[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client…

Yet Another HeartBleed.

This Heartbleed information disclosure vulnerability has pretty much been covered all over the internet today (8th April 2014). As a one-page-stop summary, please read below: An online site exists to check for the vulnerability: http://filippo.io/Heartbleed/ Source code available at: https://github.com/FiloSottile/Heartbleed A Python script (that's much better): http://s3.jspenguin.org/ssltest.py A second version of the above code with STARTTLS support: https://gist.github.com/takeshixx/10107280 A good breakdown of why the bug exists is here: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html Watching Twitter has been entertaining; login.yahoo.com has been leaking user…

ATM In-Security in 2013

Introduction With the recent SecTor security conference in Toronto, Canada, ATM security flaws have once again risen to the top of the agenda. ATM flaws have been widespread knowledge since Barnaby Jack showed off his ‘Jackpotting’ attack, and they have once again become a hot topic since the late Barnaby’s demise two weeks prior to this year’s Black Hat conference (USA 2013), where he was going to present on pacemaker flaws. Barnaby…

New WiFi Pineapple; From Britain with Love!

Introduction Since approximately the time of our post Blue for the Pineapple (6 months ago), the Hak5 Pineapple Team have disappeared underground to produce the new Mark 5 Pineapple, a customised board that is cheaper to produce and more easily affordable. The Mark 5 has 2x WiFi cards (Atheros 9331 & RTL8187 (famously known as an Alfa)) with SMA connectors, and twice the RAM & ROM (16MB & 64MB), with the…

Vulnerability Development: Buffer Overflows: How To Bypass Non Executable Stack (NX)…

Hey, Leading on from my previous post, where I discussed a method known as ‘ret2reg’ (return to register, or in our case a simple jump to esp) for bypassing ASLR, today I am going to discuss a method known as ‘ret2libc’ (return to libc) that allows us to circumvent the non-executable stack protection. When exploiting stack-based buffer overflows, generally speaking, you overwrite past the vulnerable buffer and in turn…

Vulnerability Development: Buffer Overflows: How To Bypass ASLR…

Hey, So this is the second post in the series of vulnerability development posts I plan to make. Today we are going to focus on a simple technique used to bypass Address Space Layout Randomization (ASLR). All code examples have been compiled on a machine with the following specifications: dusty@devbox:~/Code/ASLR$ lsb_release -a; uname -ar; gcc --version; gdb --version Distributor ID: Ubuntu Description: Ubuntu 10.10 Release: 10.10 Codename: maverick Linux…

Fun with System() and I/O Redirection…

Hey, I have seen a few wargame levels now that require you to do funky stuff with I/O redirection and thought it would make an interesting blog post. For more information about I/O redirection, please see: BASH: IO Redirection I don’t know whether you’re familiar with the recent Unreal IRCd source being backdoored? More information can be found here: Unreal IRCd Backdoor Well, the hackers had placed a system() function…

Python cPickle: Allows For Arbitrary Code Execution

Hello All, I was passing some time playing one of our new wargames at Smash The Stack called Amateria and came across something I’ve not really looked at before: Python’s cPickle library. It allows for some interesting fun when unpickling untrusted data received over a socket or any other network communication. Basically, cPickle is a library that enables Python to perform object serialization. Pickling and unpickling are the terms used in the…

Vulnerability Development: Buffer Overflows: RET Overwrite…

Hello all, my name is Mike Evans and I’m a security consultant here at Pentura. The other day I was asked by a certain Spanish someone if I could contribute to the blog ;-). At first I wasn’t too sure what to write about, however after a while I decided to write about Vulnerability Development as this is an area of research I am very passionate about. Now this is…