|
In Memoriam Scott R. Lemon |
|
(slightly edited by fravia+)
Re-edited at the beginning of November 2006
You should understand it with a half brain
in Proxomitron, by using basic knowledge
Written by None of Your Business
Impressum
Well, the thing I am talking about needs a very basic knowledge, and the need to publish it makes me sad. I simply can't believe that I am the only person from the billions of computer-users who found this because I'm aware of my own abilities. If everybody is more stupid or less interested than me it is a lot worse world than I thought. And I had no high opinions in the first place. Also I'm not sure if I have any right to publish it, while the author - Scott - never did it. I'm watching the knowledge scene for nearly ten years now, and I feel it even worse than a windmill fight. You think you are spreading knowledge, but the tiny rays of light falling to the huge black holes of ignorance. "I don't know an I don't care...". Most of you guys don't even need this knowledge. It needs work to use it. Run before the command line tools grabs you! Fucking lazy bunch! Go fetch a 20MB mass downloader and be happy with it...I'm well pissed off, so it is quite possibly a long impressum with a very short "essay". But I owe F+ as much as to pass him the decision - if he still want to use this little work in his (yes our) windmill fight, then so be it.
Also -if I may note -the things written here could properly be called 'hacks', some parts maybe cracks, therefore I am maybe a hacker or a cracker (or maybe not). It is all about circumventing your own disabilities by finding ways to realize your own wishes.
I declare here that in the following derivative work, I kept myself to the spirit of the original program, and the wishes of Scott R. Lemon - so absolutely no bison was harmed in the process.
Fileviewer/editor (optional, try Hiew or F3 in any OFM)
Sed (well worth to learn)
Brain (absolutely neccessary)
Willpower (absolutely necessary)
Of course, you may choose any other tools you like.
First step - Search
It always pays out, even with a minimal preliminary knowledge, if you try to
explore anything around you. In our case it mostly means files on computers. With
a crap like Microsoft's OS-es, you can only guess a file's content by looking
at its extension - that is what these OS themselves do (instead of checking the
header, for example, like any decently programmed thing would do). Rename any of your
mp3 to text, and look what happens (try the same -if you never did-, with some
Linux live-distro, to see the difference). It's good to have a decent filemanager
and also good - if not much deeper - that you regularly use its file-viewing functions.
Try this function on the Proxomitron executable. Of course you are already familiar
with Proxomitron's matching commands, because you have gone through the helpfile. Let's
see if in the binary there is any string similar to the ones of those commands.
Look
inside the
file, and search -for example- for "ALERT". There is one hit, and BINGO!
Around it you can see
ALL the commands.
Well, if you look around then you perhaps figure that you actually got more commands than the one known. There is a word you can't find in the docs - "EXEC". According to its context it must be another command - an undocumented one!
Second step - Research
Let's figure out what this function would be doing. Pick some common
programming language (C, PHP, Python, Tcl...), and search its docs. You will soon find
out that in those contexts exec() is how you may call arbitrary programs to help out your
own. Like in PHP: if you wan't to create multiple/nested directory structure ("directory" -
read in newspeak for the young ones "folder"), you need to write your own lot of code.
PHP's default function only create one at a time (AFAIK not the newer ones). BUT with exec,
you can call the directory-creating function/program of the host OS, and you only need
to pass it its own parameters - PHP outsources the job.
Quick Summary
So - there is an undocumented function in Proxomitron, able to run arbitrary programs by matching a filter! Well if this works, then obviously there is an ocean of new possibilities to sail on. Seekers Ahoy!
