
Posts

Showing posts from 2018

Bluetooth Low Energy: Build, Recon, Enumerate and Attack!

Introduction In this post I will try to share some information on the Bluetooth Low Energy protocol. Bluetooth Low Energy (BLE) is Bluetooth 4.0. It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The term Low Energy refers to multiple distinctive features, that is operating on low power and at a lower data transfer rate. Code BLE Internals and Working The next thing we need to know is a profile. Every Bluetooth device can be categorized based on certain specifications, which makes it easy. Here we will take a close look at two profiles of Bluetooth which are specifically designed for BLE. Generic Access Profile (GAP) - This profile describes how two BLE devices define discovery and establishment of a connection with each other. There are two types of data payload that can be used: the Advertising Data Payload and the Scan Response Payload. The GAP uses br

Effective AFL Fuzzing 1: Better Harness

American Fuzzy Lop, a.k.a. AFL, is a great fuzzing tool; however, to make it work effectively, we need to take care of certain aspects. In this post I will discuss the 'harness'. Today I will show the approaches I took which led to improved fuzzing results. Well, I didn't get any successful crash during the short period of the run, but the results improved: paths, map coverage, etc. I decided to fuzz the following application called "inih", which is an .ini file parser written in C. Link to code on GitHub: https://github.com/benhoyt/inih The first code I used is the sample example provided in the sample directory. Modification 1: None. I just tried to compile the sample test application and fuzz it. Code 1: Result 1: Well, we can see "odd, check syntax". It means that AFL is not able to find new paths; we can also see that the cycles are increasing but no new paths are detected. So I decided

Reverse Engineering a Router Firmware

I have an old TP-Link router and I wondered whether it is possible to reverse the firmware and see if there is anything interesting or not. I grabbed the firmware from the website and downloaded it locally root@vultr:~/tplink_rev# wget https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip --2018-09-19 16:46:26--  https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip Resolving static.tp-link.com (static.tp-link.com)... 23.67.166.40 Connecting to static.tp-link.com (static.tp-link.com)|23.67.166.40|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 2902988 (2.8M) [application/x-zip-compressed] Saving to: ‘TL-WR740N_v1v2_100910.zip’ TL-WR740N_v1v2_100910.zip                 100%[=====================================================================================>]   2.77M  --.-KB/s    in 0.01s 2018-09-19 16:46:26 (220 MB/s) - ‘TL-WR740N_v1v2_100910.zip’ saved [2902988/2902988] Uncompressing the zip file we get a PDF fi

Why do we need Egg Hunters?

In this post I am going to show you a few examples of buffer overflows and why we need egg hunters in certain scenarios. For these examples I am going to turn off all security features and compile our code with a few unsafe operation flags. Set the system with ASLR disabled - echo 0 | sudo tee /proc/sys/kernel/randomize_va_space Allow stack smashing - compile the program with -fno-stack-protector Make the stack executable - compile the program with -z execstack Let's get started with some simple vulnerable code Scenario 1 #include<stdio.h> #include<string.h> void main(int argc,char **argv){         char buffer[500];         strcpy(buffer,argv[1]);         printf("%s",buffer); } dibyendu@ubuntu:~/Desktop/b0f$ gdb -q ./b0f.o Reading symbols from /home/dibyendu/Desktop/b0f/b0f.o...(no debugging symbols found)...done. (gdb) r $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*50

SLAEx86: Coding a custom TCP Reverse Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it to the operating system and vice versa. In this writeup I will show you how we can create a custom TCP reverse shell shellcode. So how does a TCP reverse shell exploit work? A TCP reverse shell shellcode is more effective than a bind shell, because the victim's firewall may block incoming connections. So instead of opening a port on the victim side, we open a port on the attacker side and ask the victim machine to connect back to us on successful execution of the shellcode. So we, on the attacker side, listen for an incoming connection, and when the victim connects back to the listening port, it opens up a shell on the victim side and transfers control to the attacker. The attacker now has shell access to the victim's machine and can run any commands. There are a few points I need to make clear while I write this post 1. The code that I have written went through a lot of debugging

SLAEx86: Coding a custom TCP Bind Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it to the operating system and vice versa. In this writeup I will show you how we can create a custom TCP bind shell shellcode. So how does a TCP bind shell exploit work? In a TCP bind shell exploit shellcode, the exploit listens for an incoming connection, and when the attacker connects to the port on which the exploit runs, it opens up a shell and transfers control to the attacker. The attacker now has shell access to the victim's machine and can run any commands. There are a few points I need to make clear while I write this post 1. The code that I have written went through a lot of debugging and modification, and I am still modifying it (to minimize it and to remove bad characters: for example, PUSH 0x0 can introduce bad characters, so I replaced them with something that had the value NULL and then pushed that onto the stack, like PUSH ECX) 2. Some code which I have written might look absurd (for example mov eax,ed

Privilege Escalation Tricks: Shell Escape and Executing Shell Commands via GDB

Often during a pentest or CTF you might need to execute shell commands but cannot due to limited privileges, and at certain times you need to escape a restricted shell. In such scenarios certain techniques come in handy, like using NMAP, using the Vi editor, or using the find command. Yesterday, while I was playing with GDB, I found a way by which we can achieve similar results. Here you can see I can invoke system commands from the gdb shell. Furthermore, you can get a nice shell as well. Thanks for reading!

ASM to ShellCode and Shellcode to ASM

As I have started a journey into vulnerability research and exploitation, I thought of sharing some topics which I found very confusing initially, so I will try to detail as much information as possible. We will begin by writing a simple hello world assembly program. The code will do the following: print HelloWorld and exit. Now you may wonder why I have to write code that exits. If that is the case then you have probably written a good amount of code in a high-level language. The compilers of high-level languages take care of it, i.e. writing the extra code, like the exit code, into the object file. Internally, every operation like read, write, exit and so on requires some low-level call to the kernel. These calls are called syscalls. So if you are programming in a high-level language like C or C++, you don't need to write code to make the syscalls, because an abstraction layer hides the extra code that is required. The compiler takes care

SANS HOLIDAY HACK 2017: PART 5

If you have not read the 1st part then read it here: http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html This part is all about exploiting machines. Each challenge will lead us to a page of the Great Book that will answer our question of who was the actual culprit behind hurling those massive snowballs. 6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page? We can find the IP of the internal host from the NMAP scan on the compromised machine from PART 2 of this series. nmap -PS80 -v 10.142.0.1/24 --open Let us connect to Alabaster's system again using SSH followe

SANS HOLIDAY HACK 2017: PART 6

If you have not read the 1st part then read it here: http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html This part is all about exploiting machines. Each challenge will lead us to a page of the Great Book that will answer our question of who was the actual culprit behind hurling those massive snowballs. Challenge 8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter? On doing an nmap scan of the internal network using the compromised Alabaster's system, we can find the edb server. We will connect to Alabaster's machine again and use SSH port forwarding to port 80 to get access to the web application. We will also edit our hosts file to make sure we can point at edb.northpolechristmastown.com. Now we can access the application. Once we do this we can try logging in with Alabaster's credentials, but it doesn't work. Looking at the intercepted requests, we s