Saturday, April 28, 2007

Internet Explorer cannot open the Internet site. Operation aborted.

Recently I have been playing with some map technologies, which I am trying to integrate with a wiki for fun. Nothing is out yet, but while testing I ran into a rather malicious nuisance that bugged me for hours yesterday.

I am using the Virtual Earth APIs for this. The code basically loads the map and then pastes a layer of pushpins onto it. The relevant piece of code is below :

<script>

/* a set of includes ... */

var map = null;
function AddMap()
{
map = new VEMap();
map.LoadMap();
}

function AddLayer()
{
var layer = new VELayerSpecification();
layer.Type = VELayerType.GeoRSS;
layer.ID = 'Foobar';
layer.LayerSource = 'mapdata.xml';
layer.Method = 'get';
map.AddLayer(layer);
}

function OnPageLoad()
{
AddMap();
alert('Added map');
AddLayer();
alert('Added layer');
}
</script>
<script>OnPageLoad()</script>

Nothing fancier than sample code. Assume my website is "http://www.website.com". When this block is placed between div tags, IE throws the exception : "Internet Explorer cannot open the Internet site http://www.website.com . Operation aborted." The code works fine in Firefox, but truly not in IE. ( Some variants worked, but the problem is real and exists out there. ) After some googling, it seems to be an IE implementation detail : a script that modifies the DOM of an element the parser has not finished closing ( here, script running from inside a div while the page is still loading ) triggers this abort. The suggested workaround at Ryan Grant's blog was to make it an onload script, which changes the call :

<script>OnPageLoad()</script>

to be changed into :

<script>window.onload = OnPageLoad;</script>

Sure, it works. But the code stopped its control flow after loading the map, without reaching "alert('Added map');". I do not know how this happened, or even how to google this problem ( well... "javascript" + "control flow" ? nothing really came out ). This is a problem : it actually caused my layer script to stop functioning.

The workaround, using deferred scripts :

Change

<script>window.onload = OnPageLoad;</script>

into

<script>
if ( window.attachEvent )
{
    // IE: attach each step as its own handler
    window.attachEvent("onload", AddMap);
    window.attachEvent("onload", AddLayer);
}
else
{
    // everyone else: the standard listener
    window.addEventListener("load", OnPageLoad, false);
}
</script>

If one step fails, no problem; the steps are attached one by one, and IE invokes each attached handler on its own, so a failure inside AddMap no longer takes AddLayer down with it. This is also the most likely explanation for the earlier behaviour : with a single OnPageLoad, an exception thrown inside AddMap aborts the rest of that function, so neither the alert nor AddLayer is reached. One caveat : attachEvent makes no promise about the order in which handlers fire, so AddLayer is not guaranteed to run after AddMap; if the layer must be added to an already-loaded map, call both from one handler and guard the second step ( a try/catch around AddMap, or a check that map is not null ) instead. This code works for me even when the JavaScript has been generated dynamically and embedded between div tags. I hope this makes the frustrated feel better.

References :
http://channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerProgrammingBugs
http://www.viavirtualearth.com/wiki/DeferScript.ashx
http://ryangrant.net/archives/internet-explorer-cannot-open-the-internet-site-operation-aborted-google-map-api

Thursday, April 12, 2007

Email Spoofing

It is something I had not done before. It came to mind, and I decided to try it while mourning the death of my grand computer.

The poor victim happened to be my University's departmental mail server and an automated-registration roster that I attempted it upon.

The automated script is simple : you send an email with the subject "Registration" ( without quotes ) plus some lines of text ( which turned out to be unnecessary ), and your email address is appended to the roster.

Of course, it is very easy to do it with my own email. It would be merely several clicks.

First, I should state that I have VPN access. I have no computers at this moment to do any non-VPN access, though.

I attempted at first to use a program for it, but that turned out to be more than necessary ( it is quite interesting anyway; there were some problems and it failed, sadly, but I will check it out later ). Then I resorted to raw protocol talk and succeeded.

I also built my own mail server ( qmail ) to test against. The results are more or less the same, with some differences.

RFC 821 is a good start.

Thoughts :

1. The mail server did not check the details very much ( was it because of the VPN that it assumed I was already authenticated? Possibly they put it into a list of authenticated hosts. ) ( It is the one used in Horde; the link is here. ) I have not checked deeply whether it is the mail server configuration or something else.

2. There is a field that I did not try very hard to spoof, but I will go on to test how difficult it is to spoof it well.

3. It definitely looks perfect from the outside, but there is a single field ( above ) that leaves traces for a perfect lockdown, which is no good. ( As easily verified in Ethereal. ) I have got to find out how to fix that.

4. How could you spam a mail server "well"? Again, I have not yet checked how the mail server automates spam detection.

5. How could this be extended to general spamming, and how is industrial spamming done? Mine is extremely naive. ( Yes! Definitely! )

Wednesday, April 11, 2007

XSS in small places

Today I was idle waiting for my Windows XP to install, writing some code, and I came across two places on the internet ( one is my friend's page and one is a blog ) which are vulnerable to malicious attacks. I am a pretty novice one, so please feel free to discuss should you be interested.

The first one is a local file inclusion vulnerability in a PHP script that did not sanitize its input properly ( well, I am guessing that he did not do so at all ). So I am free to read anything on the server. Though magic quotes are on; how can I get around them? I tried URL-decoding schemes but with no success. More to try soon.

The second one is an XSS vulnerability in the input fields of a profile, which are shown publicly. This allows malicious users to secretly send cookies away to a server for collection. Of course, the server is actually performing some sanitizing at some places, seemingly using PHP's default magic quotes. But the place I exploited most easily seems to contain no sanitizing ( nothing was escaped ). I will look further into it.

OT - I caught the attention of the blog's administrator, and he deleted my account a few minutes after he found it suspicious. Hah. That is bad.

Wednesday, March 28, 2007

Unknown SATA error

The error message ( command 0x25 is READ DMA EXT, so a read command never completed and the controller timed it out ) :

[17223237.380000] ata3: command 0x25 timeout, stat 0xd0 host_stat 0x61
[17223297.380000] ata3: translated ATA stat/err 0xd0/00 to SCSI SK/ASC/ASCQ 0x47/00

Now my server stalls in such states. I have no idea what it is. If any of you happens to know, I would appreciate it. Meanwhile I will go on looking for a solution to the problem.

Updated : 11 April 2007

It was a problem with the SATA controller; that is the faulty component. It is of type 3124. Look out for this defective design.

Sunday, March 25, 2007

Undefined Operations in GCC

Schedules have been tight.

Recently, a friend of mine showed me some very naive code.

#include <stdio.h>

int main()
{
int count = 0;
while ( count < 8 )
{
/* count is modified and read in the same argument list with no sequence point in between: undefined behaviour */
printf("%d %d\n",count,count++);
}
return 0;
}

Simple, and I was tricked into answering :

0 0
1 1
2 4
...

Well, not quite true : it turned out that gcc evaluated the arguments from right to left here ( printf is a procedure call, after all, and on x86 the arguments are pushed right to left ). The C standard does not promise that, though : the order in which a call's arguments are evaluated is unspecified, and modifying count while reading it in the same argument list, with no sequence point in between, is undefined behaviour, so any output is permitted. It caught me really off guard. After researching a while, Perl seems to react the same, but not PHP. No tests for Java and JavaScript yet. All of the tests were done on an Intel x86 machine.

Now that makes me think about what could cause such eerie results. No idea; I thought it could be compiler differences or conventions. I talked this over with a friend of mine, and interestingly we found that gcc with the -Wall option on yields this :

a.c: In function `main':
a.c:8: warning: operating on `count' may be undefined
a.c:8: warning: operating on `count' may be undefined

Well, he later gave me a link of this :
http://www.ddj.com/dept/cpp/184403851/

Problem solved? I guess so. ( The warning is -Wsequence-point, which -Wall turns on; it is pointing at exactly the undefined modify-and-read of count. ) I still cannot answer what Perl and PHP do, though.
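An added example, not code from the post : it records which argument gcc evaluates first ( either order is legal, and the test below accepts both ) and gives the well-defined rewrite of the loop, with the increment moved out of the argument list. Function and variable names are my own.

```c
/* Added example, not from the original post. Shows that argument evaluation
 * order is the compiler's choice, and the well-defined form of the loop. */
#include <stdio.h>
#include <string.h>

static char order[3];

/* Appends a tag to a global log and returns it. Each mark() is a separate
 * function call, so evaluating them in either order is unspecified
 * behaviour (the compiler picks), not undefined behaviour. */
static int mark(char tag)
{
    size_t n = strlen(order);
    if (n < 2) { order[n] = tag; order[n + 1] = '\0'; }
    return tag;
}

static void observe(int a, int b) { (void)a; (void)b; }

/* Returns "ab" if the left argument was evaluated first, "ba" otherwise. */
const char *argument_evaluation_order(void)
{
    order[0] = '\0';
    observe(mark('a'), mark('b'));
    return order;
}

/* The loop from the post with the modification taken out of the argument
 * list: read count, then increment it after a sequence point. Writes the
 * pairs (i, i) into out and returns how many pairs were written. */
int fill_pairs(int *out, int limit)
{
    int count = 0, n = 0;
    while (count < limit) {
        int current = count;        /* read once ... */
        count++;                    /* ... modify after the read completes */
        out[n++] = current;
        out[n++] = current;
    }
    return n / 2;
}

int main(void)
{
    int pairs[16];
    printf("argument order: %s\n", argument_evaluation_order());
    int n = fill_pairs(pairs, 8);
    for (int i = 0; i < n; i++)
        printf("%d %d\n", pairs[2 * i], pairs[2 * i + 1]);
    return 0;
}
```

The equivalent one-line fix of the original is printf("%d %d\n", count, count); followed by count++; on its own statement.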

Saturday, February 24, 2007

Ubuntu USB device name

Due to serious hardware failures, all my computers went down. Now I am down to a live CD... Ubuntu here.

The USB stick is my only storage after all. It did not, however, appear at /dev/sda1 but at /dev/sdd1 . How did I discover it? Simple. At first :

$sudo dmesg

However, that is not good enough.

$sudo fdisk -l
Device Boot Start End Blocks Id System
/dev/sdd1 * 1 1956 500720 e W95 FAT16 (LBA)

That's better. You can then :

$sudo mkdir /tmp/mnt
$sudo mount -t vfat /dev/sdd1 /tmp/mnt

You need to specify the filesystem type of the USB stick, and mount the partition ( /dev/sdd1 ) rather than the whole disk ( /dev/sdd ). I found mine to be vfat ( by guessing only, unfortunately, although the FAT16 partition type fdisk reports is a good hint ). And that is all.


By the way, there is an auto-mount feature.

Friday, February 23, 2007

Accelerated Death

Recently all 4 of my computers went down. I would like to share the death of one of them, so as to alert you visitors.

One of my hard disks, which ran Debian Sarge, started to pop out error messages unstoppably.

The error probably came from extremely frequent random disk writes 2 months ago. I wrote a crawler that saved its content directly to the hard disk at lightning speed for days. This probably inflicted a heavy load on the disk. Bad.

The correct way would have been to collect the data in memory and write it to the hard disk in buffered batches, not piece by piece like I did. ( I was rushing the project within days, which drove me to do it the bad way. )

Anyway, remember that this is a bad coding style. Now, are SQL databases different?

Tuesday, February 6, 2007

GDB Argument Standard Input

There might be someone who has trouble forcing long arguments in during hacking, and has been googling for hours without finding anything useful. I asked myself : "I don't think people type the arguments into their program manually every time they gdb it? Even if the arguments are thousands of characters long..."

This is tested in GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)

Attempted Solution 1 :
#gdb ./a <>

Nope, this will definitely fail.


Attempted Solution 2 :
# gdb
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
(gdb) ./a <>

Nope, this fails too.


So after asking for directions ( thanks to Zekta and Tom ), we have the two solutions below.


Solution 1 :
gdb -x args.in ./a

args.in is a file containing gdb commands, for example :
============================
set args args1 args2 args3 args4
============================

Solution 2 :
(gdb) r `cat arguments.in`

arguments.in is a file containing the arguments to be passed. In both cases gdb hands the argument string to the shell to start the program, so the file contents are word-split, and any quotes, backticks or other shell metacharacters in them must be escaped ( see the next post ).


There is also a solution using xargs, but I have never tried it. It's well worth a try; both of the ways above are kind of brute force. Anyway, it works, that's it, and it is automated.

Escape Characters in Shellcode

> sh: unexpected EOF while looking for matching `''
> sh: syntax error: unexpected end of file

> sh: unexpected EOF while looking for matching ``'
> sh: syntax error: unexpected end of file


If you are passing shellcode as arguments to a program in a predefined way, you might encounter the problem above. No big deal. It can be simulated by opening /bin/sh, entering a ` or ' character, and then sending an EOF character ( CTRL + D ) : the shell is still waiting for the closing quote when the input ends. It bites under gdb because gdb starts the program through the shell, so the argument string is parsed by sh before the program ever sees it.

Now :

sh-2.05b# \`
sh: `: command not found
sh-2.05b# \'
sh: ': command not found
sh-2.05b#

Just locate the hexadecimal codes for such characters ( 0x27 for ' and 0x60 for ` ) and escape them by adding a backslash. The problem will be solved. One byte cannot be fixed this way : 0x00. Arguments are NUL-terminated strings, so a NUL anywhere in the payload truncates the argument.
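An added example that is not part of either post : a small C helper that single-quotes an arbitrary byte buffer for the shell and writes the set args line for gdb -x, so shellcode containing ' or ` survives the shell gdb uses to start the program. Single-quoting is my substitute for the backslash escaping described above ( inside '...' every byte except ' is literal, so it covers every metacharacter at once ). The payload bytes and the file name args.in are constructed for the example.

```c
/* Added example, not from the original posts: quote a byte buffer for the
 * shell that gdb starts the program with, and emit a "set args" line for
 * gdb -x. Payload bytes and the output file name are constructed. */
#include <stdio.h>
#include <string.h>

/* Single-quotes buf[0..n) into out. The only byte that cannot sit inside
 * '...' is ' itself, emitted as '\'' (close, escaped quote, reopen).
 * Returns the output length, or -1 if out is too small or buf contains a
 * NUL, which can never be part of an argv string. */
int shell_single_quote(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == 0) return -1;
        if (buf[i] == '\'') {
            if (o + 4 > outsz) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)buf[i];
        }
    }
    if (o + 2 > outsz) return -1;     /* room for the closing quote and NUL */
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Writes "set args <quoted buffer>" to path, for use as: gdb -x path ./a */
int write_gdb_args_file(const char *path, const unsigned char *buf, size_t n)
{
    char quoted[4096];
    if (shell_single_quote(buf, n, quoted, sizeof quoted) < 0) return -1;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fprintf(f, "set args %s\n", quoted) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* constructed payload: a NOP sled, then the ' and ` that produced the
     * unmatched-quote errors quoted above, then a few other metacharacters */
    unsigned char payload[] = { 0x90, 0x90, 0x27, 0x60, 0x24, 0x28, 0x41 };
    char quoted[64];
    if (shell_single_quote(payload, sizeof payload, quoted, sizeof quoted) < 0) return 1;
    printf("%s\n", quoted);
    return write_gdb_args_file("args.in", payload, sizeof payload) == 0 ? 0 : 1;
}
```

The same quoted string can be pasted after run at the (gdb) prompt, since run goes through the same shell. A payload with a 0x00 byte has to be delivered some other way ( a file read by the program, or stdin ) rather than through argv.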

Mixed Graph Euler Circuit

This is a graph orientation problem. Please search for that keyword for more details.

The problem asks whether a mixed graph ( some edges directed, some undirected ) has an Eulerian circuit, and to print one if it does.

1) Keep two edge sets, G_undirected and G_directed, storing undirected and directed edges independently.
2) First assign every undirected edge an arbitrary direction.
3) Then compute the difference between the in-degree and out-degree of each vertex. Reversing one undirected edge changes that difference by 2 at each of its endpoints, so if any vertex has an odd difference no circuit exists.
4) Create two new vertices s, t.
For each vertex u with indegree[u] > outdegree[u] , create an edge ( u , t ) of capacity ( indegree[u] - outdegree[u] ) / 2 .
For each vertex u with indegree[u] < outdegree[u] , create an edge ( s , u ) of capacity ( outdegree[u] - indegree[u] ) / 2 .
Each undirected edge, in the direction assigned in step 2, is a network edge of capacity 1.
5) Perform a maximum flow from s to t. If the flow saturates every edge out of s ( equivalently every edge into t; the two capacity totals are equal ), an Euler circuit exists.
6) Lastly, reverse every undirected edge that carries flow, merge the result with the directed edge set, and walk an Euler circuit ( Hierholzer's DFS ) to print it.

Pseudocode as follows :
================================================================
// Graph setup
Original Graph G ;
Hide all directed edges ;
Assign all undirected edges a single direction ( capacity 1 each ) ;

For each vertex v :
{
    if ( indegree[v] - outdegree[v] > 0 )
        create an edge ( v , tank ) of capacity ( (indegree[v]-outdegree[v]) / 2 )
    if ( indegree[v] - outdegree[v] < 0 )
        create an edge ( source , v ) of capacity ( (outdegree[v]-indegree[v]) / 2 )
}

total_flow = maximum_flow(G);

if ( total_flow == total_capacity_out_of(source) )   // equivalently total_capacity_into(tank)
{
    // there is an eulerian circuit
    Reverse the undirected edges that carried flow, as in the flow graph,
    and merge with the original directed-edge-only graph.
    Circuit = get_euler_circuit(G);
    print_path(Circuit);
}
================================================================



Follow ups :

I'll just update this with a more verbal explanation.
When you force a direction in step 2), you then link the vertices with uneven in- and out-degrees and try to "dampen" the difference on each augmentation, whenever a flow is possible, by reversing the edges used by the flow ( so the in-degree of one endpoint goes down by 1 and its out-degree goes up by 1, making it more even ). Eventually it reaches a state where every vertex has in-degree equal to out-degree.

All vertices : in-degree == out-degree.
Done!

By the way, this graph is assumed to be connected. ( A disconnected graph has no Euler circuit however its edges are oriented, and the DFS in step 6 would simply run out of edges early. )


Problem Source :
http://acm.uva.es/p/v107/10735.html
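The procedure above carried through as an added example, not code from the post or a judge solution : it orients the undirected edges with an Edmonds-Karp max-flow over a small dense network and then prints an Euler circuit with Hierholzer's algorithm. The graph in main() is constructed test data, MAXV and MAXE are limits chosen for the example, and undirected edges are assumed not to be parallel to each other so that one unit of flow on ( u , v ) identifies exactly one edge to reverse.

```c
/* Added example, not code from the original post: orients the undirected edges
 * of a mixed graph with a max-flow (steps 2 to 6 above), then extracts an Euler
 * circuit with Hierholzer's algorithm. The graph in main() is constructed test
 * data and MAXV/MAXE are limits chosen for the example. Undirected edges are
 * assumed not to be parallel to each other, so one unit of flow on (u, v)
 * identifies exactly one edge to reverse. */
#include <stdio.h>
#include <string.h>

#define MAXV 16
#define MAXE 64
#define NET  (MAXV + 2)            /* graph vertices plus source and sink */

static int cap[NET][NET];          /* residual capacities of the flow network */
static int eu[MAXE], ev[MAXE];     /* edge i currently runs eu[i] -> ev[i] */
static int head[MAXV], nxt[MAXE];  /* adjacency lists used by Hierholzer */

/* Edmonds-Karp on the dense residual matrix: maximum flow from s to t. */
static int max_flow(int s, int t)
{
    int flow = 0, parent[NET], queue[NET];
    for (;;) {
        int qh = 0, qt = 0;
        memset(parent, -1, sizeof parent);
        parent[s] = s; queue[qt++] = s;
        while (qh < qt && parent[t] == -1) {
            int u = queue[qh++];
            for (int v = 0; v < NET; v++)
                if (parent[v] == -1 && cap[u][v] > 0) { parent[v] = u; queue[qt++] = v; }
        }
        if (parent[t] == -1) return flow;
        int b = cap[parent[t]][t];                       /* bottleneck on the path */
        for (int v = t; v != s; v = parent[v])
            if (cap[parent[v]][v] < b) b = cap[parent[v]][v];
        for (int v = t; v != s; v = parent[v]) { cap[parent[v]][v] -= b; cap[v][parent[v]] += b; }
        flow += b;
    }
}

/* Edge i runs us[i] -> vs[i]; undirected[i] != 0 means it may be reversed.
 * On success writes the m + 1 vertices of an Euler circuit to out and returns
 * that length; returns -1 when no Euler circuit exists. */
int mixed_euler_circuit(int n, int m, const int *us, const int *vs,
                        const int *undirected, int *out)
{
    int s = MAXV, t = MAXV + 1, balance[MAXV] = {0}, need = 0;
    if (n > MAXV || m > MAXE || m == 0) return -1;
    memset(cap, 0, sizeof cap);

    /* Steps 2-3: keep the given direction for now and tally out-degree minus
     * in-degree. Only undirected edges enter the network, with capacity 1. */
    for (int i = 0; i < m; i++) {
        eu[i] = us[i]; ev[i] = vs[i];
        balance[eu[i]]++; balance[ev[i]]--;
        if (undirected[i]) cap[eu[i]][ev[i]] += 1;
    }
    /* Step 4: reversing one edge moves 2 units of balance at each end, so an odd
     * balance is fatal; otherwise s feeds vertices with surplus out-degree and
     * vertices with surplus in-degree drain to t, balance/2 units each. */
    for (int v = 0; v < n; v++) {
        if (balance[v] % 2) return -1;
        if (balance[v] > 0) { cap[s][v] = balance[v] / 2; need += balance[v] / 2; }
        if (balance[v] < 0) cap[v][t] = -balance[v] / 2;
    }
    /* Step 5: a circuit exists only if every edge out of s is saturated. */
    if (max_flow(s, t) != need) return -1;
    /* Step 6: an undirected edge that carried flow is reversed. */
    for (int i = 0; i < m; i++)
        if (undirected[i] && cap[eu[i]][ev[i]] == 0) { int x = eu[i]; eu[i] = ev[i]; ev[i] = x; }

    /* Hierholzer with an explicit stack; following an edge unlinks it. */
    memset(head, -1, sizeof head);
    for (int i = 0; i < m; i++) { nxt[i] = head[eu[i]]; head[eu[i]] = i; }
    int stack[MAXE + 1], sp = 0, len = 0;
    stack[sp++] = us[0];
    while (sp > 0) {
        int v = stack[sp - 1], e = head[v];
        if (e == -1) out[len++] = stack[--sp];           /* no edges left: emit v */
        else { head[v] = nxt[e]; stack[sp++] = ev[e]; }  /* walk along edge e */
    }
    if (len != m + 1) return -1;                         /* graph is not connected */
    for (int i = 0; i < len / 2; i++) {                  /* emitted in reverse order */
        int x = out[i]; out[i] = out[len - 1 - i]; out[len - 1 - i] = x;
    }
    return len;
}

int main(void)
{
    /* constructed: directed 0->1, 1->2; undirected {2,3} and {0,3} given as 3->2, 0->3 */
    int us[] = {0, 1, 3, 0}, vs[] = {1, 2, 2, 3}, und[] = {0, 0, 1, 1}, circuit[8];
    int len = mixed_euler_circuit(4, 4, us, vs, und, circuit);
    if (len < 0) { puts("no euler circuit"); return 1; }
    for (int i = 0; i < len; i++) printf("%d%c", circuit[i], i + 1 < len ? ' ' : '\n');
    return 0;
}
```

On the constructed graph the initial orientation gives vertex 0 a surplus of two out-edges and vertex 2 a surplus of two in-edges; one unit of flow s -> 0 -> 3 -> 2 -> t reverses both undirected edges and the circuit 0 1 2 3 0 falls out. The disconnected case is caught by the length check after the DFS rather than by a separate pass.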

Monday, January 29, 2007

Let's global!

Today, Zektonic and I were working on a program to be exploited by us only. We incorporated a few techniques to make the experience tough, even for us. The details will come out after the assignment is due.

However, while studying variable allocation, we discovered something very eerie. Look at the two tables below, generated by two very similar programs, and take note of the locations of the variables in the right-hand table ( in1 , in3 , in4 ) :

Left : gcc version 4.1.2 20061020 (prerelease) (Debian 4.1.1-17) , Kernel 2.6.8-2-386

int main(){
int a;
int b[10];
int c[10];
char d;
char e[10];
char f;
int g;
printf("%p\n",&a);
printf("%p\n",&b);
printf("%p\n",&c);
printf("%p\n",&d);
printf("%p\n",&e);
printf("%p\n",&f);
printf("%p\n",&g);
}

Output :
0xbffff890
0xbffff868
0xbffff840
0xbffff83f
0xbffff835
0xbffff834
0xbffff830

Right : gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) , Kernel 2.4.20-8smp

int main(){
int in1;
int in2;
char b1[16];
int in3;
char b2[16];
int in4;
char b3[16];
printf("in1 %p\n",in1);
printf("in2 %p\n",in2);
printf("in3 %p\n",in3);
printf("in4 %p\n",in4);
printf("b1 %p\n",b1);
printf("b2 %p\n",b2);
printf("b3 %p\n",b3);
}

Output :
in1 0x80483ce
in2 0xbfffed28
in3 0x80482a6
in4 0x40015a38
b1 0xbfffed00
b2 0xbfffece0
b3 0xbfffecc0


Follow ups ( 2007/1/30 00:51 ) :
After re-entering the system, I reviewed the source code. As seen above, the difference turns out to be the address-of operator ( & , the ampersand ) : the right-hand program passes the value of each variable to %p instead of its address, so what gets printed is whatever sits in each stack slot, not where the slot is.

If you do not understand, look at this modified program and its output.

Source :
#include <stdio.h>

int main(){
int in1;
int in2;
char b1[16];
int in3;
char b2[16];
int in4;
char b3[16];
in1 = 5;
/* every variable is passed by value: %d shows the number, %p shows the same bits as a pointer */
printf("in1 %d %p\n",in1,in1);
printf("in2 %d %p\n",in2,in2);
printf("in3 %d %p\n",in3,in3);
printf("in4 %d %p\n",in4,in4);
printf("b1 %d %p\n",b1,b1);
printf("b2 %d %p\n",b2,b2);
printf("b3 %d %p\n",b3,b3);
}

Output :
in1 5 0x5
in2 -1073745912 0xbffff008
in3 134513318 0x80482a6
in4 1073830456 0x40015a38
b1 -1073745952 0xbfffefe0
b2 -1073745984 0xbfffefc0
b3 -1073746016 0xbfffefa0


Do the values in the output look familiar? They are exactly the uninitialized variables you often see in C programs : %p just prints whatever was left on the stack in each slot, and in1 prints 0x5 because it is the only one assigned ( the arrays, being arrays, decay to their addresses, which is why b1..b3 still look like stack pointers ). Reading an uninitialized local is undefined behaviour and passing an int to %p is a type mismatch, so these are observations about one gcc build and one run, not something to rely on.

Sunday, January 28, 2007

APT loop

Today I was trying to install Damn Small Linux for some experiments. It is truly a dedicated LiveCD tool : it even lacks "apt-get" and "make". Also, there is an APT dependency loop in the packages. The first one is easy; just make sure your computer has network support and

right-click anywhere -> Apps -> Tools -> Enable Apt

done.
Afterwards, it is suggested that you switch to another APT source, as the default might not give optimal speed. For me, this works :

http://ftp.jp.debian.org/debian/ unstable main non-free contrib

Then get "make" as well.

The latter one is a little bit of trouble :

E: This installation run will require temporarily removing the essential package e2fsprogs due to a Conflicts/Pre-Depends loop. This is often bad, but if you really want to do it, activate the APT::Force-LoopBreak option.
E: Internal Error, Could not early remove e2fsprogs

The APT man page is missing in my DSL, and so is my other server. Tough luck. I googled and found a solution at ( http://gnuru.org/?node_id=953 ) :

apt-get -o APT::Force-LoopBreak=yes install make

Just enter this command, and boo! Done! ( Keep in mind what the message says : an essential package is removed mid-run, which is fine on a throwaway live session but not something to do casually on a real system. )

Saturday, January 27, 2007

SYSTEM_PROCESS struct

I have been learning the Windows kernel lately. The two structs below seem very similar. However, it turned out that they serve different purposes, and the one used for keeping track of process nodes was the right one. Having the wrong one would not BSOD the computer, but would probably cause a crash.
( My mistake cost me a 1 GB file in the memory buffer. )

The funny ( but valueless ) thing is that you can keep everything after an entry hidden this way, since a zero link ends the walk :

SystemInformation->NextEntryDelta = 0;

struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; // win2k only
struct _SYSTEM_THREADS Threads[1];
};
/* Defined in ntdll.h */
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
BYTE Reserved1[48];
PVOID Reserved2[3];
HANDLE UniqueProcessId;
PVOID Reserved3;
ULONG HandleCount;
BYTE Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;

Reference : Rootkits : Subverting the Windows Kernel
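An added example, not code from the post or from the cited book : it walks a buffer of NextEntryOffset-chained records the way a consumer of the process list does, and shows the two ways an entry can vanish from that walk, the blunt zeroed link from the post and the selective relinking of a predecessor. The struct is a deliberately minimal stand-in for SYSTEM_PROCESS_INFORMATION ( link field, pid and name only, not the real layout ), the records are constructed in user memory, and nothing here touches the kernel.

```c
/* Added example, not from the post or the cited book: walk a buffer of
 * NextEntryOffset-chained records and hide entries from that walk. The struct
 * is a minimal stand-in for SYSTEM_PROCESS_INFORMATION, not the real layout,
 * and the records are constructed in user memory. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct entry {
    uint32_t NextEntryOffset;   /* bytes from this record to the next; 0 ends the list */
    uint32_t UniqueProcessId;
    char     ImageName[16];
};

/* Lays out n records back to back; returns the number of bytes written. */
size_t build_list(unsigned char *buf, const uint32_t *pids, const char **names, int n)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        struct entry e;
        memset(&e, 0, sizeof e);
        e.NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof e : 0;
        e.UniqueProcessId = pids[i];
        strncpy(e.ImageName, names[i], sizeof e.ImageName - 1);
        memcpy(buf + off, &e, sizeof e);
        off += sizeof e;
    }
    return off;
}

/* Follows the chain from the first record, storing up to max pids in seen.
 * Returns how many records the walk reached. memcpy avoids alignment traps
 * on a buffer that is only guaranteed to be bytes. */
int walk_list(const unsigned char *buf, uint32_t *seen, int max)
{
    const unsigned char *p = buf;
    int n = 0;
    for (;;) {
        struct entry e;
        memcpy(&e, p, sizeof e);
        if (n < max) seen[n] = e.UniqueProcessId;
        n++;
        if (e.NextEntryOffset == 0) return n;
        p += e.NextEntryOffset;
    }
}

/* The post's blunt trick: zero the link of the record for pid, so the walk
 * stops there and every later record is hidden. Returns 1 if pid was found. */
int truncate_after(unsigned char *buf, uint32_t pid)
{
    unsigned char *p = buf;
    for (;;) {
        struct entry e;
        memcpy(&e, p, sizeof e);
        if (e.UniqueProcessId == pid) {
            e.NextEntryOffset = 0;
            memcpy(p, &e, sizeof e);
            return 1;
        }
        if (e.NextEntryOffset == 0) return 0;
        p += e.NextEntryOffset;
    }
}

/* The selective version from the rootkit literature: make the predecessor's
 * link jump over the record for pid. Its bytes stay in place; only the walk
 * skips it. The first record has no predecessor and is left alone.
 * Returns 1 if a record was unlinked. */
int hide_pid(unsigned char *buf, uint32_t pid)
{
    unsigned char *prev = NULL, *p = buf;
    for (;;) {
        struct entry e;
        memcpy(&e, p, sizeof e);
        if (e.UniqueProcessId == pid) {
            if (prev == NULL) return 0;
            struct entry pe;
            memcpy(&pe, prev, sizeof pe);
            pe.NextEntryOffset = e.NextEntryOffset ? pe.NextEntryOffset + e.NextEntryOffset : 0;
            memcpy(prev, &pe, sizeof pe);
            return 1;
        }
        if (e.NextEntryOffset == 0) return 0;
        prev = p;
        p += e.NextEntryOffset;
    }
}

int main(void)
{
    /* constructed process list */
    const uint32_t pids[] = {4, 100, 200, 300};
    const char *names[] = {"System", "a.exe", "b.exe", "c.exe"};
    unsigned char buf[4 * sizeof(struct entry)];
    uint32_t seen[4];
    build_list(buf, pids, names, 4);
    hide_pid(buf, 200);
    int n = walk_list(buf, seen, 4);
    for (int i = 0; i < n; i++) printf("pid %u\n", (unsigned)seen[i]);
    return 0;
}
```

Because the hidden record's bytes never leave the buffer, a consumer that scans the buffer by record size instead of by link, or that compares the walk against a second enumeration source, still sees the gap; that is the usual cross-view way such hiding is detected.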