Third Step - proof of concept: codes
By trying out a little this-and-that, and running Filemon in the background, one finds that "$EXEC" works only in the replacing part - so it is still difficult/worthless to exploit it (I guess). See the next code snippet - A Proxomitron filter:
Name = "EXEC direct" Active = FALSE Multi = TRUE URL = "*" Bounds = "<html>" Limit = 256 Match = "<html>" Replace = "<HTML>$EXEC(scandisk.exe)"
If you wan't to map the behaviour of this function, try EXEC onto a dummy. Like alice - see Filemon's log:
( 00:37:46 Proxomit:FFFBEABF ) FindOpen C:\PROGRAM FILES\PROXOMITRON\ALICE.* NOTFOUND FindOpen C:\WINDOWS\SYSTEM\ALICE.* NOTFOUND FindOpen C:\WINDOWS\ALICE.* NOTFOUND FindOpen C:\WINDOWS\ALICE.* NOTFOUND FindOpen C:\WINDOWS\COMMAND\ALICE.* NOTFOUND Attributes C:\PROGRAM FILES\PROXOMITRON\ALICE NOTFOUND Attributes C:\WINDOWS\SYSTEM\ALICE NOTFOUND Attributes C:\WINDOWS\ALICE NOTFOUND Attributes C:\WINDOWS\ALICE NOTFOUND Attributes C:\WINDOWS\COMMAND\ALICE NOTFOUND(You'll see this differently in all different flavours of Windows. There is a lot to learn from it, btw... but I'll let you work on your own a little :-)
So without changing anything (like the path), IF we have an executable somewhere on the places we see in Filemon - Proxomitron will be willing to start it. Of course now all of you are aware and begin to guess how many things something lik ethis can accomplish. Our long-beloved command-line tools can now be integrated to our powerful browsers, through Proxomitron, extending their functions.
You should start wget -or curl- to spider from a given webpage. Or pass to mencoder a "streamed" media, in order to save it in any different format to your HD. Perhaps use this for remote administration, making your own html from pdfs 'on-the-fly'.
IF you are willing, you could build an output formatting frame, and watch all the outputs/logs inside your browser - already html formatted (or if you lazy, you can just put it between 'pre' tags).
Well all these nice exploits need some code, code that has to be written, so? What are you looking for?
Go, START WORKING ON IT!
Also don't forget some common sense - don't harm anybody with the help of this hidden function... because if you do, then maybe on a silent still night I'm coming for you...
Farewell.
Notes
...
...
Some technical additions
Proxomitron's exec function passes no parameters. So you can't simply pass an url
to wget or whatever - it takes the first word (hopefully wget), and runs the program
in itself.
Not that this could bother anybody with a half brain :-)
There are at least two
solutions to this problem. One of them is patching the binary, after some reversing. The
other is to use Proxomitron's ability to write to file(s), and make it generate a batchfile with
all with the fancy parameters, then run that one. I picked the second, and made a kinda
Proxomitron-Shell. See it for yourself, but remember - programs wich needs further input
may be waiting you with an open console (without correct handling - read the batch-faq).
The code is mostly proof-of-concept, I made it with a modified setup - the config-set
contains only my filter - it may get messed up if you use a big config file. Also the thing
uses frames - check your rules if you merge this filter to your own ones. It starts up with an
error - because there is no input in the form, but... ...damn I don't care! Try it, look
at it, start working on it, or forget it. If nobody has missed this until now, then maybe nobody in fact
needs it.
There is a half-made command-history - youdid read it. Now go and finish it!
Proxomitron Shell
Part of my solution is a sed version - sedmod, just fetch it from the net if needed. If you
decide to cripple this undocumented function, you should try
sedmod "s/EXEC/NULL/g" Proxom~1.exe>Patched.exeWith other versions of sed you can hex-patch also, and you can do it also with Proxomitron itself. If you have dealt with the problem of making Proxomitron filtering a binary, by changing its MIME-type or by renaming it to html, the next filter will just do the thing:
Name = "Patching Proxomitron's undocumented EXEC to nothing" Active = TRUE URL = "*Program%20Files/Proxomitron/Proxomitron.htm" Limit = 23 Match = "(([%00])\1EXEC)\2$ALERT(This filter's function is to cripple the undocumented\n 'EXEC' funcion from Proxomitron 4.4 or 4.5.\n It is assumed that you load your file with \p=*Program%20Files/Proxomitron/Proxomitron.htm")" Replace = "\1\1\1\1\1"
Well. all right - there is another proof-of-concept code built on this function. A vigenere
decipher. Just an example. It is ugly, but it works. Anybody can modify it in order
to use something harder, like PGP.
So If you want you can have a PGP-hardened messageboard.
Vigenere decipher using Proxomitron
Appendix:
Sedmod - you need it for both codes examples
Command line vigenere, you need it to use the second code example
(By Winston -- Feedback: email:tune_proxomitronIGNOREUPPERCASE____AT____IGNOREUPPERCASEhotmail.com)