Where’s Rybolov?

Posted September 29th, 2010 by

My talking schedule over the next couple of months:

October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.

November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.

And coming to you, if you give me a call.  =)

Similar Posts:

Posted in Speaking | No Comments »

Because Life Isn’t Random Enough

Posted September 28th, 2010 by

In the spirit of Shockwave Rider’s information-sharing worm, the charm of StumbleUpon, and this xkcd cartoon:

Making eBay Random

And based on the fact that QR codes are “teh awesome”, I have created something both wonderful, inspiring, and evil all at the same time: a Random QR Code Redirector.  Just point your phone’s QR reader app at this barcode, sitback, and enjoy the mayhem.  Sometimes you get a neat hack url, sometimes you get a funny movie, sometimes you get information about barcodes, sometimes you get something that “once seen, cannot be unseen”.  Feel free to print them out and leave them places.  =)

And ta-da, the barcode:

QR Barcode Redirector

Readme, Clickme!!!

Get a QR reader and other QR Code infos here.

“How’s it all work?”  Well, for starters I got a vanity domain at co.de (works swimmingly for software projects because, well, it’s “code”).  Then I built a database and ~15 lines of php code.  I make a weighted random select from the database and send a redirect to the browser.

Table create statement:

CREATE TABLE IF NOT EXISTS `qr_redirect_links` (
`id` smallint(3) NOT NULL auto_increment,
`url` varchar(1500) collate utf8_unicode_ci NOT NULL,
`weight` smallint(3) unsigned NOT NULL,
`comment` varchar(1500) collate utf8_unicode_ci NOT NULL,

The query code is as follows:

$con = mysql_connect(“<hostname>”,”<username>”,”<password>”);
if (!$con)
die(‘Could not connect: ‘ . mysql_error());


mysql_select_db(“random_urls”, $con);

//You could do a bunch of random select stuff in php but using the database Rand()*(1/Weight) is the easiest 1-liner I know to get a random result.

$result = mysql_query(“SELECT url FROM qr_redirect_links ORDER BY Rand()*(1/Weight) LIMIT 1;”);

while($row = mysql_fetch_array($result))
$newurl = $row[‘url’];
header( “Location: $newurl” ) ;//actually send the redirect here


I’m also collecting interesting urls, just email/twitter/whatever to me, the only rules are that they need to not harm the browser and I have final say on what meets my stringent url quality standards.

Similar Posts:

Posted in Hack the Planet | 1 Comment »

Barcode Hacking Process

Posted April 12th, 2010 by

This is something I’ve been working on in my spare brain cycles:  building a process for barcode hacking.

Limitations with barcode hacking:

  • Feedback: is hard to get and depends on the scanner and the scanner app.  In other words, you really need access to a working setup to test any kind of techniques.  This isn’t web-based SQLi where you can compare the output against other results, you have to look “inside the guts” to see if a change happened.
  • Reflections and Noise: Laser-based scanners have problems with reflection on phone screens.  This *almost* limits you to printed barcodes and reduces some of the interactivity.
  • UPC: This symbology sucks for barcode hacking because you’re limited to 12 digits, no letters are supported.

Kernels of nummieness:

  • Most modern barcodes are attached via USB and are recognized as a keyboard.
  • Read the previous sentence again.  =)  You know what to do here.
  • The USPS uses DataMatrix barcodes for postage.  These include command characters that “freak out” anything I read them on.  This has much potential, now if I can figure out how to harness this for the powers of mischief.
  • I have a Symbol 2D barcode reader, you can buy them on eBay for ~$120.

The process should run something like this:

  • Configuration injection: given the make and model of the scanner, turn on all available symbologies to increase the reader attack surfaces. These command sets are available from the manufacturer and there is a wealth of untapped firmware vulns in them.
  • Discovery test: to determine which symbologies are supported by the barcode scanner.  The goal is to get something that supports the full ASCII set.  Code 128 (1D), PDF-417, QR, Aztec, and DataMatrix are your friends here.  For discovery, you can use “all 1’s” or something along those lines.
  • Command injection: attempt to pass OS commands to the reader application and download and install a payload onto the OS via browser, ftp, etc or to gain a shell on the box.
  • Application escape: Attempt to escape out of the application and into the OS.  Then it’s just a simple matter of regular exploits *or* if you’re lucky, you’re already admin.  At least try a ctrl-alt-del and see what happens.
  • SQL injection: this you know, string concatenation that’s passed to the database.  The problem is that depending on the system, you might not get feedback so blind SQLi is harder.  “‘ or 1=1;–” probably won’t work because there isn’t really a login or when you’re scanning barcodes you’re already past that point.  I think the goal here should be command execution: add users, exec OS commands, and turn on additional services.
  • Malformed barcode: as a last resort, try fuzzing with non-standards-compliant barcodes to get either the scanner or the application to barf.

