Michael Brown Supermathie

## gist:9560149
Since the most likely thing I expect to trip up on tomorrow will be selinux, here are some quick notes on it for everyone else as well:

# check selinux audit log
$ sudo seaudit-report /var/log/audit/audit.log
...
Jan 14 14:46:23 (null) (null): audit(1389728783.896:402159): avc: denied { read } for pid=10210 comm=zabbix_server name=SNMPv2-MIB ino=5246 dev=dm-5 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
...

# hmmm zabbix server can't read the SNMP MIBs. What can he read?
$ sesearch --allow -R -s zabbix_t

## gist:9770293
Microsoft IVR: "What would you like assistance with?"
Me: "Office Activation"
Microsoft IVR: "I'm sorry, I couldn't hear you." *Goes back to the very beginning*
...
Microsoft IVR: "What would you like assistance with?"
Me: "Penile Dysfunction"
Microsoft IVR: "OK, I'll get someone on the line."

## client config
ipc_mode: tcp
master: orchestrator.netdirect.ca
root_dir: c:\salt
pki_dir: /conf/pki/minion
id: win7-salt
multiprocessing: False

## hb-test.py
#!/usr/bin/env python2
"""
Author: takeshix <takeshix@adversec.com>
PoC code for CVE-2014-0160. Original PoC by Jared Stafford (jspenguin@jspenguin.org).

Supportes all versions of TLS and has STARTTLS support for SMTP,POP3,IMAP,FTP and XMPP.
"""

import sys,struct,socket
from argparse import ArgumentParser

## mk_new_swap
#!/bin/bash -e

# This script adds a 512MB swapfile to the system

function get_new_swapfile() {
  for i in `seq 0 99`; do
    if [ ! -e /swapfile.$i ]; then
      echo /swapfile.$i
      return
    fi

## gist:11258633
○ → host -a updates.mailfoundry.net 208.67.220.222
updates.mailfoundry.net. 1245	IN	A	66.18.18.59

○ → host -a updates.mailfoundry.net 208.67.220.220
updates.mailfoundry.net. 402	IN	A	66.18.18.59
updates.mailfoundry.net. 0	IN	AAAA	::ffff:67.215.65.132

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Supermathie
                / keybase.md
            
            
              Created
              September 22, 2014 20:17
            
              
                keybase.md
              
          
    Keybase proof

I hereby claim:

I am supermathie on github.
I am supermathie (https://keybase.io/supermathie) on keybase.
I have a public key whose fingerprint is B753 BD6B 2F90 7540 0F48  0008 6C07 FB30 07CF 9360

To claim this, I am signing this object:

  
## gist:146628dd7acf4d4a3600
@@ -1,48 +1,49 @@
-ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
-ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
 ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
-DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
-DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
-DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
-DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
-ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

## gist:5389349
/*
 * XDR opaque data
 * Allows the specification of a fixed size sequence of opaque bytes.
 * cp points to the opaque object and cnt gives the byte length.
 */
bool_t
xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt)
{
  u_int rndup;
  static char crud[BYTES_PER_XDR_UNIT];

## gist:7148885
Upgrading the firmware to H.08.67

From HP's site:
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=27316&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-bpj07129-4%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

1. Type: ftp HP_Jetdirect_IP_address
2. At the prompt for a user name/account, press Enter . (The HP Jetdirect print server will accept all passwords or blanks for the username, so in most cases just press Enter).
3. At the Password prompt, press Enter . (The HP Jetdirect print server will accept all passwords or blanks for the password, so in most cases just press Enter. However, If Telnet is enabled and an administrator password is set, the administrator password must be entered at the password prompt).
4. At the ftp prompt, type: bin
5. Type hash
	Since the most likely thing I expect to trip up on tomorrow will be selinux, here are some quick notes on it for everyone else as well:

	# check selinux audit log
	$ sudo seaudit-report /var/log/audit/audit.log
	...
	Jan 14 14:46:23 (null) (null): audit(1389728783.896:402159): avc: denied { read } for pid=10210 comm=zabbix_server name=SNMPv2-MIB ino=5246 dev=dm-5 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
	...

	# hmmm zabbix server can't read the SNMP MIBs. What can he read?
	$ sesearch --allow -R -s zabbix_t
	Microsoft IVR: "What would you like assistance with?"
	Me: "Office Activation"
	Microsoft IVR: "I'm sorry, I couldn't hear you." Goes back to the very beginning
	...
	Microsoft IVR: "What would you like assistance with?"
	Me: "Penile Dysfunction"
	Microsoft IVR: "OK, I'll get someone on the line."
	ipc_mode: tcp
	master: orchestrator.netdirect.ca
	root_dir: c:\salt
	pki_dir: /conf/pki/minion
	id: win7-salt
	multiprocessing: False
	#!/usr/bin/env python2
	"""
	Author: takeshix <takeshix@adversec.com>
	PoC code for CVE-2014-0160. Original PoC by Jared Stafford (jspenguin@jspenguin.org).

	Supportes all versions of TLS and has STARTTLS support for SMTP,POP3,IMAP,FTP and XMPP.
	"""

	import sys,struct,socket
	from argparse import ArgumentParser
	#!/bin/bash -e

	# This script adds a 512MB swapfile to the system

	function get_new_swapfile() {
	for i in `seq 0 99`; do
	if [ ! -e /swapfile.$i ]; then
	echo /swapfile.$i
	return
	fi
	○ → host -a updates.mailfoundry.net 208.67.220.222
	updates.mailfoundry.net. 1245 IN A 66.18.18.59

	○ → host -a updates.mailfoundry.net 208.67.220.220
	updates.mailfoundry.net. 402 IN A 66.18.18.59
	updates.mailfoundry.net. 0 IN AAAA ::ffff:67.215.65.132
	@@ -1,48 +1,49 @@
	-ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
	-ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
	ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
	ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
	-DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
	-DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
	-DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
	-DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
	-ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
	/*
	* XDR opaque data
	* Allows the specification of a fixed size sequence of opaque bytes.
	* cp points to the opaque object and cnt gives the byte length.
	*/
	bool_t
	xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt)
	{
	u_int rndup;
	static char crud[BYTES_PER_XDR_UNIT];
	Upgrading the firmware to H.08.67

	From HP's site:
	http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?sp4ts.oid=27316&spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-bpj07129-4%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

	1. Type: ftp HP_Jetdirect_IP_address
	2. At the prompt for a user name/account, press Enter . (The HP Jetdirect print server will accept all passwords or blanks for the username, so in most cases just press Enter).
	3. At the Password prompt, press Enter . (The HP Jetdirect print server will accept all passwords or blanks for the password, so in most cases just press Enter. However, If Telnet is enabled and an administrator password is set, the administrator password must be entered at the password prompt).
	4. At the ftp prompt, type: bin
	5. Type hash