the applications that already install in the system.
   sudo apt-get update && sudo apt-get upgrade

   b. install the restricted packages: this will enable you to play some popular music/video formats such as mp3 and so on. Type the follwoing command:
   sudo apt-get install ubuntu-restricted-extra

   c. enable full dvd play back: After that you can watch videos from dvds.
   The instruction is too long, so I post the original link and you can follow the instructions from those websites.
   install libdvdcss
   15 things I did...

   d. and more: There are still more applications you may want to installed. Reference this link:
   Best applications and tweeks ....

This is pretty much about it.

Dec 9, 2011

wargame competition Taiwan

You can download the questions in the following link:

However the archive file is encrypted, if u want the key please send me an email.

Description of each questions is listed in t.txt files.

Nov 28, 2011

ubuntu 11.10 plus plasma widget

I recently install the ubuntu 11.10. I spent some time to get used to the unity interface.
But the unity shell is lack of widgets and therefore I decided to install the plasma-desktop to my ubuntu. :P

1. install the package by the following command:
   apt-get install plasma-desktop plasma-scriptengine-python
2. create launcher to start the plasma desktop:
   type gnome-desktop-item-edit ~/Desktop --create-new
   and it will popup a dialog box.
   select "application" in the type field,
   filled "plasma-desktop" or whatever u like in the name field,
   filled "plasma-desktop" in the command field,
   and press ok.
   P.S u can also create a launcher to stop the plasma by filled the command field with killall plasma-desktop.
3. Let plasma looks better in unity
   a. System Settings > Application Appearance > Widget Style > GTK+
   b. System Settings > Workspace Appearance > Desktop theme > Get new theme
   c. Search for ‘Ambiance’
   d. install it and use it.
   e. remove the bottom panel if u don't like it.
4. Use the nautilus as default folder manager
   control center(system setting) > file associations > inode > directory [ then add: "nautilus --no-desktop" ]
   or you can just install dolphin if u don't like the nautilus.

That's it enjoy!!

reference website:

Nov 12, 2011

setting linux as a gateway

Since my school project need to set up an ethernet environment. I need to create an internal network under virtualbox. The first step is to setup the gateway inside a virtualbox. After google for a while, I finally setting up my linux as a gateway.
Environment :
linux distribution: alpine linux 2.3
kernel version:    3.0
virtualbox network adapter setting:
     1. host-only network=> eth0 for internal network.
     2. bridged network => eth1 for internet.
the connection state is like the following figure:
<<internet>>----------<<alpine linux>>------------<<internal>>
            eth1 pppoe                 eth0 NAT

The reason why I use alpine linux instead of other distribution is that it is tiny but contains the utilities that to set up my environment.
alpine linux download link:
alpine linux installation guide:

I'll write down all the steps that I configure the internet.
1. package requirement
2. configure the network interface
3. setting up the iptables
4. enable packet forwarding
 1.package requirement:

rp-pppoe => pppoe client side program
iptables => firewall
ppp  => ppp deamon
that's all. 

2.configure the network interface
   2.1. the internal network:
      configure the /etc/network/interface
      add the following line to the file.
auto eth0
iface eth0 inet static
      the address, netmask, network and broadcast can be changed according to you network setting. 

   2.2.pppoe configuration:
      pppoe-setting => to start pppoe configuration. 
      After setting up type 
      pppoe-connect => connect to the internet via pppoe. 
      You can check the result by typing:
      ifconfig | less

3.setting up the iptables:
   type the following command to set the iptables rules:      
   iptables -A FORWARD -o eth1 -i eth0 -s -m conntrack --ctstate NEW -j ACCEPT
   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
   iptables -A POSTROUTING -t nat -j MASQUERADE

4.enable packet forwarding:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    cat /proc/sys/net/ipv4/ip_forward => check the result.

reference website:

Oct 31, 2011

shell code 6(reduced the shellcode size)

The size of shellcode is very important. Therefore I list some of the tricks that can reduce the shellcode size and moreover rewirte our shellcode to reduce the size.

Instead of using movl $constant , %register, use xor, mul and lea instead. The instruction of moving constant to register cost five bytes, but xor, mul and lea only cost 1 to 3 bytes. This can reduce many size of the shellcode.

The following is a quick example for the exit system call.
This is the original one that I write in the previous articles.
int main() {
  __asm__("movw $1, %eax;\
           movw $0, %ebx;\
           int $0x80;");
  return 0;
The size of each instruction is
mov $1, %eax      => 5 bytes.
mov $0, %ebx      => 5 bytes.
int $0x80         => 2 bytes.
total bytes          12 bytes.

