voidsec, 2020-11-20T08:42:40+00:00
TL;DR: this blog post serves as an advisory for both:
CVE-2020-28054: an Authorization Bypass vulnerability affecting JamoDat – TSMManager Collector v. <= 188.8.131.52
A Stack-Based Buffer Overflow affecting IBM Tivoli Storage Manager - ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1.
Unfortunately, after I had one of the rudest encounters with a HackerOne triager, these are the takeaways: IBM Tivoli Storage Manager has reached its end of life support and will not...
voidsec, 2020-10-07T13:19:39+00:00
Following a recent engagement, I had the opportunity to check and verify some possible vulnerabilities in an ASP .NET application. Despite not being the most technical or innovative blog post you could find on the net, I have decided to post it anyway in order to explain the methodology I adopt to verify possible vulnerabilities. If you are into a grey-box approach (Source Code Review and Dynamic Analysis, SAST/DAST), new to ASP .NET applications or planning to take AWAE,...
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
voidsec, 2020-08-12T12:32:14+00:00
Banner Image by Sergio Kalisiak
TL;DR: I will explain, in detail, how to trigger the PrintDemon exploit and dissect how I discovered a new 0-day: Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon's recent patch via a Junction Directory (TOCTOU).
Contents
PrintDemon primer: how does the exploit work?
PrinterPort
Shadow Job File
Binary Diffing CVE-2020-1048 Patch
CVE-2020-1337 – A bypass of CVE-2020-1048's patch
Disclosure Timeline
After Yarden Shafir's & Alex Ionescu's posts (PrintDemon, FaxHell) and their call to action,...
A tale of a kiosk escape: ‘Sricam CMS’ Stack Buffer Overflow
voidsec, 2020-05-14T09:36:19+00:00
TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.184.108.40.206(4) and DeviceViewer (DeviceViewer.exe) <= v.220.127.116.11 (CVE-2019-11563) are affected by a local Stack Buffer Overflow. By creating a specially crafted "Username" and copying its value into the "User/mail" login field, an attacker will be able to gain arbitrary code execution in the context of the currently logged-in user.
Please Note: by default, Sricam CMS requires elevation and runs in High Integrity mode; exploitation of the above software will result in a compromise...
voidsec, 2020-05-09T10:15:58+00:00
During this period of social isolation, a friend of mine proposed to play some online "board games". He proposed "Tabletopia": a cool sandbox virtual table with more than 800 board games. Tabletopia is accessible both from its own website and from the Steam platform. While my friends decided to play from their browser, I opted for the Steam version. We joined a room and started a game; at one point we were messing around with some in-game cards when, for...
voidsec, 2020-04-04T15:38:34+00:00
Assignment #7: Custom Shellcode Crypter
The seventh and last SLAE assignment requires creating a custom shellcode crypter. Since I had to implement an entire encryption scheme, both in Python as a helper and in assembly as the main decryption routine, I opted for something simple. I chose the Tiny Encryption Algorithm (TEA) because it is tiny, not too complex to re-implement, and does not require large IV or S-box initialization vectors (which would add a huge overhead to my shellcode's decoding routine). As...
voidsec, 2020-04-02T14:39:56+00:00
Assignment #6: Polymorphic Shellcode
The sixth SLAE assignment requires creating three different (polymorphic) shellcode versions, starting from published Shell-Storm examples. I decided to take these three under examination:
http://shell-storm.org/shellcode/files/shellcode-752.php - linux/x86 execve("/bin/sh") - 21 bytes
http://shell-storm.org/shellcode/files/shellcode-624.php - linux/x86 setuid(0) + chmod("/etc/shadow", 0666) - 37 bytes
http://shell-storm.org/shellcode/files/shellcode-231.php - linux/x86 open cd-rom loop (follows "/dev/cdrom" symlink) - 39 bytes
As always, all the code is also available on GitHub.
Stay updated, join VoidSec's Telegram Channel: https://t.me/voidsec_updates
; http://shell-storm.org/shellcode/files/shellcode-752.php
xor ecx, ecx
push 0x68732f2f ...
voidsec, 2020-04-02T14:24:28+00:00
Assignment #5: Metasploit Shellcode Analysis
The fifth SLAE assignment requires dissecting and analysing three different Linux x86 Metasploit payloads. Metasploit currently has 35 different payloads, but almost half of them are Meterpreter versions, meaning staged payloads. I therefore decided to skip the Meterpreter payloads, as they involve multiple stages and a higher complexity that would break libemu graph generation (which I find very useful for explaining a shellcode's operations). In this blog we are going to analyse the following shellcodes: linux/x86/shell_find_tag
voidsec, 2020-03-17T11:14:59+00:00
Assignment #4: Custom Shellcode Encoder
For the 4th SLAE assignment I was required to build a custom shellcode encoder for the execve payload, which I did; here is how.
I decided not to rely on XOR-based encoding, as most antivirus solutions are now well aware of this scheme; for the same reason I skipped ROT13 and other "rotating" encodings. I thought of using multiple odd shifting schemes, but that would have had...
Perform a Nessus scan via port forwarding rules only
voidsec, 2020-03-13T09:46:43+00:00
This post will be a bit different from the usual technical stuff, mostly because I was not able to find any reliable solution on the Internet and I would like to help other people with the same doubt/question. It's nothing advanced, just something useful that I hadn't seen posted before. During a recent engagement I found myself in a strange network position: I had to perform Nessus credentialed and patch checks on some Windows servers, and I was in a...