Execute Shellcode, Bypassing Anti-Virus | InteliSecure

Hello, I am going to demonstrate a little trick that allows you to bypass anti-virus and execute shellcode; this is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell; however, any shellcode can be used, and I have simply chosen this one for simplicity. As I’m sure you’re all aware, the standard Metasploit…

ATM In-Security in 2013 | ATM Security Flaws & Vulnerabilities

Introduction: With the recent SecTor security conference in Toronto, Canada, ATM security flaws have once again risen to the top of the agenda. ATM flaws have become widespread knowledge since Barnaby Jack showed off his ‘Jackpotting’ attack. ATM flaws have once again become a hot topic since the late Barnaby’s demise two weeks prior to this year’s Blackhat conference (USA 2013), where he was going to present on pacemaker flaws. Barnaby…

Linux Exploit Suggester

Background: Many moons ago I stumbled across a broken script on an incident response job. The hackers had uploaded numerous exploits and scripts in an attempt to compromise a Red Hat Linux server. Among these files was a script, which did not work, that would suggest possible exploits given the release version (‘uname -r’) of the Linux operating system. This gave me an idea: create my own that actually works… As…

Linux – Execute a Non-Executable

This blog post is a small walkthrough of tackling an odd exploitation problem on a Linux web server running a chroot jail, which was compromised via SQL injection. The post walks you through copying binaries using copy and paste, executing non-executables, and breaking out of chrooted environments. More info on chroot jails can be found here: http://www.cyberciti.biz/tips/rhel-centos-apache-chrootjail-virtual-hosting.html

Vulnerability Development: Buffer Overflows: How To Bypass Non Executable Stack (NX)…

Hey, leading on from my previous post, where I discussed a method known as ‘ret2reg’ (return to register, or in our case a simple jump to esp) for bypassing ASLR, today I am going to discuss a method known as ‘ret2libc’ (return to libc) that allows us to circumvent the non-executable stack protection. When exploiting stack-based buffer overflows, generally speaking, you overwrite past the vulnerable buffer and in turn…

Vulnerability Development: Buffer Overflows: How To Bypass ASLR…

Hey, so this is the second post in the series of vulnerability development posts I plan to make. Today we are going to focus on a simple technique used to bypass Address Space Layout Randomization (ASLR). All code examples have been compiled on a machine with the following specifications: dusty@devbox:~/Code/ASLR$ lsb_release -a; uname -ar; gcc --version; gdb --version Distributor ID: Ubuntu Description: Ubuntu 10.10 Release: 10.10 Codename: maverick Linux…

Fun with System() and I/O Redirection…

Hey, I have seen a few wargame levels now that require you to do funky stuff with IO redirection and thought it would make an interesting blog post. For more information about IO redirection, please see: BASH: IO Redirection. I don’t know whether you’re familiar with the Unreal IRCd source recently being backdoored? More information can be found here: Unreal IRCd Backdoor. Well, the hackers had placed a system() function…

Python cPickle: Allows For Arbitrary Code Execution

Hello all, I was passing some time playing one of our new wargames at Smash The Stack called Amateria and came across something I’ve not really looked at before: Python’s cPickle library. It allows for some interesting fun when unpickling untrusted data received over a socket or any other network communication. Basically, cPickle is a library that enables Python to perform object serialization. Pickling and unpickling are the terms used in the…

Ophcrack and Konboot

Floppies, CD-ROMs and USB drives, oh my! I’m going to be giving a bit of an insight into physical password attacks, as in sitting in front of the computer. I’m going to show you two tools, Ophcrack and Konboot. The reason I have chosen these two is, firstly, that they are incredibly easy to use, and also that they take different approaches to the common goal (compromising…