However if rewrite the shellcode into the following code:
int main() {
  __asm__("xorl %ebx, %ebx;\
           leal 0x1(%ebx), %eax;\
           int $0x80;");
  return 0;
The size of the shellcode become:
xorl %ebx, %ebx      => 2 bytes
leal 0x1(%ebx), %eax => 3 bytes
int $0x80            => 2 bytes
total size              7 bytes

yes, reduce 5 bytes of the shellcode. :D
another example of reducing the shellcode:
int main(){
        __asm__("jmp 0x20;\                 #2bytes
                 popl %esi;\                #1bytes
                 movl $4,%eax;\             #5bytes
                 movl $1,%ebx;\             #5bytes
                 movl $0x7,%edx;\           #5bytes
                 movl %esi,%ecx;\           #2bytes
                 int  $0x80;\               #2bytes
                 movl $1,%eax;\             #5bytes
                 movl $0,%ebx;\             #5bytes
                 int  $0x80;\               #2bytes
                 call -0x37;\               #5bytes
                 .string "Run Han"\
        return 0;
This code is the write system call that I wrote in the previous article.
The code size of this shellcode is 46 bytes long.
rewrite the shellcode
__asm__("jmp 0x20;\                 #2bytes
                 popl %ecx;\                #1bytes
                 xorl %ebx, %ebx;\          #2bytes
                 mul %ebx;\                 #2bytes
                 leal 0x4(%eax),%eax;\      #3bytes
                 leal 0x7(%edx),%edx;\      #3bytes
                 int  $0x80;\               #2bytes
                 xorl %ebx, %ebx;\          #2bytes
                 leal 0x1(%ebx), %eax;\     #3bytes
                 int  $0x80;                #2bytes
                 call -0x37;\               #5bytes
                 .string "Run Han"\       #7bytes
The code size is reduce to 34 bytes long.
P.S the mul instruction will save the result to %eax and %edx, therefore the %eax and %edx is now being set to zero. 
The push trick and relative jmp/call trick both can get the address of the data, but sometimes using the push trick in the right condition can reduce some bytes of the shellcode.
consider the following example in shell code 3:

int main(){
        /* relative jmp/call trick */
        __asm__("jmp 2f;\n\
                 pop %esi;\n\
                 movl %esi, %ebx;\n\
                 movl $0, %ecx;\n\
                 movl $162, %eax;\n\
                 int  $0x80;\n\
                 movl $1,%eax;\n\
                 movl $0,%ebx;\n\
                 int  $0x80;\n\
                 call 1b;\n\
                 .long 0x00000002,0x0;\n\
        return 0;
The above code is 42 bytes.
int main(){
        /* push trick */
        __asm__("push $0;\n\
                 push $2;\n\
                 movl %esp, %ebx;\n\
                 movl $0, %ecx;\n\
                 movl $162, %eax;\n\
                 int  $0x80;\n\
                 movl $1,%eax;\n\
                 movl $0,%ebx;\n\
                 int  $0x80;\n\               
        return 0;
The code size is 30 bytes.
By using the push trick, we reduced 12 bytes of the shellcode. Nice!!!

The 0x66 prefix or 16bit/8bit mov instruction.
If the constant value is smaller than 0xffff using the 0x66 prefix or movw instruction in gnu assember. In this way, it can reduce one more byte of the shellcode.
If the constant value is smaller than 0xff using the movb instruction  since it only cost two bytes.
Rewrite the previous example:
int main(){
        /* push trick */
        __asm__("push $0;\n\
                 push $2;\n\
                 movl %esp, %ebx;\n\
                 xorl %ecx, %ecx;\n\
                 mov  $162, %al;\n\
                 int  $0x80;\n\
                 xorl %ebx, %ebx;\n\
                 leal 0x1(%ebx), %eax;\n\
                 int  $0x80;\n\               
        return 0;
The size of the above code is reduce to 19 bytes.
Reduce 11 bytes of the code.
Now the wait system call and exit system call only cost 19 bytes instead of 42 bytes.

These tricks is very useful in some conditions, enjoy. :D

Oct 14, 2011

Dennis Ritchie R.I.P

#include <stdio.h>

int main(void){
         printf("Rest in piece Dennis Ritchie, father of the C language, great programmer and a true hacker. You changed the whole world.\n");
         return 0;

Oct 8, 2011

SimpleOS source code

I finally upload my OS source code to the github. The following is the link:

Recently I'm very busy because the school work. When my school work is finished, I will post some article about the source code, from the booting process to the protected mode in detailed. :P

Aug 13, 2011

Simple OS - note

While I was working on my simple operating system project. I found something interesting.
Almost all the x86 system boot up in 16-bit real mode. And the way to enable the protected mode is quite easy.
As osdev wiki suggest, using the following instruction can take us from real mode to protected mode.
mov  eax, cr0   ; switch to pmode by
or al,1         ; set pmode bit
mov  cr0, eax
But there are one thing that bother me a lot, since our code is still in the real mode, 
how can we use the 32-bit register and instructions.
After google for a while I found a very helpful website that completely solved my question.
answer in stackoverflow 
answer in nasm forum 
The answer is that
When intel introduced 32-bit code - they used the same opcodes! 
When using 32bit register in 16 bit real mode, assembler will place a prefix in front of the instruction. (0x66 according to the nasm forum) This tell the cpu that I'm using 32-bit register
in 16-bits real mode.

