Rootme No software breakpoints Cracking Challenge

Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.

View post on imgur.com


Let’s run the file command and see.

% file ch20.bin
ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080

View post on imgur.com

This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂
(more…)

Newbie Keygenning 1

This is a random very old crackme I found when I was bored with assignments, which is pretty easy and thought of sharing with you. Doing crackmes one by one 😀 Download: https://www.mediafire.com/?351rp7o9qmf97js

View post on imgur.com


After opening in Olly and checking the string references we can see the congratulations string.

View post on imgur.com


After following the string we see the following disassembly.

View post on imgur.com


(more…)

Error Based SQL Injection Using EXP

Overview

This is another overflow in the DOUBLE data type in MySQL I found. You can refer to my previous post on BIGINT Overflow Error based injections if you want to understand exploiting overflows in extracting data. Also the queries are similar to my previous post. When we take the functions in MySQL I was interested in the mathematical functions. They too should contain some data type to hold values. So I went on testing for functions which would cause any overflow errors and I found out that exp() would cause a overflow error when we pass a large value above 709.

mysql> select exp(709);

+-----------------------+

| exp(709)              |

+-----------------------+

| 8.218407461554972e307 |

+-----------------------+

1 row in set (0.00 sec)



mysql> select exp(710);

ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp is the opposite of the ln and log functions of MySQL. If I briefly explain the functionality of these, log and ln and both returns the answer to the natural logarithm or to the base e. In common e is approximated to: $latex e \approx 2.71828183&bg=FFFFFF&s=1$ .

$latex ln(15) = log_ {e} (15) = 2.70805020110221 &bg=FFFFFF&s=1$
(more…)

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding out new techniques that we can use in extracting data via MySQL errors. This is a detailed write-up which will make you understand how I made these queries. When we look how MySQL handles integers I was interested in causing overflows. This is how MySQL stores integers.

View post on imgur.com


(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors will cause in MySQL versions 5.5.5 and above only. In below versions integer overflows would result in a silent wraparound.
The data type BIGINT is of 8 bytes in size which means it’s of 64 bits. If we take the maximum signed value of a BIGINT its “0b0111111111111111111111111111111111111111111111111111111111111111”, “0x7fffffffffffffff”, “9223372036854775807” in binary, hex and decimal respectively. Once we evaluate numerical expressions on this value like adding will cause a “BIGINT value is out of range” error. 

mysql> select 9223372036854775807+1; 

ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

(more…)

Solving Root-me Ptrace challenge

You can find the challenge from here. The challenge is to find the password for the elf 32 binary. This is how this looks at a glance.

View post on imgur.com


Let’s fire up GDB and check this out. I’ll break main and run. We can see that arguments to ptrace() function is being pushed on the stack and ptrace is being called.

=> 0x080483fe <+14>:	sub    esp,0x14

   0x08048401 <+17>:	mov    DWORD PTR [ebp-0xc],0x80c2888

   0x08048408 <+24>:	push   0x0

   0x0804840a <+26>:	push   0x1

   0x0804840c <+28>:	push   0x0

   0x0804840e <+30>:	push   0x0

   0x08048410 <+32>:	call   0x8058a70 <ptrace>

(more…)

Protonmail Stored XSS

I found out that attachments containing Javascript or HTML will get executed in the browser once you open in a new tab. The attachment can be anything simple like .html, .svg containing our payload.

View post on imgur.com


[code language=”html”]
<html>
<script>
prompt(‘XSS by Osanda Malith’);
</script>
</html>
[/code]
(more…)

Exploiting HTTP Verbs

The HTTP protocol comprises of the following verbs or methods.

  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • CONNECT
  • OPTIONS
  • TRACE

I assume you are well aware of these, you can read more about them in detail from this RFC document.
(more…)

LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.

There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods.  Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.
[code language=”php”]
<?php
echo "File included: ".$_REQUEST["page"]."<br>";
$file = $_REQUEST["page"];
include $file;
?>
[/code]
(more…)

Dynamic Function Injection in PHP

In PHP we can pass arguments to a function dynamically during runtime. For example have look at this example.

View post on imgur.com

I have used call_user_func_array() to pass the arguments to the function. The syntax would be:
[code language=”php”]
call_user_func_array(function, param_arr)
[/code]
Since I have used $_GET we can pass the function and its arguments during runtime.

http://localhost/?func=user&args[]=Osanda&args[]=secret&args[]=abc@abc.com

(more…)

Accessing the Windows API Directly

If you are into pentesting I am sure you might have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks.
For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine.
After owning the box in the meterpreter session type “irb” and from there we can start the interactive ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information.

[code language=”ruby”]
client.sys.config.sysinfo
[/code]

Get the user ID

[code language=”ruby”]
client.sys.config.getuid
[/code]
(more…)