Buffer Overflow in HexChat 2.9.4

6 minute read Apr 6, 2013 Comments
A buddy of mine, Mulitia, and I were talking about 0-days, and he mentioned finding one in Hex-Chat, a popular IRC client. It was super low severity, but still neat. If you entered “/server " followed by 20,000 random characters, the application died. I decided to try to make a working exploit out of this for fun. I contacted HexChat, by initialling going into the #hexchat channel on irc.freenode.net and trying to find a security contact.

Multiple Hover.com Security Issues

5 minute read Feb 28, 2013 Comments
I’m a customer of Hover for my domain name needs. However, that will be changing because I don’t believe that they take issues seriously. The first security issue I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the textfield. I noticed an error, and eventually crafted this url: https://www.hover.com/domains/results?q=%27%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E There’s nothing magical in that URL, however it demonstrated a real vulnerability in their code:

XBMC Traversal Metasploit Module

3 minute read Feb 25, 2013 Comments
Background I was talking in Intern0t several months ago. AcidGen, from IOActive mentioned that he found a bug in XBMC. I use XBMC quite a bit at home, on various platforms, since it’s extremely wife-friendly. I hit him up, and we started talking. We had a nice Skype conversation, where we discussed possible platforms that were affected, and future exploits that we’d like to find. Since I had a jailbroken Apple TV 2 and RaspberryPi, I told him that I could test those platforms and help out.

HSTS Metasploit Module

4 minute read Feb 21, 2013 Comments
I have been working as a security consultant for a few months now, and one finding that is on almost every webserver I come across, is the lack of an HSTS (HTTP Strict Transport Security) implementation. This is understandable, since HSTS is still fairly new. In fact, before starting at Accuvant, I had never heard of it either! However, since most browsers support it now, I wanted to be able to report on it.

OverTheWire Monxla Part 3

7 minute read Nov 26, 2012 Comments
Continuing from the last post, we are now logged in as a user. The next step on the PDF from the agent, that we can access, is the Notes Service. I started analyzing the source code, and noticed that the text that says “yes” or “no” in the table is actually an image being rendered from the hasnotes.php file. I started tinkering with that file, and found that it was vulnerable to SQL injection.

OverTheWire Monxla Part 2

3 minute read Nov 25, 2012 Comments
In the previous post, I showed how to get the PDF that outlines the services running on the Monxla VM image. This article will continue where that one left off. Firstly, the PDF explains that there are 2 virtual hosts enabled on the machine. To configure my machine for these virtual hosts, I added these lines to my /etc/hosts file: 192.168.188.134 nasenko.otw 192.168.188.134 honeylink.otw There are 2 sites immediately available to you:

OverTheWire Monxla Part 1

2 minute read Nov 24, 2012 Comments
I had a twitter follower recently inform me that OverTheWire had a new wargame up and running. I was immediately excited and downloaded it. Several days later, I actually was able to start tinkering with it. I booted up the image, and proceeded to do some preliminary nmap scans. I found a few services runinng: mandreko$ nmap -sV -p1-65535 -T4 192.168.188.134 Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-15 10:28 EST Nmap scan report for 192.

OverTheWire Natas Level 15

3 minute read Nov 14, 2012 Comments
Up until now, none of the OverTheWire Natas challenges really gave me that much of an issue. This one however, took me a couple hours to complete. Level 15 is a fun blind sql-injection vulnerability. It starts out with a username check dialog, which pretty much only gives you a binary value as to if a username exists or not. I looked at the source code, and couldn’t see any way to inject some SQL to get it to retrieve the password for me.

OverTheWire Natas Level 14

2 minute read Nov 13, 2012 Comments
The next level of the OverTheWire Natas wargame is Level 14, which introduces SQL Injection, a very popular subject as of late. The level starts out with a login dialog. The source code is fairly straight forward. It’s doing a basic authentication query. It however, does have a handy “debug” flag, that if set, will print the query used to the screen. <html> <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head> <body> <h1>natas14</h1> <div id="content"> <?

OverTheWire Natas Level 13

3 minute read Nov 12, 2012 Comments
Level 13 of OverTheWire’s Natas wargame is extremely similar to Level 12. The only difference now, is that it’s validating that the file is in fact an image. This however is flawed, as exif data can be faked. It starts out with a similar upload prompt as last time. The source code is super similar to last time. <html> <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head> <body> <h1>natas13</h1> <div id="content"> For security reasons, we now only accept image files!
Page 2 of 8 1 2 3 4 5 6 7 8