
Tag: hacking

NcN 2013 CTF canada write up

In this post I will cover the second binary challenge of the No Con Name 2013 CTF, run by the Facebook security team. The binary is available here

This binary challenge is based on a stripped i386 ELF binary which prompts for a flag:

$ file ./howtobasic
./howtobasic: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=4f288f1a66ad673dc50b51c7e85635358bb11da0, stripped
$ ./howtobasic
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$ 

NcN 2013 CTF australia bin write up

In this post I will cover the first binary challenge of the No Con Name 2013 CTF, run by the Facebook security team. The binary is available here

This binary challenge is based on an i386 ELF binary (not stripped) which prompts for a flag:

$ file ./derp 
./derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=b77361bfdab4b30a5ed258ee173fe306184a4438, not stripped
$ ./derp 
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$ 

Hacking the AR-DRONE Parrot

In this post I will talk about the AR-Drone Parrot.
These user-controlled helicopters are getting very popular, and a lot of people fly them in city parks and gardens.

Some time ago a friend told me he had bought one of these helicopters, so I met up with him and his toy to do some investigation. I know this is nothing new, and very good presentations on UAVs already exist (check the rootedCon 2012 presentation by Hugo Teso), but it is the first time I have seen this kind of drone in the real world 😀

The first thing to say is that these drones are controlled from an iPhone app over an open wireless network, so evil things can happen while the drone is being operated by its legitimate user ]:-)

bypassing devmem_is_allowed with kernel probes

In this article I am going to show how to read the full contents of /dev/mem on Linux 3.x machines by bypassing the devmem_is_allowed() check with a kernel return probe (kretprobe).

Kernel probes (kprobes) are a kernel facility designed for kernel developers to debug system internals. A probe can dynamically break into almost any kernel routine and modify the function's behaviour. They have been used heavily by kernel developers for years, and Red Hat built a user interface to kprobes called SystemTap.
You can find the kprobes documentation in Documentation/kprobes.txt in the kernel tree. You should also download the article's example files: kprobe.tgz
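As an added example (not code from the original article or from its kprobe.tgz), here is the same idea expressed through SystemTap, which the post names as Red Hat's front end to kprobes: a guru-mode script places a return probe on devmem_is_allowed() and overwrites its return value with 1, so range_is_allowed() in drivers/char/mem.c (the CONFIG_STRICT_DEVMEM check) no longer rejects reads above the low 1 MiB. It assumes an x86 kernel built with CONFIG_STRICT_DEVMEM and kprobes, and kernel debuginfo installed so stap can resolve the symbol; the file name devmem_allow.stp is my own choice.

```systemtap
# devmem_allow.stp -- added example, not part of the original post.
# Return probe on devmem_is_allowed(): whenever the kernel answers 0
# ("this page is not allowed") we overwrite the return value with 1, so
# range_is_allowed() in drivers/char/mem.c lets the /dev/mem read through.
# Writing to $return needs guru mode (-g). The probe is removed again when
# stap exits, which restores the STRICT_DEVMEM restriction.
#
# Usage (as root, with kernel debuginfo installed):
#   stap -g devmem_allow.stp &
#   dd if=/dev/mem bs=4096 skip=256 count=16 | xxd | head   # past 1 MiB, normally EPERM

probe begin {
    printf("devmem_allow: overriding devmem_is_allowed(), Ctrl-C to stop\n")
}

probe kernel.function("devmem_is_allowed").return {
    if ($return == 0) {
        printf("%s[%d]: devmem_is_allowed() -> 0, forcing 1\n", execname(), pid())
        $return = 1
    }
}

probe end {
    printf("devmem_allow: probe removed, STRICT_DEVMEM active again\n")
}
```

Two caveats a practitioner should keep in mind: the probe only matters on kernels where devmem_is_allowed() is actually consulted (STRICT_DEVMEM enabled), and while it is loaded every process on the box can read physical memory through /dev/mem, not just your shell, so run it on a lab machine and stop stap as soon as the dump is taken.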

NetBSD i386 shellcoding

This article shows basic shellcoding on NetBSD/i386. I hope this won't be the last one on exploitation of BSD architectures.
The playground is a fresh NetBSD 5.1.2 installation, virtualized with KVM.

net# uname -a
NetBSD net 5.1.2 NetBSD 5.1.2 (GENERIC) #0: Thu Feb  2 17:22:10 UTC 2012  builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-2-RELEASE/i386/201202021012Z-obj/home/builds/ab/netbsd-5-1-2-RELEASE/src/sys/arch/i386/compile/GENERIC i386

Cyanogenmod.com malware spreading

The website Cyanogenmod.com has been compromised and was spreading a piece of malware loaded from warlikedisobey.org/coehegzxw8xgahtrb, hosted at Indo Network Solutions, Scranton, Pennsylvania (USA) (66.197.158.102).

Whois info for 66.197.158.102

IP Information – 66.197.158.102

IP address: 66.197.158.102
Reverse DNS: static-ip-102-158-197-66.host.cybernet.co.id.
ASN: 21788
ASN Name: NOC
IP range connectivity: 7
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 66.197.0.0 to 66.197.255.255
Country fraud profile: Normal
City (per outside source): Reno, Nevada
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

If we query urlquery.net for the URL, we can see that this server has been used since 2011-09-27 to spread malware from multiple domains hosted on it.