Archive for the ‘GrayHat’ Category

pydbg reverseme solution update

Thursday, July 8th, 2010 by webstersprodigy

This is an update to http://webstersprodigy.net/2010/07/07/pydbg-reverseme-solution/. I now change a register to circumvent the isdebuggerpresent call. import sys import ctypes from pydbg import * from pydbg.defines import * print "This is a very stupid keygen that uses a debug method and grabs the key from memory" print "prints out the valid key, and writes it [...]

pydbg reverseme solution

Wednesday, July 7th, 2010 by webstersprodigy

Last week I wrote a keygen here: http://webstersprodigy.net/2010/06/22/reverseme-windows-keygen/. This is an almost identical problem, but the binary has been patched to allow debugging (I may do this programmatically as well, but not yet). I wanted to solve this with programmatic debugging. Here is the exe: Ice9pch3. The code simply sets a breakpoint and prints the [...]

Reverseme Windows Keygen

Tuesday, June 22nd, 2010 by webstersprodigy

This one was challenging for me, and took me several hours, but was fun. I got caught up on certain parts that may not have been too difficult, but, yeah… http://crackmes.de/users/tripletordo/ice9/ You can download the executable here Ice9.zip. The first thing I noticed is probably the ‘trick’ which was simply a call to isdebuggerpresent. I [...]

Reverseme: Easy Windows Using Reflector

Thursday, June 10th, 2010 by webstersprodigy

http://crackmes.de/users/d0min4ted/keygenme_by_d0min4ted/ In case the link goes away, here is a zip of the executable: crackme. I cheated on this one and used Reflector. This was an excuse for me to try Reflector out… so I started with that in mind. The checking code ends up being in crackme->WindowsFormsApplication4->Form1. You can deduce what most of the buttons do. [...]

Reverseme: Easy Windows

Tuesday, June 8th, 2010 by webstersprodigy

To get back into the groove, I decided to try a crackme. After searching far and wide, I can’t seem to find where I got this from, other than crackmes.de, one of my favorite sites. Crackme.zip <– here it is in case it’s deleted. And the solution is, with no analysis: #include <iostream> #include <string> using [...]

nmap script to try and detect login pages

Wednesday, April 7th, 2010 by webstersprodigy

The title sort of explains it. description = [[ Attempts to check if a login page exists on the port. ]] -- -- @output -- 80/tcp open http -- |_ http-login-form: HTTP login detected -- HTTP authentication information gathering script -- rev 1.0 (2010-02-06) author = "Rich Lundeen <mopey@webstersprodigy.net>" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" [...]

XSRF POST Testing

Wednesday, February 3rd, 2010 by webstersprodigy

Writing a POC for XSRFs that only allow POST is not as straightforward as for GET. I use something like the following for situations like that. <html> <head></head> <body> <script> function poststuff() { var site = document.getElementById("posturl").value; var post_data = document.getElementById("postparam").value; alert("site: " + site); alert("pdata: " + post_data); var xmlhttp=new XMLHttpRequest(); xmlhttp.open("POST", site, true); xmlhttp.onreadystatechange = function [...]

nessus grep

Sunday, January 3rd, 2010 by webstersprodigy

The code is pretty self explanatory. It searches through a .nessus file and spits out matching hosts.

Nessus with Nikto – Running out of memory

Wednesday, December 30th, 2009 by webstersprodigy

Kind of an annoying problem, but sometimes nikto runs out of control. This is made worse by nessus, which can have a lot of nikto instances running at once.

bash script for nmap list scan

Wednesday, October 14th, 2009 by webstersprodigy

This is a stupid script to scan a class B network. I only wanted a detailed scan of hosts that exist (which I generated with a ping scan). I also wanted this information separated by file.

stupid little wordpress vulnerability

Tuesday, August 11th, 2009 by webstersprodigy

http://www.milw0rm.com/exploits/9410

vtrace – very promising-looking debugger

Thursday, July 23rd, 2009 by webstersprodigy

http://kenshoto.com/vtrace/

Documented commands (type help <topic>):
========================================
alias     bpedit  detach  ignore      meta    resume    stepi    vstruct
alloc     bpfile  dis     lm          mode    script    struct   writemem
attach    break   eval    maps        ps      search    suspend
autocont  bt      exec    mem         python  server    syms
bestname  call    fds     memdump     quit    signal    threads
bp        config  go      memprotect  reg     snapshot  var

So this looks [...]

GPG Cheat Sheet

Wednesday, July 8th, 2009 by webstersprodigy

The GNU Privacy Handbook has a ton of useful information, but I thought I’d make a quick reference for the gpg usage I use most. Especially because I was just an idiot and lost my gpg private key (though I do remember the passphrase) – this time there will be a backup! List all keys [...]

browsing with firefox, tor, refcontrol, and noscript on ubuntu

Friday, May 8th, 2009 by webstersprodigy

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

Security in an Insecure Environment

Wednesday, April 22nd, 2009 by webstersprodigy

Format String Exploits

Thursday, April 9th, 2009 by webstersprodigy

This is an oldie but goodie. I’ve seen format string bugs in the past, and have even exploited a few using the “magic formula”. Today, I thought it would be a good time to actually sit down and figure out how they work. The below link is an excellent resource to anyone learning about these: http://www.cgsecurity.org/Articles/SecProg/Art4/

Auto Restore Virtualbox

Wednesday, March 18th, 2009 by webstersprodigy

For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.

Social Network Analysis of Disclosure

Tuesday, March 3rd, 2009 by webstersprodigy

This is a progress report related to Disclosure.

sorta captcha breaking thing

Monday, December 22nd, 2008 by webstersprodigy

“The pixels in the above image are numbered 0..99 for the first row, 100..199 for the second row etc. White pixels represent ascii codes. The ascii code for a particular white pixel is equal to the offset from the last white pixel. For example, the first white pixel at location 65 would represent ascii code 65 (‘A’), the next at location 131 would represent ascii code (131 – 65) = 66 (‘B’) and so on.

wargames reverseme

Friday, August 15th, 2008 by webstersprodigy

Defcon 16 was a lot of fun. There were a lot of fun challenges, but my favorite was probably the wargames reverseme in open capture the flag.
