Tuesday, December 9, 2008

Max Headroom broadcast signal intrusion incident


I got a copy of the Max Headroom TV series to relive old times, and when I checked Wikipedia about it I found something really interesting: the

Max Headroom broadcast signal intrusion incident

Ohh shit yeahhh, and here is the original video for you

but first... let's see what the Chicago Tribune of November 30, 1987 said about it...

Dr. Who, the galaxy-roaming "Time Lord" of Channel 11-WTTW's series, came up against some real science a week ago Sunday night and lost. Somebody with a rare knack for electronics and a strange sense of humor took over WTTW's signal. For 88 seconds -- it must have seemed much longer -- fans of Dr. Who watched Max Headroom, the high-tech TV caricature, gabbling unintelligibly and being spanked on his bare behind with a fly swatter.

Earlier the same joker had interrupted WGN-Channel 9's highlights of the Bears game with the ghost of Max Headroom. Both stations and the Federal Communications Commission are doing all they can to find this invader of the airwaves and correct him or her, not with a fly swatter.

The meeting of Dr. Who and the electronic pirate is a science-fiction fantasy in itself. To his doting fans, Dr. Who seems like a real person; to just about everybody, the video invader seems fictional -- a weirdo who uses amazing technological skill to perpetrate a silly stunt involving a parody of a parody, and now has technicians busily thinking up new ways to prevent such stunts. Scientific progress does seem to be more fun than it used to be.






This is the **Original Upload** - now with improved quality!

During a broadcast of the Dr. Who episode "Horror of Fang Rock" on WTTW Chicago Channel 11, on Sunday November 22nd, 1987, at around 11:15pm, a Video "Pirate" wearing a Max Headroom mask broke into the signal and transmitted one of the weirdest, unauthorized things ever to hit the Chicago airwaves.

Earlier in the evening on the same day, during the Nine O'Clock News on Channel 9 (Yes, a completely different channel) the Max Headroom Pirate also broke in - although it was for a much shorter time and there was no audio.

Needless to say, Dan Rohn (the sports reporter) was a bit flustered.

And no, he was never caught.

My Take: The guy was probably high and/or drunk. Even with the audio distortion, his ramblings don't make much sense. Here's what I am able to make out:

"He's a freaky nerd!"

"This guy's better than Chuck Swirsky." [another WGN sportscaster at the time]

"Oh Jesus!"

"Catch the wave..." [reference to a Coke commercial at the time of which Max Headroom was a spokesperson]

"Your love is fading..."

"I stole CBS."

"Oh, I just made a giant masterpiece printed all over the greatest world newspaper nerds." [??]

"My brother [mother?] is wearing the other one."

"It's dirty..."

"They're coming to get me..."

(Note also that he appears to be wearing a [rude word deleted] on his middle finger.)

For more info you can visit:

http://www.textfiles.com/magazines/TOLMES/tns14
http://en.wikipedia.org/wiki/Max_Headroom_broadcast_signal_intrusion_incident
http://winstonengle.tripod.com/chicagowho/maxhead.htm

Tuesday, December 2, 2008

Wikipedia

So true... But, who can live without it?

Tuesday, November 25, 2008

Halting State


Charlie Stross's latest novel Halting State starts out as a hilarious post-cyberpunk police procedural, turns into a gripping post-cyberpunk technothriller, and escalates into a Big Ideas book about the future of economics, virtual worlds, the nation state and policing, while managing to crack a string of geeky in-jokes, play off a heaping helping of gripping action scenes, and telling a pretty good love story.

Here's the gimmick: Halting State opens when a virtual bank in a distributed, multiplayer world is robbed by a horde of orcs who march in and clean it out of all its prestige items and other loot, a direct frontal assault on the game-economy's integrity. The losses run to millions, which triggers an insurance audit -- led by Elaine, who's not only a forensic accountant, but also a sword-swinging LARPer who likes her espionage alternate reality games. She contracts with Jack, an extraordinary gamespace hacker who's just been made redundant from his Edinburgh gaming company, to serve as her native guide, and finds herself working alongside of Sue, a lesbian mom detective-sergeant with the Edinburgh Polis who has been called to the scene with a report of a "robbery" and is now duty-bound to pursue the matter in compliance with the tenets set out in the ISO 9000 binder for police-stations.

I've been following Halting State since Charlie and I sat in a coffee shop in the Strand in London about five years ago and talked about a novel about a "multimillion dollar heist in gamespace." It's a sticky idea, and one that a lot of us are going to end up playing with over the years -- but it's also clearly one that Charlie has had an indecent amount of fun playing with. This is his tightest-plotted novel to date, a detective story with a million perfectly meshed moving parts, and a hundred magnificent surprises that had me gasping and shouting YES (to the general alarm of the guy in the next seat on my airplane).

This is the apotheosis of Stross -- a book chock-a-block with great ten-minutes-from-now technology (big hunks of the plot hinge on anonymized digicash, onion-routers, FreeNet crypto, and GNU Radio), RPG humor straight off Phil Foglio's old Dragon Magazine strip, and an impassioned series of valentines to Edinburgh, Charlie's adopted hometown.

Blend an Iain Banks thriller with a copy of Count Zero, throw in the Tokyo Games Show and a Bourne movie (and possibly a Bourne shell) and you've got something approximating Halting State. This is a book that will change the way you see the way the world works.

You can find a copy of this book in #bookz at undernet


Sunday, November 23, 2008

Minority Report Interface for real

Oblong Industries is the developer of the g-speak spatial operating environment.

The SOE's combination of gestural i/o, recombinant networking, and real-world pixels brings the first major step in computer interface since 1984; starting today, g-speak will fundamentally change the way people use machines at work, in the living room, in conference rooms, in vehicles. The g-speak platform is a complete application development and execution environment that redresses the dire constriction of human intent imposed by traditional GUIs. Its idiom of spatial immediacy and information responsive to real-world geometry enables a necessary new kind of work: data-intensive, embodied, real-time, predicated on universal human expertise.


http://oblong.com/


Tuesday, November 11, 2008

Changes

Ok, from this moment on I've decided I'll post everything in English.
I hope you understand, and if you don't, too bad for you...
but if you don't understand this, I don't know why I'm writing it hehe

Trojanin' imported Python programs

Python programs use .py as their file extension, and Python is an interpreted
language, but to speed up load times in programs that import lots of
libraries, Python automatically creates a .pyc file, a platform-independent
compiled bytecode file.

So when you import a module into your code, Python will use file.pyc
instead of file.py if it exists in the same directory.

The Python engine compares the "last modified" time of the .py file against a
timestamp stored in the .pyc header to decide whether it can use the .pyc or
whether the source changed and must now be recompiled.

.pyc file header

> bytes 0-3 magic number
> bytes 4-7 timestamp (mtime of .py file)
> bytes 8-* marshalled code object


The magic number identifies the Python version that generated the
.pyc, then we have the timestamp, and then the marshalled code object, which
is our program.

Yeah, I know it's pretty fooking funny that these guys only check a
timestamp to decide whether they have a valid .pyc

So, let's do an experiment.

Let's create a program called "lib.py" that prints the word "clean" when
executed.

And let's write caller.py, which will import lib and print "caller executed":


import lib
print "caller executed"

When you run caller using "python caller.py" you will see the following output:

clean
caller executed

And Python will create a precompiled version of lib.py called lib.pyc.

The next time we run caller.py, Python will import lib.pyc instead of lib.py.

So, let's have some fun: we will create a rogue lib to replace lib.pyc; in
this case our malignant lib will print "BAD BAD BAD" (Yeahhhhh, it's
extremely bad, don't be afraid).

And when we compare both .pyc files in a hex editor...

ORIGINAL:
00000000 6D F2 0D 0A F2 D9 19 49 63 00 00 00 00 00 00 00 00 01 00 00 m......Ic...........
00000014 00 40 00 00 00 73 09 00 00 00 64 00 00 47 48 64 01 00 53 28 .@...s....d..GHd..S(
00000028 02 00 00 00 74 05 00 00 00 63 6C 65 61 6E 4E 28 00 00 00 00 ....t....cleanN(....
0000003C 28 00 00 00 00 28 00 00 00 00 28 00 00 00 00 74 1E 00 00 00 (....(....(....t....
00000050 2F 64 6F 77 6E 6C 6F 61 64 73 2F 73 73 73 73 73 73 73 73 73 /downloads/sssssssss
00000064 2F 70 74 2F 6C 69 62 2E 70 79 74 01 00 00 00 3F 01 00 00 00 /pt/lib.pyt....?....
00000078 73 00 00 00 00 s....

MALIGNANT:
00000000 6D F2 0D 0A BD D9 19 49 63 00 00 00 00 00 00 00 00 01 00 00 m......Ic...........
00000014 00 40 00 00 00 73 09 00 00 00 64 00 00 47 48 64 01 00 53 28 .@...s....d..GHd..S(
00000028 02 00 00 00 73 0B 00 00 00 42 41 44 20 42 41 44 20 42 41 44 ....s....BAD BAD BAD
0000003C 4E 28 00 00 00 00 28 00 00 00 00 28 00 00 00 00 28 00 00 00 N(....(....(....(...
00000050 00 74 1E 00 00 00 2F 64 6F 77 6E 6C 6F 61 64 73 2F 73 73 73 .t..../downloads/sss
00000064 73 73 73 73 73 73 2F 70 74 2F 6C 69 62 2E 70 79 74 01 00 00 ssssss/pt/lib.pyt...
00000078 00 3F 01 00 00 00 73 00 00 00 00 .?....s....





So we need to modify the header of the rogue .pyc to match the original
timestamp; in this case that's done by modifying the 5th byte.

If we execute lib.py directly we will still get "clean" as output, but all the
programs importing lib will end up using our trojaned lib.pyc, which
outputs "BAD BAD BAD".

Running python caller.py, we get this output:


BAD BAD BAD
caller executed

so...

If we have +w (write permission) on the directory where the imported .py
files live, or we are on some crappy Windows box, we can place a trojan
written in Python and it will be executed each time the file is imported.
Some of you will think that this is extremely rare to find in a
well-configured environment, but in development environments it's much easier
to find +w directories with utility scripts, or with test-automation
scripts in QA environments, and in those cases this kind of trick can
easily be used to impersonate some other user.

The best thing is that if someone decides to inspect the .py file, the source
code will be intact, so it won't arouse suspicion.
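An integrity check for cached bytecode, added here as an example and not code from the post: it parses the .pyc header (using the Python 3.7+ layout of magic, flags, mtime and source size, where the Python 2 header shown above has only magic and mtime), repeats the mtime comparison the import system makes, and then recompiles the .py and compares code objects, which is the test that actually catches a swapped body. The demo() function builds hypothetical lib.py/lib.pyc files in a temp directory and reproduces the swap described above to show both results.

```python
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile

# Python 3.7+ header: magic(4) + flags(4) + mtime(4) + source size(4);
# the post describes the older 8-byte layout of magic(4) + mtime(4).
HEADER_LEN = 16

def parse_pyc_header(data):
    """Split the fixed-size .pyc header into its little-endian fields."""
    magic, flags, mtime, size = struct.unpack("<4sIII", data[:HEADER_LEN])
    return {"magic": magic, "flags": flags, "mtime": mtime, "size": size}

def check_pyc(py_path, pyc_path):
    """Compare a cached .pyc with its source. 'timestamp_ok' is the only
    test the import system runs; 'code_ok' recompiles the source and
    compares code objects, which is what catches a swapped body."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    with open(py_path, "rb") as f:
        source = f.read()
    hdr = parse_pyc_header(data)
    st = os.stat(py_path)
    expected = compile(source, py_path, "exec", dont_inherit=True)
    cached = marshal.loads(data[HEADER_LEN:])
    return {
        "magic_ok": hdr["magic"] == importlib.util.MAGIC_NUMBER,
        "timestamp_ok": hdr["mtime"] == (int(st.st_mtime) & 0xFFFFFFFF),
        "size_ok": hdr["size"] == (st.st_size & 0xFFFFFFFF),
        "code_ok": cached == expected,
    }

def demo():
    """Constructed lab (hypothetical files in a temp dir): compile a clean
    lib.py, then overwrite lib.pyc with other bytecode under the clean
    header so the mtime test still passes, the swap the post describes."""
    with tempfile.TemporaryDirectory() as d:
        py = os.path.join(d, "lib.py")
        pyc = os.path.join(d, "lib.pyc")
        with open(py, "w") as f:
            f.write('print("clean")\n')
        py_compile.compile(py, cfile=pyc, doraise=True,
            invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
        clean = check_pyc(py, pyc)
        with open(pyc, "rb") as f:
            header = f.read(HEADER_LEN)
        bad = compile('print("BAD BAD BAD")\n', py, "exec", dont_inherit=True)
        with open(pyc, "wb") as f:
            f.write(header + marshal.dumps(bad))
        forged = check_pyc(py, pyc)
    return {"clean": clean, "forged": forged}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Python 3.7+ can also write hash-based .pyc files (py_compile.PycInvalidationMode.CHECKED_HASH), which makes the import system validate a hash of the source instead of its mtime; keeping import directories unwritable by the users who run the code closes the window the post relies on.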

Hope you like it, any ideas or comments are appreciated

Cheerz

Saturday, November 1, 2008

When Fembots go bad

The Doll is a short film about death, desire, and robots; made for boutique lingerie label Lascivious in 2007 by moving image company Wyld Stallyons.
Lascivious approached Wyld Stallyons in late 2006 with the idea of producing a collaborative short film which would act as a viral campaign for them, and also a promotional piece for Wyld Stallyons.
Inspired by the infamous Real Doll sex toys, a token dollop of Greek myth, and countless teenage evenings watching straight-to-video sci-fi b-movies of dubious quality, Wyld Stallyons quickly developed a concept based around the idea of a mail order sex robot, delivered in parts. Once assembled, the robot becomes sentient and takes a shine to its owner's lingerie, with fatal consequences.


Official webpage: http://www.wyldstallyons.com/work/thedoll/
HQ widescreen version (20 MB): http://www.wyldstallyons.com/video/thedoll/video.flv

Thursday, October 30, 2008

Scylla v1.0b

Sometimes when you are exploiting a path traversal you can't find the file you want, and that can be frustrating.
Scylla will let you generate Triton exploit paths to scan for a target file in multiple locations.

You'll need Java 1.6 to use it, so it will work on any box except MacOS 10.4.9... Shit happens
when you depend on a monopoly.

If you have any suggestions, bug reports, money, girlz or whatever, PM me or send me a mail.

I hope you find this tool useful guys.

md5sum: 8cbf46a3a563bce13226dbba661fb551
sha1sum: ac4a0faad310658cd3dc603abe26a0bb391d2801

Download:

http://sites.google.com/site/apx808/Home/scylla.jar



Scylla - Triton paths generator
Coded by APX, Buenos Aires 2008
th4 f00k1ng c0wb0ys c0d1ng t3am
apx.808 [@] gmail.com

Contents:

1 - Intro
2 - Use
3 - Thanks
4 - Version history


[1 - Intro]

It's common in path traversal exploits to have problems
finding a file, httpd.conf anyone?
Well, the aim of this app is to solve this issue.
Scylla will create a list of Triton exploit paths to scan, using
the different locations to search that you specify.

[2 - Use]

-Load the xploit data manually or use the "import" option
to import it from a Triton exploit file.

-Add the tag "<PATH>" in the place where you want Scylla to insert
the possible locations. Also, don't forget that Scylla won't build
the traversal itself, so you'll need to provide the ../ either in your
locations file or in the xploit path field; the same goes for
the poison byte. YOU are the one who exploits, Scylla just
makes a repetitive task easier.

Example:

Xploit path: /cgi-bin/vuln.php?file=../../..<PATH>

-Load a file with the possible locations of the file you are
looking for.

-Select a destination file.

-Push "generate".

-Now load the file with Triton and start scanning.


NOTE: Be careful how you use this because it can be
VERY NOISY IN THE LOGS.

Keep your simultaneous bot count low and
scan multiple sites if possible.

[3 - Thanks]

I would like to thank Ange, Rudelgurke and my
fellow fooking cowboy Ex0rphine for their testing help.

[4 - Version History]

25-07-2008 - Project starts.

29-07-2008 - v1.0b starts being beta tested.

01-08-2008 - v1.0b Released to public.


Backdoor Port Scanner

1 - Intro


Scanning heavily filtered networks is a slow process, because when
the target host drops the packets and doesn't send any reply, Nmap
has to wait for the timeout and then retry 10 times before marking the
port as filtered.

Correctly calculating the RTT (Round Trip Time) and ABW (Available Bandwidth)
values can improve Nmap timing considerably, but a port scan, fast or
slow, will still be noisy.

So the idea is to do a port scan without doing it.

2 - The technique

The basic idea is to use a traversal exploit or a web shell to get the files

/proc/net/tcp
/proc/net/udp

and then feed them to the bpscan tool, which will parse them and show the
results in a human-readable way.

The same can be done with the tcp6, udp6 and raw files for IPv6 and raw sockets.

3 - What info can we get doing it

What better way than seeing some examples?

We can use it as a normal port scanner; as you will see, bpscan will resolve
the service name.

Port Service
21 ftp
25 smtp
80 http
3306 mysql
5560 Unknown
37237 Unknown
37297 Unknown


Or we can use the "a" flag to see all the results from the dump without removing
the duplicates.

Port   Service  Remote IP        Remote port
80     http     93.129.xxx.xxx   3514
3306   mysql    0.0.0.0          0
3306   mysql    72.232.xxx.xxx   40140
5560   Unknown  0.0.0.0          0
37237  Unknown  72.232.xxx.xxx   3306

This last example is trimmed, or it would be too long.

We can see the IP and port of the remote end.
If we have filtered ports we will be able to tell which IPs are allowed to bypass
the firewall, spoof anyone?
The 0.0.0.0:0 entries are ports in the TCP_LISTEN state.

But wait, let's see the same but with remote service resolution...

Port   Service  Remote IP        Remote port  Remote service
80     http     93.129.xxx.xxx   3514         must-p2p
3306   mysql    0.0.0.0          0            Unknown
3306   mysql    72.232.xxx.xxx   40140        Unknown
5560   Unknown  0.0.0.0          0            Unknown
37237  Unknown  72.232.xxx.xxx   3306         mysql

The first one has a high port that resolves to must-p2p; it is surely just the
randomly assigned source port of a client connecting to port 80, and the same goes
for the IP connecting to mysql.
But... the last one is interesting: we can see our target connecting to a
remote mysql... nice.
This is useful to get a better understanding of our target and its network map.

4 - The tool

The tool is coded in Perl; I made it for personal use but decided to share it.

Its use is easy, check the manual.

Options:
-h Shows this really useful help
-i Defines the input file; if it isn't defined, bpscan will use stdin
-f Sets the flags

Valid Flags:
a Shows all the entries, including the remote IP and port the socket connects to
r Resolves the remote service

Examples:
bpscan -i=tcp.txt -f=ar
cat /proc/net/tcp | bpscan
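A parser for the /proc/net/tcp dump described above, written in Python as an added example rather than the Perl bpscan tool itself: it decodes the hex local and remote endpoints, maps the state column, lists distinct listening ports and splits established sockets into inbound clients and outgoing connections the way the post reads them by hand. The SAMPLE dump is constructed, the service lookup uses the local services table, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# TCP states as the kernel prints them in the "st" column
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING"}

# Constructed /proc/net/tcp dump (not from the post): three listeners,
# two inbound connections and one outgoing connection to a remote mysql.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 1003 1
   3: 0A00000A:0050 0B00000A:0DBA 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0A00000A:0CEA 0C00000A:9CCC 01 00000000:00000000 00:00000000 00000000   105        0 1005 1
   5: 0A00000A:9175 0D00000A:0CEA 01 00000000:00000000 00:00000000 00000000    33        0 1006 1
"""

def decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4
    address as a native-order 32-bit hex value, so on little-endian hosts
    (assumed here, e.g. x86) the octets come out reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def service_name(port):
    """Resolve a port via the local services table, 'Unknown' otherwise."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "Unknown"

def parse_proc_net_tcp(text):
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({"local": decode_endpoint(fields[1]),
                        "remote": decode_endpoint(fields[2]),
                        "state": TCP_STATES.get(int(fields[3], 16), "UNKNOWN")})
    return entries

def summarize(entries):
    """Distinct listening ports (the post's 'select distinct'), then the
    established sockets split the way the post reads them by hand: local
    port is a listener -> inbound client, otherwise -> outgoing connection."""
    listening = sorted({e["local"][1] for e in entries if e["state"] == "LISTEN"})
    inbound, outbound = [], []
    for e in entries:
        if e["state"] == "ESTABLISHED":
            (inbound if e["local"][1] in listening else outbound).append(e)
    return {"listening": listening, "inbound": inbound, "outbound": outbound}

if __name__ == "__main__":
    report = summarize(parse_proc_net_tcp(SAMPLE))
    for port in report["listening"]:
        print(port, service_name(port))
    for e in report["outbound"]:
        print("outgoing ->", e["remote"], service_name(e["remote"][1]))
```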


5 - Conclusion

Ok guys, I hope you find it useful.
I would like to thank Rudelgurke for his helpful info on Linux and BSD inner workings.
For any comment, suggestion or idea, contact me at apx[dot]808[at]gmail[dot]com

6 - Download

http://sites.google.com/site/apx808/Home/bpscan.zip

7 - Extra

From a few comments I received, I think some guys don't really understand what the tool is for.
So, here are 5 great reasons to use bpscan.

1 - If you only have a traversal xploit, you can search for open ports to discover new attack
vectors.
2 - If you have a web shell, you can get the same results using netstat, but you'll need to parse
the info yourself and you can't get each open port only once, like a "select distinct".
3 - bpscan sees the ports from behind the firewall, so if you have an open port behind a firewall you'll see
it too.
4 - If you see an incoming connection to a port you can't connect to, seeing its IP can let you
guess the firewall rule, or discover a trusted host.
5 - You can see your target's outgoing connections, and which services they are for, so you can
gain a better understanding of your target's network map, other targets or new attack vectors.



Awesomeness


Tuesday, October 28, 2008

Lightning Hash Cracker

I've been trying out Elcomsoft's LHC.
Basically it's a password cracker that uses CUDA technology to generate MD5 hashes like crazy.

English mode on: (I warned you about it)

Basically the Nvidia chip is a parallel processor for mathematical operations. And this would be used like in 386 times, when some machines had a mathematical co-processor.



In the above graphic you can see that it crushes a normal processor's performance in math ops; that's because the chipset is specifically designed to do the same math ops at really high speed on different data simultaneously.

Ok, some guys realized they could use that processing power to do other things instead of calculating Doom 3 monsters, but they needed to use the normal graphics API, and that was a pain in the ass.

But the Nvidia guys created a new API just to use the parallel processing power of the board for simulations, or in this case, to generate hashes; the API is called CUDA (Compute Unified Device Architecture).

Actually I don't know what those commies registered, but using that API, ANY math op that is applied to multiple data, can be accelerated.


Well, what's above is something I posted a while ago, October 30, 2007; how cool, it's been almost a year...
Anyway, the point is that back then the Russians, as usual, already had private toolz to bruteforce MD5; we think we're clever, but by the time we get there the Russians have long since been and gone. Maybe some day I'll get around to talking about this...

Let's look at a graph of the hashes/second that CUDA technology gives us depending on which card we have...



And now let's get our hands dirty a bit



Here on this page you can download the LHC 4 free: http://www.elcomsoft.com/lhc.html
I tried it for a while; I have an Nvidia 8600 GTX and it runs nicely, I get an average of 70.5 M hashes with an Intel Core2Duo 8400E.
I'll tell you that even though it uses the GPU, it also hits the CPU pretty hard...

Friday, October 24, 2008

Inauguration


I created this blog a couple of months ago but never got around to writing anything.
What can you expect?
Well, as the name says: my ravings, ramblings and brain trips. Generally they'll be about "computer insecurity", as I like to call it, or anything else I think is worth sharing.

All in all I think my Spanish is pretty good, so you won't find any extreme blunders, except that I don't use accents anywhere; it's also likely that I'll sometimes post things in English... And well, I can't be bothered writing the same thing in two languages, so I default to English.

About my nick...
It's pronounced "eiphex" or "apex", depending on how Yankee you want to sound, but it's definitely not "a pe equis", spelled out letter by letter in Spanish, which sucks.
When I picked it I was really hooked on the track "Come to daddy" by Aphex Twin; some time later I decided to get fashionable and shorten it to 3 letters. I'll leave you the famous video, it's a trip, that's why I like it so much hehe

Well, bye

Test

Testing 1,2,3
El gato volador



 