All posts by Franklin

User Script – Channel9 Resolver

Recently, I wrote a user script to resolve download link for Channel9 site, you can simply list all available links in a Channel 9 page: http://channel9.msdn.com/

1. Install Script Extension for your Web Browser

2. Open a video page in Channel 9, for example: http://channel9.msdn.com/Blogs/Windows-Phone/Coding-Basics-and-App-Creation-Part-1-

3. Click the “Resolve” button below the video area

Channel9-1

4. Enjoy it!

Chennel9-2

Download it from GreasyFork

Be Careful With Backslash in WMI Query String

Background & Issue:

Recently, a customer encountered a issue:

He removed a volume’s drive letter which label was “AAA” in the Disk Management(Win+R -> diskmgmt.msc)

Now, getting the free space of this volume is what he wanted, as we know, each volume has GUID to identify itself, so this customer create a method to obtain volume GUID by label, it used WMI query:

internal string GetDriveGuidByLabel(string driveLabel)
{
            using (ManagementObjectSearcher ms = new ManagementObjectSearcher(String.Format("Select * From Win32_Volume Where Label = '{0}'", driveLabel)))
            {
                foreach (var mo in ms.Get().Cast<ManagementObject>())
                {
                    return mo["DeviceID"].ToString();
                }
            }
            return null;
}

The result like this: \\?\Volume{2c6c2c33-987b-11e3-8257-806e6f6e6963}\

Next, after getting the volume GUID, to retrieve the information of this volume, WMI query could accomplish this:

SELECT * FROM Win32_Volume WHERE DeviceID = '\\\\?\\Volume{2c6c2c37-987b-11e3-8257-806e6f6e6963}\\'

He created a method:

internal Int64 GetDriveAvailableSpaceByDriveGuid(string driveGuid)
{
            // The commented line below does not work - returns InvalidQuery System.Management.Exception no matter what I tried.
            using (ManagementObjectSearcher ms = new ManagementObjectSearcher(String.Format("Select * from Win32_Volume Where DeviceID = '{0}'", driveGuid)))
            {
                ManagementObject mo = ms.Get().Cast<ManagementObject>().First();
                return Int64.Parse(mo["FreeSpace"].ToString());
            }
            return 0;
}

But it didn’t work with exception as below:

An unhandled exception of type ‘System.Management.ManagementException’ occurred in System.Management.dll
Additional information: Invalid query

Troubleshoot & Solution:

At first, I used WMI Code Creator to verify WMI query string: Utility Spotlight: WMI Code Creator

The WMI query string was correct. I noticed that there were some backslashes inside the volume GUID, generally, we need to use a verbatim string literal @”…” to prevent the backslash being treated as an escape sequence in C#, like this:

ManagementObjectSearcher searcher = new ManagementObjectSearcher(@"SELECT * FROM Win32_Volume WHERE DeviceID = '\\\\?\\Volume{2c6c2c37-987b-11e3-8257-806e6f6e6963}\\'");

For this customer’s method, we need to use String.Replace() method for avoiding exception:

internal Int64 GetDriveAvailableSpaceByDriveGuid(string driveGuid)
{
            using (ManagementObjectSearcher ms = new ManagementObjectSearcher(String.Format("Select * from Win32_Volume Where DeviceID = '{0}'", driveGuid.Replace("\\", @"\\"))))
            {
                ManagementObject mo = ms.Get().Cast<ManagementObject>().First();
                return Int64.Parse(mo["FreeSpace"].ToString());
            }

            
            return 0;
}

Screenshot:
GetDriveAvailableSpaceByDriveGuid

New Exploit Vulnerability: CVE-2014-6271

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

An advisory from Akamai explains the problem in more depth, as does this OSS-Sec mailing list post.

How to check?

You can check if you’re vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words “busted”, then you’re at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Or run this command in the default shell:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the output includes the word “vulnerable”, okay… you’re at risk.

Patch:

This vulnerability affects Apple’s OS X – and is useful for privilege escalation – as well as Debian and other Linux distributions. Fortunately, patches are already available: http://seclists.org/oss-sec/2014/q3/650

Patch your systems ASAP!

Support List:

  1. Novel/SuSE
  2. Debian
  3. Ubuntu
  4. Mint
  5. Redhat/Fedora
  6. Mageia
  7. CentOS

After patching my system (Ubuntu 12.04 LTS):
ShellShock

Using the Bing Maps REST Services To Obtain the Route in the .NET Application

The Bing Maps platform provides multiple API options for your application including an AJAX control, a Windows Store apps control, a WPF control, REST Services, and Spatial Data Services. See more information: http://www.microsoft.com/maps/choose-your-bing-maps-API.aspx

To obtain the route data, Bing Maps REST Services is our choice: http://msdn.microsoft.com/en-us/library/ff701713.aspx

The Bing™ Maps REST Services Application Programming Interface (API) provides a Representational State Transfer (REST) interface to perform tasks such as creating a static map with pushpins, geocoding an address, retrieving imagery metadata, or creating a route.

