staring into /dev/null

barrebas

(Semi) Weekly Roundup 2015 #3

So maybe ‘weekly’ isn’t really the right word for these posts ;]

With all the stuff going on in the weekends, I kinda missed a few of these roundups.

Don’t have anything to do and fancy winning awesome prizes? Head over to VulnHub.com and give Sokar by rasta_mouse a spin! VulnHub is two years old and this VM is run as a competition to celebrate!

This post by mwrsecurity goes into great detail about bypassing Windows 8 kernel memory protection strategies. It talks about allocating user-land memory and then corrupting paging structures, so that the kernel believes that piece of memory is executable as kernel-land code… Pretty clever stuff!

I came across this exploit, which allows attackers to change the DNS settings of a specific model of D-Link router remotely and without authentication. Scary stuff! Makes you wonder if manufacturers spend any time at all securing these appliances…

This PDF slide deck shows how to break out of a JavaScript virtual machine by abusing JS string objects. It’s not very detailed and the explanation is a little thin, but it’s still quite an intriguing look into how these exploits work.

And finally, a while ago I found this blog on willhackforsushi.com which actually refers to one of my old boot2root writeups! In that VM, I had difficulty getting sqlmap to upload a webshell and I finally did it manually. Josh fixed the problem by starting with valid data for the SQL injection! The SQL code that stores the webshell on the remote server needs at least one valid row from the database, and this condition is only triggered when valid input (like an existing username) is supplied. Good job figuring out the root cause!
