Author: Osanda Malith Jayathissa
Acknowledged by Eset
Share this:
Accessing the Windows API Directly
If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks.
For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine.
After owning the box in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.
[code language=”ruby”]
client.sys.config.sysinfo
[/code]
Get the user ID
[code language=”ruby”]
client.sys.config.getuid
[/code]
(more…)
Share this:
x86 Linux Egg hunter
This is a small post regarding egg hunting on x86 Linux systems. I’d highly recommend you to read skape’s paper “Safely Searching Process Virtual Address Space” . He has described his techniques for Linux and Windows systems. I will be using one of his implementations. I will use the access system call which is 33 for IA-32.
[code language=”c”]
#define __NR_access 33
[/code]
The access system call can be used the check whether the calling process can access the file.
[code language=”c”]
#include <unistd.h>
int access(const char *pathname, int mode);
[/code]
This is the x86 assembly implementation of the hunger code. It will search the virtual address space for our tag “AAAA” and begin execution of our shellcode. I am not going to explain this implementation. You can refer to skape’s document in higher detail.
Share this:
Arbitrary Download of Images
This is a bug I found in flickr.
For example think I want to download this image.
https://www.flickr.com/photos/yuliatangled/5502737663/sizes/l
[code language=”html”]
www.flickr.com/photos/yuliatangled/5502737663/sizes/l
[/code]
The owner had disabled the download option to users.
(more…)
Share this:
Hackxor SQL Injection
You can download the complete challenge VM from here. They have provided the online version of first two levels. I was interested in having a look at it. http://cloaknet.csc.kth.se:8080/proxy.jsp
There is a login page and our goal is to extract all the usernames and passwords from the database.
If you try injecting the login form, none of the injections would work. But there was this text called “No account?” when you click it you get this message.
After logging with demo:demo we are taken to “proxypanel.jsp” which displays source, target and date.
Share this:
Sim Editor Stack Based Buffer Overflow
Last week I bought a SIM card reader. Along with it came the software for it. It was SIM Card Editor 6.6. You can download it from here. The app is pretty cool. You can manipulate the SIM card’s data with it. However I noticed something strange in this application. When we are loading file for example suppose with 4 “A” characters we would get the output as “ªª”. Just two characters will be displayed. When I gave the input as “4141” the result would be “AA”. This time the correct output we need. What was the reason for this? From what I noticed was that when we enter “AAAA” the hex values would be “\x41\x41\x41\x41” the app will take two values each and evaluate to hex.
When we give the input as “4141” this is what happens.
So suppose we want to enter a hex string we have to just give the input. For example we want to give the application “AA” we have to give just “4141”. Taking that into consideration the rest was easy. The return address is overwritten with our buffer.
[code language=”python”]
buff = "41" * 500
with open("ex.sms", ‘w’) as f:
f.write(buff)
[/code]
Share this:
LED Segment Display on a Raspberry Pi
During my leisure time I made a LED segment display work using a Raspberry Pi. I have used a 74HC595 shift register and a LED segment display. This would be the circuit diagram.
Share this:
My ShellShockings
While I was suffering the interwebs my eyes caught a perl script which prints out the environment variables. For example something like this.
[code language=”perl”]
use CGI;
$cgi = new CGI;
for $key ( $cgi->param() ) {
$input{$key} = $cgi->param($key);
}
print qq{Content-type: text/html
<html><head></head><body>
};
foreach $key (sort (keys %ENV)) {
print $key, ‘ = ‘, $ENV{$key}, "<br>\n";
}
for $key ( keys %input ) {
print $key, ‘ = ‘, $input{$key}, "<br>\n";
}
print qq{<form METHOD=POST><input type="submit" value="Post Request">
<input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request ">
<input name="getfield" ></form>};
print qq{</body></html>};
[/code] >
Share this:
Paypal Partner SQL Injection
One of the Paypal Partner websites http://ppinvoice.com/ was suffering from a POST SQL injection. Union injection was impossible in here.
[code language=”sql”]
LoginForm[email]=-1′ UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]
As we cannot continue with the above error, double query injection works perfectly.
(more…)
