Posts

D-Link Router CVE-2021-27342 Timing Side-Channel Attack Vulnerability Writeup

I recently bought a new DIR-842 home router, and immediately (as any hacker would) started toying with it - I can’t call it mine until I pop a shell on it. Rather quickly I found I can enable telnet through the admin web gui, and then connect to telnet with an admin user. But that was too easy, so let’s see if we can find a bug/vulnerability. easy work getting a shell I continued looking for a bug in the router’s telnet implementation because it’s an attractive target: it’s remotely accessible, and as learned by previously connecting as system admin, it runs with high privileges. Also, instead of searching for a memory corruption vulnerability, I focused on finding a more easily exploitable logic vulnerability. CVE-2021-27342 Brute Force Protection Bypass The router’s telnet authentication is protected with an anti-brute force mechanism that limits an attacker’s password guessing speed by delaying the “access denied” response of failed logins. However, this protection’s implementation

Python2 to Python3 Hex/Str/Byte Conversion Cheatsheet For Hackers

If you too have been personally victimized by Python3’s 'str' object has no attribute 'decode' exception or other string/bytes-related exceptions, I feel your agony. Trauma from such errors has stopped me from using Python3 for code handling buffers, like POCs for vulnerabilities or CTF exploits. Here’s a reference guide on how to convert between Python3’s hexstr/str/bytes/bytearray. Python3 Buffer Type Review str An immutable unicode string Created statically using quotes.  Example: mystr = “don’t forget your daily calcium” hexstring A str consisting of hexadecimal numbers (0-9, a-f).  Primarily used to convert binary data to a printable format.  Created like str, but contains only hexadecimal numbers Example: “calc” is “63616c63” bytes An immutable array of one-byte elements Created statically by putting the letter “b” before quotes Example: mybytes = b“bring all the boys to the yard” bytearray  A mutable list of one-byte elements Created through the bytearray c

uTorrent CVE-2020-8437 Vulnerability And Exploit Overview

The world’s most popular torrent client, uTorrent, contained a security vulnerability — later to be called CVE-2020-8437 — that could be exploited by a remote attacker to crash and corrupt any uTorrent instance connected to the internet. As white-hat hackers, my friend (who wishes to remain anonymous) and I reported this vulnerability as soon as we found it and it was quickly fixed. Now, after ample time has been given for users to update, it’s safe to disclose an overview of the vulnerability and how to exploit it. Torrent Protocol - What You Need To Know Torrent downloads utilize simultaneous connections to multiple peers (other people downloading the same file), creating a decentralized download network that benefits the collective peer group. Each peer can upload and download data to and from any other peer, eliminating any single point of failure or bandwidth bottleneck, resulting in a faster and more stable download for all peers. Peers communicate with each other using the BitTor

How I Compile Reverse Engineering Exercises For Maximum Learning And Minimum Noise

Imagine if your first reverse engineering exercise was to reconstruct an encrypted IAT – if you don’t fully know what that means, that’s the point: beginner reverse engineering exercises should be clear (and fun)! Anything that can throw off the analysis of a reverse engineer, such as optimized inlined functions, shouldn’t be in beginner exercises. Secondly, I would like my exercises to run on as many students' computers as possible. These are the goals I strive for when creating CyberQueens exercises, and here is how I configure my compiler to meet those goals. Ensuring A Clear And Concise Executable is Compiled To prevent the compiler from adding any unintended opcodes or logic, which could confuse aspiring reverse engineers, set all of the following build properties: To disable uninitialized memory checks (and other debugging checks) from being automatically compiled into the code, set the compilation target to Release. This can be done from VS’s main page, as seen in Fi

Windows Source Code Leaks & A Story Of Lost Source Code

Disclaimer: The information presented in this blog post is for educational purposes only. When researching or just tinkering with Windows and Microsoft executables, having the source code is a great advantage. This short article is a collection of links to Windows and Microsoft code. Leaked Windows Source Code Links to leaked Windows source files: Windows XP (NT5) https://github.com/cryptoAlgorithm/nt5src Windows NT4 https://github.com/ZoloZiak/WinNT4 Windows 2000 https://github.com/pustladi/Windows-2000 Windows Research Kit https://github.com/Zer0Mem0ry/ntoskrnl Official Microsoft Published Source Code Microsoft has recently become significantly more Open Source oriented, and has even started actively developing Open Source projects and publishing some of its own code. Links to published Microsoft code: Microsoft .NET source https://referencesource.microsoft.com/ Microsoft’s Github https://github.com/Microsoft Other Resources Other resources to help you with

Guy's 30 Reverse Engineering Tips & Tricks

Good morning lovely people! During April I challenged myself to tweet 1 reverse engineering tip every day. For your viewing pleasure, here I aggregated all 30 tips. Be sure to follow me @whtaguy for my latest tweets and more reverse engineering extravaganza. Leave a comment on this post or tag me on Twitter - I reply pretty quickly :) If the tweets aren't displayed properly (for example if there are no pictures), temporarily turn off tracker protection, which blocks loading the required resources from twitter Tips & Tricks Tip 1 *Reverse Engineering Tip 1/30* long branch-less functions w/many xors & rols are usually hash functions. IDA view of MD5 func: #BinReversingTips pic.twitter.com/cLSGfxNupK — Guy🏂 (@whtaguy) April 1, 2020 Tip 2 -Reversing Tip 2/30- Building on the last tip, after finding a hash function, google its constant to identify the exact hash algorithm. #BinReversingTips pic.twitter.com/MJJIBY9pde — Guy🏂 (@whtaguy) Apri

Calling Arbitrary Functions In EXEs: Performing Calls to EXE Functions Like DLL Exports

Motivation When reversing or fuzzing an executable, being able to run an arbitrary function with controlled data is extremely helpful. Through iteratively playing with the function's parameters and examining the output, we can better understand the function's logic. Background A dll (Dynamic Linked Library) with our target function would allow us to conveniently review and test the function as we wish. The only problem is that usually the function we want to examine resides in an exe, not a dll. Converting¹ an exe to a dll is a solvable challenge. After all, both an exe and a dll share the same PE (Portable Executable) file format. So let's explore: how can we convert¹ an exe to a dll? Spoiler: there are a few more steps than just changing the extension 😉 ¹ "convert to DLL" = fundamentally behave like a DLL. I'll use this exe created from the following code and target the decode_string function for demonstration purposes throughout this post.