Archive for the ‘Reverse Engineering’ Category

Upgrading a Compaq Presario C700 Notebook Computer

Friday, November 16th, 2012

This is intended to be a short set of notes on successful hardware upgrades to a C700 series (C771US specifically) Compaq Presario laptop.

SSH tunnel through HTTPS

Thursday, March 12th, 2009

Many people at corporate jobs find themselves behind a firewall which only allows outgoing traffic to destination ports 21 (ftp), 80 (http) and 443 (https). To access one's network at home, the workaround is to run the SSH server at home on port 443 instead of the usual port 22, then use the SSH client to create a tunnel (a dynamic SOCKS forward, ssh -D, or individual port forwards, ssh -L) so that arbitrary traffic travels inside the SSH session to your home machine. The firewall sees only a single outbound connection to port 443.

Some people who are even unluckier find themselves behind a firewall which does layer 7 packet inspection, meaning that traffic outgoing to a destination port of 443 that does not look like HTTPS traffic will be dropped by the firewall.

Fortunately, PuTTY combined with proxytunnel will pass non-HTTPS traffic through this type of firewall. It works as a "triple proxy": proxytunnel asks the restrictive corporate proxy to CONNECT to the HTTPS proxy web server you run at home, starts TLS inside that connection, and asks the home proxy to CONNECT to your SSH server; PuTTY then runs its SSH session through that tunnel, and the SSH session in turn acts as a proxy for the network traffic that is not permitted to pass through the corporate network. To payload inspection the result is an ordinary TLS session to port 443. It is not invisible, though: the corporate proxy still logs the CONNECT request with your home host name, sees the certificate your home server presents, and can apply traffic analysis to the connection, so treat this as a way past content inspection rather than as a covert channel.
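The two CONNECT hops described above, as an added example written for this page (it is not proxytunnel's source and not code from the original post). The script performs the same handshake proxytunnel does at each hop and then relays stdin/stdout so it can serve as an ssh ProxyCommand; the proxy host names, ports and CA file are placeholders (assumptions), and the second hop verifies the home server's certificate so the corporate proxy cannot quietly sit in the middle.

```python
"""HTTP CONNECT tunnelling, one hop at a time, as proxytunnel does it.

Added example for this post; not proxytunnel's source and not the original
article's code.  Hop 1: ask the corporate proxy to CONNECT to the home
HTTPS proxy on 443.  Hop 2: start TLS inside that tunnel and ask the home
proxy to CONNECT to sshd.  The ssh client then talks through the result.
Host names, ports and the CA file below are placeholders (assumptions).
"""
import os
import socket
import ssl
import threading


def http_connect(sock, host, port, auth_header=None):
    """Send one CONNECT request on a connected socket.

    Returns (status_code, reason, leftover).  A 2xx status means the proxy
    has turned the connection into a raw tunnel to host:port.  `leftover`
    is any bytes that arrived after the header block; the SSH banner often
    rides in the same segment as the "200" and must not be thrown away.
    """
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if auth_header:
        request += f"Proxy-Authorization: {auth_header}\r\n"
    request += "\r\n"
    sock.sendall(request.encode("ascii"))

    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ValueError("oversized CONNECT response")
    headers, leftover = buf.split(b"\r\n\r\n", 1)
    status_line = headers.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, leftover


def open_tunnel(corp_proxy, home_proxy, ssh_dest, cafile=None):
    """Build the "triple proxy": corporate proxy -> TLS -> home proxy -> sshd."""
    sock = socket.create_connection(corp_proxy)
    code, reason, _ = http_connect(sock, *home_proxy)
    if code // 100 != 2:
        raise ConnectionError(f"corporate proxy refused CONNECT: {code} {reason}")
    # Verify the home server's certificate: without this, anyone on the
    # path (the corporate proxy included) can sit in the middle.
    ctx = ssl.create_default_context(cafile=cafile)
    tls = ctx.wrap_socket(sock, server_hostname=home_proxy[0])
    code, reason, leftover = http_connect(tls, *ssh_dest)
    if code // 100 != 2:
        raise ConnectionError(f"home proxy refused CONNECT: {code} {reason}")
    return tls, leftover


def relay_stdio(sock, leftover):
    """Act as an ssh ProxyCommand: stdin -> tunnel, tunnel -> stdout."""
    if leftover:
        os.write(1, leftover)

    def to_socket():
        while True:
            data = os.read(0, 4096)
            if not data:
                sock.shutdown(socket.SHUT_WR)
                return
            sock.sendall(data)

    threading.Thread(target=to_socket, daemon=True).start()
    while True:
        data = sock.recv(4096)
        if not data:
            return
        os.write(1, data)


if __name__ == "__main__":
    # Placeholder endpoints (assumptions).  In ~/.ssh/config:
    #   Host home
    #       ProxyCommand python3 tunnel.py
    tls_sock, rest = open_tunnel(("proxy.corp.example", 8080),
                                 ("home.example.org", 443),
                                 ("127.0.0.1", 22))
    relay_stdio(tls_sock, rest)
```

The leftover handling is the part people get wrong when writing this by hand: the home proxy replies "200" and sshd's version banner may be sitting in the very next bytes, so discarding everything after the header block hangs the SSH handshake. PuTTY's "local proxy command" setting can run the same script in place of proxytunnel.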

CNN and the Turner Media Plugin on Linux with Firefox

Wednesday, November 28th, 2007

If you get an “Unsupported Platform” error when trying to play CNN Videos, follow these instructions.

Follow the link to and follow the instructions there.

Remember when you configure UserAgentSwitcher to fill in the AppName as Netscape and the Platform as MacPPC or you will get the same error again.

Hacking 3ware’s management utility for setuid programs

Tuesday, March 27th, 2007


If you do any of these hacks, be sure that you do NOT install the tw_cli program itself setuid root; use sudo, or another wrapper that filters user access to running tw_cli as root. If you do not take appropriate precautions, any user will be able to run tw_cli, bugs and all, and have all the powers of root while doing so!

Problem and solutions

3ware's management utility for their RAID cards under Linux is called tw_cli. I have found that it may be desirable to script certain activities in tw_cli. One such instance required writing a setuid wrapper program so that a non-root user could invoke tw_cli as root (a sudo setup would be similar). But tw_cli unfortunately checks that getuid() returns 0 (the precise system call according to strace(1) is getuid32()). In a setuid environment the effective user ID is root but the real user ID is that of the invoking user, so this check fails and tw_cli refuses to run. Aside from getting 3ware to change this call to geteuid(), the user would be out of luck.

Actually, we are not totally out of luck. tw_cli is stripped, which makes binary analysis difficult, but it is statically linked. This aids analysis because all of the code, the C library's system call stubs included, is in the binary. On IA-32, Linux system calls are invoked by moving the system call number into eax and executing int 0x80. The C library wraps each system call in a small stub that does exactly this; when statically linked, that stub resides in the binary image.

What I did was to search for a mov of a 32-bit immediate into eax carrying getuid32()'s system call number, immediately followed by an int 0x80. getuid32()'s system call number can be found by checking the Linux kernel source code; all the system call numbers are defined as __NR_syscall. __NR_getuid32 is 199, which is $C7. The opcode for a 32-bit immediate move to eax is $B8. So, since IA-32 is little endian, this instruction is B8 C7 00 00 00. The INT instruction has an opcode of $CD and an 8-bit argument ($80 in this case). So the hex string to search for is B8 C7 00 00 00 CD 80. Well wouldn't you know, there it is. And only one instance! It must be our culprit. (Had there been more than one hit, this would have needed disassembly to pick the right one; with exactly one, there is nothing to choose.)

Now, what to change it to? We want to change this call to geteuid32(). Luckily, getuid32() and geteuid32() have the same arguments (none at all) and the same return type, so this hack is trivial. __NR_geteuid32 is 201 ($C9), so just change the move to B8 C9 00 00 00 and save the file. Confirm the edit with strace(1): the getuid32() call that appeared before should now show up as geteuid32(). Now your tw_cli works as a setuid program.

A better way to do this might be to skip this call altogether. tw_cli operates on the 3ware device node, which has its own UNIX permissions, so… the tw_cli program does not really even need this check. Since the return value of the system call (the UID number) is placed in eax, we could make this hack just pass every time by changing the move to B8 00 00 00 00, and changing the CD 80 to 90 90 (nop nop). Then the program’s behavior will be controlled by device and file permissions as expected, instead of being controlled by a crude root check.
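Both patches above, as an added example written for this page (not 3ware's code, and not the hex-editor procedure the post actually used). It encodes the getuid32 stub from the syscall number instead of hand-typing the bytes, refuses to touch anything that is not a 32-bit x86 ELF, and turns the post's "only one instance" observation into a hard check, because applying a blind byte replacement to a second hit would corrupt unrelated code. The input below is a constructed fake ELF image, not a real tw_cli binary.

```python
"""Locate and patch the getuid32() syscall stub in a static IA-32 Linux binary.

Added example for this post; not 3ware's code.  The three encodings involved:

    mov $0xc7, %eax ; int $0x80   -> B8 C7 00 00 00 CD 80   getuid32()
    mov $0xc9, %eax ; int $0x80   -> B8 C9 00 00 00 CD 80   geteuid32()
    mov $0,    %eax ; nop ; nop   -> B8 00 00 00 00 90 90   always "uid 0"
"""
import struct

NR_GETUID32 = 199
NR_GETEUID32 = 201


def syscall_stub(nr):
    """Encode `mov $nr, %eax; int $0x80` as the static C library emits it."""
    return b"\xb8" + struct.pack("<I", nr) + b"\xcd\x80"


def check_ia32_elf(data):
    """Refuse anything that is not a 32-bit little-endian x86 ELF image:
    the int 0x80 pattern means nothing in an x86-64 or big-endian binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:        # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("not a 32-bit ELF")
    if data[5] != 1:        # EI_DATA: 1 = little endian
        raise ValueError("not little-endian")
    e_machine = struct.unpack_from("<H", data, 18)[0]
    if e_machine != 3:      # EM_386
        raise ValueError(f"e_machine {e_machine} is not EM_386")


def find_unique(data, needle):
    """Return the single offset of needle; raise if it occurs 0 or >1 times.
    The post relied on there being exactly one hit, so make that a hard check."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            break
        hits.append(i)
        start = i + 1
    if len(hits) != 1:
        raise ValueError(f"expected one getuid32 stub, found {len(hits)} at {hits}")
    return hits[0]


def patch_getuid(data, mode="geteuid"):
    """Return (patched_bytes, offset).

    mode "geteuid" swaps the syscall number so the check sees the effective UID;
    mode "bypass" replaces the call with `mov $0,%eax; nop; nop`, which leaves
    eax holding 0 exactly as a real getuid32() returning root would.
    """
    check_ia32_elf(data)
    off = find_unique(data, syscall_stub(NR_GETUID32))
    if mode == "geteuid":
        repl = syscall_stub(NR_GETEUID32)
    elif mode == "bypass":
        repl = b"\xb8\x00\x00\x00\x00\x90\x90"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return data[:off] + repl + data[off + len(repl):], off


if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]
    mode = sys.argv[3] if len(sys.argv) > 3 else "geteuid"
    with open(src, "rb") as f:
        original = f.read()
    patched, off = patch_getuid(original, mode)
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched getuid32 stub at file offset 0x{off:x} ({mode}); verify with strace")
```

Usage is `python3 patch_tw_cli.py tw_cli tw_cli.patched [geteuid|bypass]`. Either way, the result must still be run through sudo or a restricted wrapper rather than installed setuid root, as the warning at the top of the post says; the patch only changes which UID the check reads, not how trustworthy the rest of the stripped binary is.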