2010-01-11 19:36:18
0x3e3e7f56 ^ 0x585f163a = "fail"
By Tim Brown
On a job recently, I was asked to look at a Sarian GSM router, specifically the configuration files for the device. This was interesting as it had a number of obfuscated strings which were clearly credentials but for which I didn't know the plain text values. A quick Google allowed me to pull up a document from Juniper on how to configure their devices to establish an IPsec tunnel with one. This document had an example configuration file for the Sarian which gave the default credentials in both plain and obfuscated form. Returning to the configuration I had been given, it was clear that my device had different credentials, which left me with a bit of a problem. Having noticed that the obfuscated and plain text strings were of the same length, which is indicative of a stream cipher, I decided to check whether the algorithm used by Sarian was XOR based or whether it was in fact using a more secure stream cipher. The Perl code below shows how I did this:...
2009-12-10 02:02:25
By Tim Brown
Well, it's taken a while (lots of other interesting stuff to keep me busy) but I'm pleased to announce that SSHatter 1.0 is almost ready for release. I tagged a private 0.9 release last night and, assuming no major bugs are identified, I'd expect that 1.0 will be released over the weekend. So what can you look forward to in SSHatter 1.0? Well, I've taken a long hard look at what other tools exist (notably keimpx by one of my colleagues, which aims to take the pain out of large Windows networks). The upshot is that SSHatter 1.0 has been rebuilt for exploitation. Take a look at the session below, which should give you some idea of what to expect:...
2009-09-23 05:09:42
By Tim Brown
Last month myself and a number of my team had the distinct pleasure of attending HAR 2009. Since a lot of good folk missed it, here are some notes I made on my personal highlights of the conference....
2009-07-18 03:35:41
By Tim Brown
One of the things that keeps me interested in OpenVAS, apart from the beer, is writing new NASLs. I write them for several reasons: either to check for a vulnerability I or a colleague has found, for interesting vulnerabilities others have reported, or in many cases to check for issues where an advisory isn't appropriate but where a trivial issue may exist for which the manual check might be forgotten....
2009-03-27 16:54:10
By Tim Brown
Since Ahead Of The Times took their PinSentry apart, I thought it was about time to share my analysis thus far of the numbers it generates:...
2009-03-17 00:06:53
Shellcode for setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux
By Tim Brown
There are many people that know more about the black arts of low-level exploitation than me. Fact. Shellcode isn't that novel and, with only 30 or 40 bytes to play with, chances are high that someone else will have done it first. Fact. However, in the spirit of learning, I proudly present my first working(?) shellcode. It's a small chunk of AT&T style assembly for the x86_64 architecture running GNU/Linux which calls first setuid(0) and secondly execve("/bin/sh") for use in local exploits. I've attempted to document each and every line of code, so maybe it will be of some use to others that are yet to embark on this journey....
2009-02-23 23:11:08
Exploiting preg_replace (an oldie but a goodie)
By Tim Brown
Calling preg_replace($pattern, $replacement, $subject) et al, where $pattern and $replacement are under user control, should be considered dangerous. Witness the following:
<?php
preg_replace("/" . $pattern . "/", $replacement, $subject);
?>
Our attacker passes a $pattern of "(.*)/e\x00", a $replacement of "system('\1')" and a $subject of "id". The following results:...
2009-02-17 00:58:46
By Tim Brown
Sometimes life can be fun...

That's the result of unauthenticated XSS, command injection and privilege escalation against one poor vendor's (poor) product....
2009-02-12 08:19:01
By Tim Brown
So after the latest squid advisory I thought I might take a look at it to see if there were any other gems waiting to be found.
So since I'm lazy, I ran cppchecker on the code base, which found this gem in squid_kerb_auth.c within the gethost_name function:...
2008-10-26 17:33:00
By Tim Brown
So having spent a good portion of the last 24 hours trying to get a handle on reliably exploiting this vulnerability, I've drawn a blank. Two things have me stumped, one quite trivial and one that I'm going to have to leave for my betters. Because I'm using rpcclient as my transport to send data to the Server service, I have to rely on that for the encoding. In practice this means that in the best case I can only control two out of four bytes of my %eip overwrite (namely 0x00__00__) because my input to rpccli_srvsvc_NetPathCanonicalize() gets unicode encoded further down the RPC/CIFS stack. Secondly (and this is the killer right now), the stack appears to vary considerably between exploit attempts. I've been playing with exploiting it under Windows 2K on VMware and every time it appears I've got the offset right to control %eip, I repeat it once more for luck and the damn thing moves. Combine this with the fact that Windows will likely reboot if the Server service crashes and I'm interested to see whether reliable exploits are released....