Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user to visiting a malicious web-page which…

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So as you do, I was just looking around, manually fuzzing some Web Sockets requests, seeing if I could get any sort of XSS, Remote IRC Command Injection or SQLi mainly – ended up that I didn’t find much there that worse worth noting. So I started seeing if their logic was all alright, so one of their requests looked similar to: {“_reqid”:1234, “cid”:5678, “to”: “#treehouse”, “msg”:”test”, “method”:”say”} I thought,…

Execute Shellcode, Bypassing Anti-Virus…

Hello, I am going to demonstrate a little trick to allow you to bypass anti-virus and execute shellcode, this is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell, however any shellcode can be used, I have simply chosen this one for simplicity. As I’m sure you’re all aware, the standard Metasploit…

RFID Wallets/Sleeves. How much Security do they provide?

With the increasing amount of RFID technology creeping into everyday life.  Just how much data can be obtained from your wallet?  At Pentura we undertook a small experiment where using standard off-the-shelf products, we would attempt to obtain personal information leaked from RFID enabled devices: UK Passport UK Bank Cards Debit/Credit Access Control Tokens Our experiment used standard unmodified off-the-shelf RFID equipment: 13.56MHz ACR-122U Reader Proxmark3 with LF antenna Proxmark3…

NDProxy Privilege Escalation (CVE-2013-5065)

Introduction In the last few days everyone is raving about CVE-2013-5065, a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC for CVE-2013-5065. Exploit POC: #include “windows.h” #include “stdio.h” void main(){ HANDLE hdev=CreateFile(“\\.\NDProxy”,GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0 , NULL); if hdev==INVALID_HANDLE_VALUE){ printf(“CreateFile Failed: %d/n”,GetLastError()); } DWORD InBuf [0x15] = {0}; DWORD dwRetbytes…

New WiFi Pineapple; From Britain with Love!

Introduction Since approximately around the time of our posting Blue for the Pineapple (6 months ago). Hak5 Pineapple Team have disappeared underground to produce the new Mark 5 Pineapple. A customised board that is cheaper to produce and more easily affordable. The Mark 5 has 2x WiFi cards (Atheros 9331 & RTL8187 (famously known as an Alfa)), with SMA connectors. Twice the RAM & ROM (16MB & 64MB), with the…

Linux Exploit Suggester

Background Many moons ago I stumbled across a broken script on an incident response job.  The Hackers uploaded numerous exploits and scripts in an attempt to compromise a Linux RedHat server.  Among these files was a broken script (that did not work) that would suggest possible exploits given the release version ‘uname -r’ of the Linux Operating System. This gave me an idea; create my own that actually works…. As…

… Green For The Anti-Pineapple

Background Following on from the previous Post (Blue for the Pineapple…). I now want to introduce the Anti-Pineapple! Your probably asking the question “How do you create an Anti-Pineapple?” The answer is quite simple; by conducting a review of the security measures installed on the Pineapple device itself; it should be quite easy to create a list of possible scenarios and counter-measures.

Blue For The Pineapple ….

Background The WiFi Pineapple, was a device coined by the Hak5 (www.hak5.org) Team back in 2008. Originally it was a hacked Fon/Fonera AccessPoint (AP) with Karma patches applied to hostapd. Back then Digninja (Robin wood) called it Jasager (http://www.digininja.org/jasager/), it was called this because the AP software answered “Yes” to all WiFi Beacon Frames; if a WiFi client was looking for the SSID BTOpenzone the Pineapple(or Jasager) would reply “That’s…

Vulnerability Development: Buffer Overflows: How To Bypass Non Executable Stack (NX)…

Hey, Leading on from my previous post where I discussed a method know as ‘ret2reg’ (return to register, or in our case a simple jump to esp) for bypassing ASLR, today I am going to discuss a method known as ‘ret2libc’ (return to libc) to allows us to circumvent the non-executable stack protection. When exploiting stack based buffer overflows generally speaking you overwrite past the vulnerable buffer and in turn…