About using the REST Services with .NET, this article is helpful: http://msdn.microsoft.com/en-us/library/jj819168.aspx

Here is my WPF sample:

XAML:

<Grid>
        <m:Map Name="myMap" 
               Center="-1.968404, 30.036240" 
               ZoomLevel="10"
               CredentialsProvider="Fill Your Key"
               Mode="AerialWithLabels" ></m:Map>

        <StackPanel Orientation="Horizontal" HorizontalAlignment="Center" VerticalAlignment="Bottom">
            <Label Content="From: " FontWeight="Bold" />
            <TextBox Width="80" Height="20" Name="fromTxb" Text="New York" />
            <Label Content="To: " FontWeight="Bold" />
            <TextBox Width="80" Height="20" Name="toTxb" Text="Seattle" />
            <Button Content="Route" Width="80" Click="RouteButton_Click" />
        </StackPanel>
    </Grid>

Using the following method to request route data from REST Services:

private void Route(string start, string end, string key, Action<Response> callback)
{
            //Culture c = CultureDD.SelectedItem as Culture;
            Uri requestURI = new Uri(string.Format("http://dev.virtualearth.net/REST/V1/Routes/Driving?wp.0={0}&wp.1={1}&rpo=Points&key={2}", Uri.EscapeDataString(start), Uri.EscapeDataString(end), key));
            //QueryURLTbx.Text = requestURI.AbsoluteUri;
            GetResponse(requestURI, callback);
}

private void GetResponse(Uri uri, Action<Response> callback)
{
            try
            {
                HttpWebRequest request = WebRequest.Create(uri) as HttpWebRequest;
                using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)
                {
                    using (Stream stream = response.GetResponseStream())
                    {
                        DataContractJsonSerializer ser = new DataContractJsonSerializer(typeof(Response));

                        if (callback != null)
                        {
                            callback(ser.ReadObject(stream) as Response);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
}

Getting the credential:

private void GetRoute(string fromloc, string toloc)
{
            string to = toloc;//"Seattle";
            string from = fromloc;//"New York";

            if (!string.IsNullOrWhiteSpace(from))
            {
                if (!string.IsNullOrWhiteSpace(to))
                {
                    GetKey((c) =>
                    {
                        Route(from, to, c, (r) =>
                        {
                            if (r != null &&
                                r.ResourceSets != null &&
                                r.ResourceSets.Length > 0 &&
                                r.ResourceSets[0].Resources != null &&
                                r.ResourceSets[0].Resources.Length > 0)
                            {
                                Route route = r.ResourceSets[0].Resources[0] as Route;

                                double[][] routePath = route.RoutePath.Line.Coordinates;
                                LocationCollection locs = new LocationCollection();

                                for (int i = 0; i < routePath.Length; i++)
                                {
                                    if (routePath[i].Length >= 2)
                                    {
                                        locs.Add(new Microsoft.Maps.MapControl.WPF.Location(routePath[i][0], routePath[i][1]));
                                    }
                                }

                                MapPolyline routeLine = new MapPolyline()
                                {
                                    Locations = locs,
                                    Stroke = new SolidColorBrush(Colors.Red),
                                    StrokeThickness = 5
                                };

                                myMap.Children.Add(routeLine);

                                myMap.SetView(locs, new Thickness(30), 0);
                            }
                            else
                            {
                                MessageBox.Show("No Results found.");
                            }
                        });
                    });
                }
                else
                {
                    MessageBox.Show("Invalid End location.");
                }
            }
            else
            {
                MessageBox.Show("Invalid Start location.");
            }
}

Screenshot(gif):
WpfBingMapsRoute

Download Sample: WpfBingMapsRoute

To get the Bing Maps Trial Key, please go to here: http://www.microsoft.com/maps/

Here are some Bing Maps resources, please refer to: Bing Maps Resources

Always Use Plain Type(e.g. char*) As Parameter For P/Invoke

Background:

Recently, a customer encountered a strange issue. He created a C++ class library with I/O operation:

Source File:

#include "stdafx.h"
#include
#include

#include "DynamicDLLToCall.h"
using namespace std;

void zlog(string fstr)
{
	FILE * debug;
	debug = fopen("zlog.txt", "a");
	ifstream iFile(fstr);
	fprintf(debug, "fsadfsdfsdfsdfdsfsdf");
	fclose(debug);
}

Header File:

using namespace System;
using namespace std;

extern "C" __declspec(dllexport) void zlog(string fstr);

Now, he want to call zlog() method in a .NET project:

[DllImport("D:/ClassLibrary1.dll")]
public static extern void zlog(string fstr);//imported func

private void Button_Click(object sender, RoutedEventArgs e)
{
            zlog("asdas");
}

Issue:
This app crashed when the zlog() function is called and the zlog.txt file was successfully created.

Troubleshoot:

At first, I tried to comment some code snippets in the zlog(string fstr) function, but this issue still existed, so I think it should be more related to the declaration of this function.

With the help from C++ expert, it may be caused by this reason: C++ doesn’t support(or fully support) ABI(Application Binary Interface) which is required to help clean the stack of the object.

What is ABI? Please refer to these references:

ABIs cover details such as:

–the sizes, layout, and alignment of data types

–the calling convention, which controls how functions’ arguments are passed and return values retrieved; for example, whether all parameters are passed on the stack or some are passed in registers, which registers are used for which function parameters, and whether the first function parameter passed on the stack is pushed first or last onto the stack

–how an application should make system calls to the operating system and, if the ABI specifies direct system calls rather than procedure calls to system call stubs, the system call numbers

–and in the case of a complete operating system ABI, the binary format of object files, program libraries and so on.

A complete ABI, such as the Intel Binary Compatibility Standard (iBCS),[1] allows a program from one operating system supporting that ABI to run without modifications on any other such system, provided that necessary shared libraries are present, and similar prerequisites are fulfilled.

——–

So always use plain type(e.g. char*) as parameter for P/invoke instead of using type within the std namespace as parameter.

The following code worked well now:

C++ declaration:

extern "C" __declspec(dllexport) void zlog(char* fstr);
1

C++ function:
1
void zlog(char* fstr)
{
 //...your code
}

In .NET application code behind:

[DllImport("DynamicDLLToCall", CallingConvention = CallingConvention.Cdecl)]
public static extern void zlog(string fstr);