I take some picture to verified the result.
My environment is ubuntu 10.10 and gcc 4.4.5
I' using qemu and gdb to verified the result.

As you can see, there are 0x66 prefix in front of the mov eax, 0 instruction.

Aug 9, 2011

compile qemu under ubuntu

For some reason, I have to build qemu from the source code.
This is some note of how to do this.

My environment:
ubuntu 10.10
gcc 4.4.5

download the source code of the qemu from the following link.
I choose version 0.15

install some require libraries and tools.
sudo apt-get install build-essential checkinstall 
sudo apt-get install zliblg-dev libSDL-dev

extract the tar.gz.
tar -xvf qemu-0.15.0.tar.gz

cd to the directory and configure.

build the source code.

install the qemu. You can use make install, but I recommend using the checkinstall.
It is easier to manage the code u build.
(Since I can't find the uninstall tag in the Makefile of qemu. Therefore, I use checkinstall instead of make install.)

sudo checkinstall -D --install=no
sudo dpkg -i $package_name
-D will create a debian package for the debian distribution.
If u want to build rpm , just use -R instead of -D 
dpkg is the utility to install a deb package. If u want to uninstall a package use -r.

reference website:

Jul 4, 2011

Shell code 5(execve system call)

This article is mainly reference by this website:
smash the stack for fun and profit
This time I'll use execve system call to remove a file called "test".
Before started, let's see how execve works in c.
the man page of execve
#include <unistd.h>
       int execve(const char *filename, char *const argv[],
                  char *const envp[]);

As you can see, there are three formal parameters in execve system call.
1. the filename is the file you want to execute.
2. argv  is  an  array  of argument strings passed to the new program.
3. the last one is not important in our shellcode, so I will not explain it in detail.
Let's write a simple C program which use the execve system call.
#include <unistd.h>
int main(){
        char *argv[]={"/bin/rm","./test",NULL};
        return 0;
compile the program and execute with the following command.
1.gcc -o exe.out execve_pre.c
2.touch test 
P.S the touch command is to create a empty file.
3. ./exe.out

And you will see the "test" is being removed.

Now turn this into the inline assembly.
char *argv[]={"/bin/rm","./test",NULL};
int main(){
        __asm__("movl $0xb,%eax;\
                 movl argv,%ebx;\
                 movl $argv,%ecx;\
                 movl $0,%edx;\
                 int $0x80;\
                 movl $0x1,%eax;\
                 movl $0x0,%ebx;\
                 int $0x80;\
        return 0;
Compile and execute it.
The result is the same as the previous example.
However, as I mentioned before, I don't want the data outside the shellcode.
Therefore, I need to write the data into the shell code. 
And the way I get the address of the data is still the same, the relative jmp/call trick.
The following is the code looks like:

int main(){
        __asm__("jmp 2f;\n\
                 xor %eax,%eax;\n\
                 popl %esi;\n\               
                 movl %esi,%ebx;\n\
                 leal 0x8(%esi),%esi;\n\
                 pushl %eax;\n\
                 pushl %esi;\n\
                 pushl %ebx;\n\               
                 movl $0xb,%eax;\n\
                 movl %esp,%ecx;\n\
                 xorl %edx,%edx;\n\
                 int $0x80;\n\
                 movl $0x1,%eax;\n\
                 movl $0x0,%ebx;\n\
                 int $0x80;\n\
                 call 1b;\n\
                 .string \"/bin/rm\";\n\
                 .string \"./test\";\n\
                 .byte 0x0,0x0,0x0,0x0;\n\
        return 0;
In order to create a structure like
char *argv[]={"/bin/rm","./test",NULL};
I use the stack to store those data.
1. we get the address of "/bin/rm" by the relative jmp/call trick and pop to the %esi.
2. copy the content of the %esi to %ebx.
3. leal 0x8(%esi), %esi => %esi += 8;
   After the instruction, %esi now point to the "./test"
4. push 0, address of the "./test" and address of the "/bin/rm".
P.S since the stack grows down, push the parameter in reverse order. The memory layout is list in figure 1.
<figure 1>
low ------------------------------------------ high
|address of "/bin/rm"| address of "./test" | NULL
| %ebx               | %esi                | %eax

