x86 Linux Egg hunter

This is a small post regarding egg hunting on x86 Linux systems. I’d highly recommend you to read skape’s paper “Safely Searching Process Virtual Address Space” . He has described his techniques for Linux and Windows systems. I will be using one of hisĀ implementations. Ā I will use the access system call which is 33 for IA-32.

[code language=”c”]
#define __NR_access 33
[/code]

The access system call can be used the check whether the calling process can access the file.
[code language=”c”]
#include <unistd.h>
int access(const char *pathname, int mode);
[/code]

This is the x86 assembly implementation of the hunger code. It will search the virtual address space for our tag “AAAA” and begin execution of our shellcode. I am not going to explain this implementation. You can refer to skape’s document in higher detail.

(more…)

Hackxor SQL Injection

You can download the complete challenge VM from here. They have provided the online version of first two levels. I was interested in having a look at it. http://cloaknet.csc.kth.se:8080/proxy.jsp

There is a login page and our goal is to extract all the usernames and passwords from the database.

View post on imgur.com

If you try injecting the login form, none of the injections would work. But there was this text called ā€œNo account?ā€ when you click it you get this message.

View post on imgur.com

After logging with demo:demo we are taken to ā€œproxypanel.jspā€ which displays source, target and date.

View post on imgur.com


(more…)

LED Segment Display on a Raspberry Pi

During my leisure time I made a LED segment display work using a Raspberry Pi. I have used a 74HC595 shift register and a LED segment display. This would be the circuit diagram.

View post on imgur.com


(more…)

My ShellShockings

While I was suffering the interwebs my eyes caught a perl script which prints out the environment variables. For example something like this.
[code language=”perl”]
use CGI;

$cgi = new CGI;

for $key ( $cgi->param() ) {
$input{$key} = $cgi->param($key);
}

print qq{Content-type: text/html

<html><head></head><body>
};

foreach $key (sort (keys %ENV)) {
print $key, ‘ = ‘, $ENV{$key}, "<br>\n";
}

for $key ( keys %input ) {
print $key, ‘ = ‘, $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request">
<input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request ">
<input name="getfield" ></form>};

print qq{</body></html>};
[/code] >

Paypal Partner SQL Injection

One of the Paypal Partner websites http://ppinvoice.com/ was suffering from a POST SQL injection. Union injection was impossible in here.

[code language=”sql”]
LoginForm[email]=-1′ UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3
[/code]

View post on imgur.com

As we cannot continue with the above error, double query injection works perfectly.
(more…)

Reverse Engineering 101

This is a very basic tutorial on reverse engineering your first executable in Windows. This is a short application which Iā€™ve written just for this purpose, just a simple program which came to my head.
[code language=”c”]
#include <windows.h>
#include <stdio.h>
/*
Name: Ultra Newbie CrackMe
Copyright: 2014
Author: Osanda Malith
Date: 30/12/14 07:51
Description: This a very basic crack me just for demonstration purposes.
*/

void
enc (char cipher[], int shift) {
int i = 0;
while (*(cipher+i)) {
if ((*(cipher+i) + shift) >= 65 && (*(cipher+i)+ shift) <= 90) *(cipher+i) += shift;
else *(cipher+i) += shift – 25;
i++;
}
}

int
main () {
int i;
char msg[] = {0x53, 0x45, 0x43, 0x52, 0x45, 0x54, ‘\0’}, *in;
int key = 6+3;
enc(msg,key); printf("Coded by Osanda\nhttp://osandamalith.wordpress.com\n\n");
printf("Enter Pass\n");
in = (char *) malloc(20);
scanf("%s", in);
if(!strcmp(in,msg)) MessageBox(NULL,TEXT("Access Granted :)"),TEXT("Info"),MB_OK | MB_ICONASTERISK | MB_RIGHT );
else MessageBox(NULL,TEXT("Try Again"),TEXT("Info"),MB_OK | MB_ICONERROR | MB_RIGHT );
return 0;
}

[/code]
Iā€™ll divide this tutorial in to two tasks. Task one is finding the pass. Task two would be patching the application so that any given user input would trigger the ā€œAccess Grantedā€ message box.
Before we start what is reverse engineering? Let me put it in this way. We write applications in high level languages such as C, C++, Delphi, etc. and they are gone through a process called compiling and converted into machine code. We write programs in different languages but regardless, the computer wonā€™t understand any of them. The closest language to the CPU which it would understand after assembling and linking would be the assembly language. Reverse engineering is the process of engineering an application once it is compiled into machine code. This is vastly used in malware analyzing, breaking protections in software, exploit development, adding more functionality into applications. There might be more than these few.

(more…)