Egg Hunting Fun

In this vacation I thought of learning to use egg hunters in exploit development. This is just a small write-up, done right after successful exploitation with my meterpreter reverse_tcp shellcode. This is the original exploit, which was published in 2010: http://www.exploit-db.com/exploits/15834/. I wanted to implement an egg hunter to search for our shellcode by its tag throughout the heap, stack, etc. Egg hunters are used when we have limited buffer space.

Download the vulnerable Kolibri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip

I assume you have good knowledge of developing stack-based buffer overflow exploits, registers, little-endianness, etc., which are the very basics.

I developed this exploit under Windows XP SP2, using USER32.dll, which is an operating system DLL, to find a jump-to-esp (JMP ESP) instruction. This application doesn't use any DLLs of its own, so this is a platform-dependent exploit.

As I mentioned earlier, this is a very brief write-up. The offset is at 515 bytes. Our plan is to overwrite the EIP register with our JMP ESP address, and then jump 60 bytes backwards to the start of our hunter so that it gets executed. The hunter then searches everywhere in memory for the tag and executes our shellcode. The opcode for a short jmp is EB, and 60 bytes back means -60, which as a signed byte is C4, so the bytes are \xeb\xc4.
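As an added example (not code from the original post), the helper below encodes and decodes an x86 short jump (`EB rel8`) so the `\xeb\xc4` arithmetic above can be checked rather than done by hand, and scans a captured buffer for such stubs, which is what an analyst triaging an overflow payload would want. One caveat the write-up glosses over: the CPU adds `rel8` to the address of the byte *after* the two-byte instruction, so `EB C4` lands 58 bytes before the `EB` byte itself, not 60. The `SAMPLE` buffer, the `0x10000` base address and the `ABCD` return-address placeholder are constructed for the demonstration and are not values from the post.

```python
import struct


def encode_short_jmp(displacement: int) -> bytes:
    """Bytes for `jmp short rel8`: opcode 0xEB followed by the displacement
    as a signed byte. The displacement is relative to the end of the 2-byte
    instruction, i.e. to (address of 0xEB) + 2."""
    if not -128 <= displacement <= 127:
        # Anything larger needs a near jump (E9 rel32); refuse rather than wrap.
        raise ValueError(f"{displacement} does not fit in a signed byte (rel8)")
    return bytes([0xEB, displacement & 0xFF])


def decode_short_jmp(code: bytes, instr_addr: int) -> tuple:
    """Return (displacement, target_address) for a short jmp located at
    instr_addr. Raises ValueError if the bytes are not a short jmp."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a short jmp (expected opcode 0xEB)")
    disp = struct.unpack("<b", code[1:2])[0]  # rel8 is a signed byte
    return disp, instr_addr + 2 + disp


def short_jmps_in(buf: bytes, base_addr: int) -> list:
    """Scan a buffer for EB xx pairs and report (offset, displacement, target).
    A backward short jump sitting right after the saved-return-address slot
    is the classic 'jump back into the buffer' stub used with egg hunters."""
    hits = []
    for off in range(len(buf) - 1):
        if buf[off] == 0xEB:
            disp, target = decode_short_jmp(buf[off:off + 2], base_addr + off)
            hits.append((off, disp, target))
    return hits


# Constructed sample payload layout (hypothetical, not the post's buffer):
# 515 bytes of filler, a 4-byte placeholder where the overwritten return
# address would sit, then the -60 short-jump stub described in the write-up.
FILLER_LEN = 515
RET_PLACEHOLDER = b"ABCD"
SAMPLE = b"A" * FILLER_LEN + RET_PLACEHOLDER + encode_short_jmp(-60)
SAMPLE_BASE = 0x10000  # constructed base address for the scan


if __name__ == "__main__":
    stub = encode_short_jmp(-60)
    print("stub bytes:", stub.hex())  # eb c4
    disp, target = decode_short_jmp(stub, SAMPLE_BASE)
    print(f"disp={disp}, lands {SAMPLE_BASE - target} bytes before the EB byte")
    for off, d, tgt in short_jmps_in(SAMPLE, SAMPLE_BASE):
        print(f"short jmp at offset {off}: rel8={d}, target=0x{tgt:x}")
```

Running the block prints the stub as `ebc4`, reports that it lands 58 bytes before the jump, and finds exactly one stub at offset 519 of the constructed sample (515 bytes of filler plus the 4-byte placeholder).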


Acknowledged by Oracle

Finally I was mentioned by Oracle for reporting a double-query SQL injection vulnerability and 2 reflected XSS bugs that bypassed filters.
I was mentioned in their On-Line Presence Security Contributors under the Credit Statement:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Also mentioned in the Common Vulnerability Reporting Format (CVRF) document over here:
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1865183.xml


Acknowledged and Rewarded by Zendesk

I really wanted to get my name on the Zendesk website. At first, when I saw the number of security researchers, I was amazed and thought I would never be able to find anything. But I didn't give up. I was able to find a DOM XSS in the main website 🙂 I did not even test their interface; I just read all their arguments carefully and was able to find poor sanitization in the JavaScript code.

Read more about their policy: http://www.zendesk.com/company/responsible-disclosure-policy

Zendesk swag is still on the way 😉 Thank you guys very much! <3


Update: On 16th of October I received the Zendesk swag. 😉


Acknowledged by Attack-Secure


Attack-Secure is a leading real-world penetration testing course provider. They have a special White Hat program for reporting vulnerabilities. I was able to find a security issue related to a plugin used by their server, and I was rewarded with their penetration testing course, Samurai Skills. Read more info on:

http://attack-secure.com/whitehat

Thank you very much for the thanks and the reward! 🙂