BTW, all the kids with their barcodes that say “‘ or 1=1;–” crack me up because they’re being barcode skiddies and don’t understand how barcodes are really used.  =)

SQLi Test

SQL Injection Bogus Example by ME!  Only you can stop the stupidity.

Similar Posts:

Posted in Hack the Planet, Technical | 1 Comment »

QR Code Temporary Tattoos Howto

Posted February 10th, 2010 by

So it started with an idea.  How cool would it be to get everybody to install a QR code reader and read temporary tattoos off each other?  Anyway, at Shmoocon I walked around with a bag of QR temporary tattoos much to the delight and chagrin of the hackers assembled therein.

The howto:
#1 Get a barcode generator. I use zint, it’s my favorite tool for generation.  For those of you on Ubuntu or Debian, I have packages built for you.  And give the zint guys some money while you’re at it, they use the funds to buy standards and make zint work with every symbology known to mankind.

#2 Get a layout program. I use Inkscape.  Key here is that it has to be able to import .svg files and be able to flip images horizontally.

#3 Get printable temporary tattoo paper. It’s not really cheap, but I found kits on tattoofun.com.  The kit consists of waterslide temporary tattoo paper, adhesive sheets, and an instruction sheet.

#4 Make .svg Barcodes! I load up zint and toss some text at it, then use the QR symbology.  Some examples:

  • sms:7035551234 body:Greetz from teh Internetz
  • MATMSG: TO:shredder@guerilla-ciso.com; SUB:Test; BODY:This is a test. Please reply if received.;;
  • MECARD:N:Wizzleteague, Stinky;ADR:1234 Main St, Arlington, VA 22202;TEL:+17035551234;EMAIL:shredder@guerilla-ciso.com;;
  • Hi, I’m Quine. I haz a RAGE! https://twitter.com/quine
  • I went to Shmoo and all I got was the flu
  • BTW, if you want to pay me to make QR tattoos for promotion events, drop me an email.

Zint Main Screen

#4.5 Add in QR error correction. The more error correction you use, the more data in the barcode so the smaller the blocks are.  However, some error correction compensates for distortion and glare.  IIUC, Zint automagically adds in 20% error correction.  I’m not sure what the magic number here is because it depends on the size of the printed barcodes.

Zint Error Correction

#5 Export barcode from zint. SVG is awesome to save as because you can scale the barcodes up as much as you want and they won’t get all pixelated-looking.  You can grab a ton of the barcodes I made here.

Save as SVG

#6 Import barcode into inkscape.  File=>Import then select the .svg file you want.  Since the barcodes are svg, you can scale them awesomely.  For mine, I set up guidelines so I could lay out rows proportionately.  Be sure to lock the object proportions or you’ll get hideously warped QR monstrosities that nothing can read.  You can grab my sheet of barcodes here.

Lock Aspect Ratio in Inkscape

#7 Make “The Big Flip” and print.  Inkscape-specific: Edit=>Select All   followed by   Object=>Flip Horizontal.  Then print the page on the glossy side of the slide water paper.

#8 Add the sticky.  It’s a bit like laminating a map only the adhesive is way more forgiving.  Poke some pin-holes in the adhesive sheet and smooth out all the bubbles.

#9 Cut, peel, stick, wet, pull, read, lol.  You can get a reader here, but the important bits: iTunes Store: Barcodes.  Android: Barcode Scanner.

Lessons Learned:

Laser barcode scanners don’t work because the film is reflective.  Photo-based barcode scanners (ie, most mobile scanners) work pretty well.

You have to make the barcodes bigger than I did.  Mine were .75x.75 inches and due to the glare on the paper and some distortion due to putting them on skin, they were hard to read.  I think maybe 2×2 inches are optimum.

Hackers don’t like informational urls in their tattoos: “I got an add for ZXing, this sucks”.  I think random goofy phrases and skin pwnage would work better than informational urls.

Some people (Quine) weren’t happy with a grab-bag random url and needed their own custom witty saying.  I felt the rage, it has now been fixed.

You can’t read the barcodes until they’re on the skin because of the horizontal flip.  Before you do the flip, print out the barcodes on regular paper.  You can read these easily enough.  Then flip the finished barcode sheet over after you’ve printed it and you can match up the barcode with the non-flipped sheet.  Even better if you use your computer monitor as a lightbox.

QR Temporary Tattoo

Similar Posts:

Posted in Hack the Planet, Odds-n-Sods, Technical | 6 Comments »

Barcode Hacking

Posted January 13th, 2010 by

A little presentation I did for NoVA Hackers.  Basic intent was to be more workshop than something more formal and to give everybody the tools to do their own experimentation at home.

I even inspired Jack to write a blog post.

Caveat: this has nothing to do with FISMA or Government InfoSec.  =)

Links in the Presentation:

Links of interest:

Similar Posts:

Posted in Hack the Planet, Speaking, Technical | 6 Comments »

Visitor Geolocationing Widget: