Exploiting Same Origin Method Execution Vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME (Same Origin Method Execution), which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user into visiting a malicious web page which…

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client…

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So, as you do, I was just looking around, manually fuzzing some WebSocket requests, seeing if I could get any sort of XSS, remote IRC command injection or SQLi mainly – it ended up that I didn’t find much there that was worth noting. So I started seeing if their logic was all alright; one of their requests looked similar to: {"_reqid":1234, "cid":5678, "to": "#treehouse", "msg":"test", "method":"say"} I thought,…

Execute Shellcode, Bypassing Anti-Virus | InteliSecure

Hello, I am going to demonstrate a little trick to allow you to bypass anti-virus and execute shellcode. This is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell; however, any shellcode can be used, I have simply chosen this one for simplicity. As I’m sure you’re all aware, the standard Metasploit…

Proxmark3 vs Ultralight C

There have been no secrets this week while I’ve been trying to add Mifare Ultralight C support to the Proxmark. Ultralight C cards are HF (13.56MHz) tags that are part of the Mifare family. This week has been an interesting learning process, and it has corrected some misconceptions I had about the card. For those interested you can follow my progress at http://www.proxmark.org/forum/viewtopic.php?id=1946. But I will summarise my findings below: Ultralight C…

Proxmark3 vs Kantech ioProx

Earlier today we released a patch into the Proxmark3 community for initial support of the LF 125kHz ioProx tags from Kantech. Current operations are FSK demodulation and card/tag cloning. Not much is revealed about this type of tag, and only limited data can be found on its data sheet. Kantech state that readers/cards are compatible with standard 26-bit Wiegand and Kantech Extended Secure Format (XSF). But it is difficult to find…

Ubertooth – Bluetooth Sniffing Updated for 2014!

Earlier I noticed this tweet on my Twitter feed: "Ubertooth release: https://t.co/cCYHNf34Yc I know it’s been a long time coming, I promise not to leave it so long next time." — Dominic Spill (@dominicgs) February 20, 2014. So I thought I would walk you through the update, which has improved operating system support, improved Bluetooth Low Energy (BTLE) support, and GitHub integration to make community development easier…

NDProxy Privilege Escalation (CVE-2013-5065)

Introduction: In the last few days everyone has been raving about CVE-2013-5065, a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC for CVE-2013-5065. Exploit PoC: #include "windows.h" #include "stdio.h" void main(){ HANDLE hdev=CreateFile("\\\\.\\NDProxy",GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0 , NULL); if (hdev==INVALID_HANDLE_VALUE){ printf("CreateFile Failed: %d\n",GetLastError()); } DWORD InBuf [0x15] = {0}; DWORD dwRetbytes…

What is 2G, 3G, 4G?

Introduction: With all the recent fuss over 4G / LTE, Pentura thought a blog post highlighting the changes and developments of mobile infrastructure would be interesting for our readers. Below is a high-level description of the 2G, 3G, 3G-Femto and finally 4G networks. 2G: 2G (GSM/GPRS) is the initial backbone for all mobile infrastructure. At the front end it comprises a Radio Tower (BTS), and the Base…

What is SIGTRAN? SS7? SCTP?

Introduction: SIGTRAN is the name, derived from "signaling transport", of the former Internet Engineering Task Force (IETF) working group that produced specifications for a family of protocols that provide reliable datagram service and user layer adaptations for Signaling System 7 (SS7) and ISDN communications. The SIGTRAN protocols are an extension of the SS7 protocol family. They support the same application and call management paradigms as SS7 but use an Internet Protocol (IP) transport called Stream Control Transmission Protocol (SCTP). Indeed,…