After doing the above steps, then I can move the parameter to the register which the int $80 need.
1. since the %ebx alrealy contains the address of the structure, there is no need to set it again.
2. movl %esp,%ecx; 
store the address of the structure to the %ecx. This instruction is equal to execve(argv[0],argv,NULL);
3. xorl %edx, %edx
store the NULL pointer to the %edx. This instruction is equal to execve(argv[0],argv,NULL);
And now it's time to compile the source code and execute it.
Use objdump to copy the machine code to the new source file. (If you have no idea how to use it see the previous post of the shell code)
/* This is the shellcode */
char shellcode[] =

void main() {
   int *ret;
   /* overflow the return address */
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;
Compile the source code, use execstack to enable the executable stack and execute it, you will see the result is what we expected.

Actually the execve system call is very dangerous. The above is just using the /bin/rm to remove a file, what if someone use /bin/sh to create a new shell, the consequence is unpredictable.
After verified the result, let's now combine the whole code together.

 * The inline assembly mix all the code together.
 * It will print a message,
 * wait 2 seconds and
 * remove a file called test.
int main(){
        __asm__("jmp 2f;\n\
                 popl %esi;\n\
                 movl %esi, %ecx;\n\
                 xorl %ebx, %ebx;\n\
                 mul %ebx;\n\
                 inc %ebx;\n\
                 movb $0x4, %al;\n\
                 movb $0x8, %dl;\n\
                 int  $0x80;\n\
                 xorl %eax, %eax;\n\
                 pushl %eax;\n\
                 movb $0x2, %al;\n\
                 pushl %eax;\n\
                 movl %esp, %ebx;\n\
                 xor %ecx, %ecx;\n\
                 movb $0xa2, %al;\n\
                 int  $0x80;\n\
                 xorl %eax, %eax;\n\
                 leal 0x9(%esi),%esi;\n\
                 pushl %eax;\n\
                 movl %esi, %ebx;\n\
                 leal 0x8(%esi), %esi;\n\
                 pushl %esi;\n\
                 pushl %ebx;\n\
                 movb $0xb, %al;\n\
                 movl %esp, %ecx;\n\
                 xor %edx, %edx;\n\
                 int $0x80;\n\
                 xorl %ebx, %ebx;\n\
                 leal 0x1(%ebx), %eax;\n\
                 int $0x80;\n\
                 call 1b;\n\
                 .string \"Run Han!\"\n\
                 .string \"/bin/rm\";\n\
                 .string \"./test\";\n\
                 .long 0x0;\n\
        return 0;

There is nothing much to tell of the source code. I use some instruction to reduce the code size, I will talk about reduce the code size in the next article.
And now compile the source code and use objdump to generate the shellcode.
char shellcode[] =
"\xeb\x39"      /*relative jmp*/
"\x5e"          /*pop %esi*/
"\x89\xf1"      /*movl %esi, %ecx*/
"\x31\xdb"      /*xor %ebx, %ebx*/
"\xf7\xe3"      /*mul %ebx*/
"\x43"          /*inc %ebx*/
"\xb0\x04"      /*mov $0x4, %al*/
"\xb2\x08"      /*mov $0x8, %dl*/
"\xcd\x80"      /*int $0x80*/
"\xb0\x02"      /*xor %eax, %eax*/
"\x50"          /*pushl %eax*/
"\xb0\x02"      /*movb $2, %al*/
"\x50"          /*pushl %eax*/
"\x89\xe3"      /*movl %esp, %ebx*/
"\x31\xc9"      /*xor %ecx, %ecx*/
"\xb0\xa2"      /*mov $0xa2, %al*/
"\xcd\x80"      /*int $0x80*/
"\x31\xc0"      /*xor %eax, %eax*/
"\x8d\x76\x09"  /*leal 0x09(%esi),%esi*/
"\x50"          /*push %eax*/
"\x89\xf3"      /*mov %esi, %ebx*/
"\x8d\x76\x08"  /*lea 0x8(%esi), %esi*/
"\x56"          /*push %esi*/
"\x53"          /*push %ebx*/
"\xb0\x0b"      /*mov $0xb, %al*/
"\x89\xe1"      /*mov %esp, %ecx*/
"\x8d\x51\x04"  /*lea 0x4(%esp), %edx*/
"\xcd\x80"      /*int $0x80*/
"\x31\xdb"      /*xor %ebx, %ebx*/
"\x8d\x43\x01"  /*lea 0x1(%ebx), %eax*/
"\xcd\x80"      /*int $0x80*/
"\xe8\xc2\xff\xff\xff"  /*relative call*/
"Run Han!\x0"

void main() {
   int *ret;
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;

compile it , use execstack to enable the executable stack and execute it. After that you will see the program first print a message, wait about two seconds and remove a file called "test".