Archive for the ‘GrayHat’ Category

XSRF POST Testing

Wednesday, February 3rd, 2010 by mopey

Building a PoC for XSRFs that only allow POST is not as straightforward as the GET case. I use something like the following for situations like that.

<html>
<head></head>
<body>
<script>
function poststuff() {
var site = document.getElementById("posturl").value;
var post_data = document.getElementById("postparam").value;
alert("site: " + site);
alert("pdata: " + post_data);
var xmlhttp=new XMLHttpRequest();
xmlhttp.open("POST", site, true);
xmlhttp.onreadystatechange [...]

nessus grep

Sunday, January 3rd, 2010 by mopey

The code is pretty self explanatory. It searches through a .nessus file and spits out matching hosts.

Nessus with Nikto – Running out of memory

Wednesday, December 30th, 2009 by mopey

Kind of an annoying problem, but sometimes nikto runs out of control. This is made worse by nessus, which can have a lot of nikto instances running at once.

bash script for nmap list scan

Wednesday, October 14th, 2009 by mopey

This is a stupid script to scan a class b network. I only wanted a detailed scan of hosts that exist (which I generated with a ping scan). I also wanted this information separated by file.

stupid little wordpress vulnerability

Tuesday, August 11th, 2009 by mopey

http://www.milw0rm.com/exploits/9410

vtrace – very promising-looking debugger

Thursday, July 23rd, 2009 by mopey

http://kenshoto.com/vtrace/

Documented commands (type help <topic>):
========================================
alias     bpedit  detach  ignore      meta    resume    stepi    vstruct
alloc     bpfile  dis     lm          mode    script    struct   writemem
attach    break   eval    maps        ps      search    suspend
autocont  bt      exec    mem         python  server    syms   
bestname  call    fds     memdump     quit    signal    threads
bp        config  go      memprotect  reg     snapshot  var

So this looks pretty promising… a call function to call things right [...]

GPG Cheat Sheet

Wednesday, July 8th, 2009 by mopey

The gnu Privacy handbook has a ton of useful information, but I thought I’d make a quick reference for the gpg usage I use most. Especially because I was just an idiot and lost my gpg private key (though I do remember the passphrase) – this time there will be a backup!
List all keys
gpg --list-keys
print [...]

browsing with firefox, tor, refcontrol, and noscript on ubuntu

Friday, May 8th, 2009 by mopey

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

Security in an Insecure Environment

Wednesday, April 22nd, 2009 by mopey

Format String Exploits

Thursday, April 9th, 2009 by mopey

This is an oldie but goodie. I’ve seen format string bugs in the past, and have even exploited a few using the “magic formula”. Today, I thought it would be a good time to actually sit down and figure out how they work. The below link is an excellent resource to anyone learning about these: http://www.cgsecurity.org/Articles/SecProg/Art4/

Auto Restore Virtualbox

Wednesday, March 18th, 2009 by mopey

For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.

Social Network Analysis of Disclosure

Tuesday, March 3rd, 2009 by mopey

This is a progress report related to Disclosure.

sorta captcha breaking thing

Monday, December 22nd, 2008 by mopey

“The pixels in the above image are numbered 0..99 for the first row, 100..199 for the second row etc. White pixels represent ascii codes. The ascii code for a particular white pixel is equal to the offset from the last white pixel. For example, the first white pixel at location 65 would represent ascii code 65 (‘A’), the next at location 131 would represent ascii code (131 – 65) = 66 (‘B’) and so on.

wargames reverseme

Friday, August 15th, 2008 by mopey

Defcon 16 was a lot of fun. There were a lot of fun challenges, but my favorite was probably the wargames reverseme in open capture the flag.

Windows reverseme – nothing tricky

Friday, July 25th, 2008 by mopey

Windows reverseme – nothing tricky, just a sort of complicated validation process. The easiest thing in the world is to get this thing to validate. Just run it and put a breakpoint at 00401288, and look at the value in 00406749. That’s it! You’re validated.

chattr and ctf

Sunday, June 1st, 2008 by mopey

This is a way to make files ‘unmodifiable’ or ‘undeletable’, amongst other things, in Linux.

javascript in url

Friday, March 21st, 2008 by mopey

Now here’s something I always always have to look up because I always forget…

To execute javascript in a URL, type something like

javascript:alert(document.cookie);

Remember though, an easier way to modify all information sent from you is a simple local proxy, like paros. Whatever you do, don’t use telnet unless you’re super extreme.

Reverseme – windows

Sunday, February 17th, 2008 by mopey

This was pretty easy.
Here is a download to the executable
Hardcoded serial is:
“Reversing raises knowledge!”
This could have potentially been guessed eventually with a hex dump, but I noticed it when setting a breakpoint at
0x00401462 and doing a register dump (eax points to the string). That address is the start of a loop that compares
the hardcoded [...]

Patch your kernels!

Monday, February 11th, 2008 by mopey

Holy shenanigans, Batman! This one gave me quite a scare: http://www.milw0rm.com/exploits/5092. There’s a hot fix here if you have any accounts with multiple users (i.e. progeny, skynet, but those are fixed): http://ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c

Linux on-the-fly kernel patching without LKM

Thursday, February 7th, 2008 by mopey

Well, I didn’t know this was possible. First published in phrack, and can be viewed at http://doc.bughunter.net/rootkit-backdoor/kernel-patching.html
I guess that pokes a hole in my careful ideas about IDS systems (I guess another one; there are holes on top of holes). Not this particular rootkit of course, but the fact that you can potentially manipulate the kernel by modifying kernel memory. Very tricky.
