Archive for November, 2010

51 Byte x86_64 OS X Null Free Shellcode

It doesn’t seem like there’s a lot of x86_64 bit shellcode out there for the Intel Mac platforms so I figured I’d write my own and share it. I’m using Mac OS X 10.6.5 at the time of this post.


Instead of starting with the source and ending with the shellcode, we’re going to throw this one in reverse and get right to the shellcode. So here you have it, a 51 byte Mac OS X 64 bit setuid/shell-spawning shellcode


Phrack 67 Today!

Phrack 67 comes out today! Phrack is THE online magazine for anyone interested in security. Phrack was the original magazine to debut the infamous “Smashing The Stack For Fun And Profit” article. Its been some time since they last released an issue (2009). “Is your blood boiling?” – heck ya! (more…)

Mac OS X 64 bit Assembly System Calls

After reading about shellcode in Chapter 5 of Hacking: The Art of Exploitation, I wanted to go back through some of the examples and try them out. The first example was a simple Hello World program in Intel assembly. I followed along in the book and had no problems reproducing results on a 32 bit Linux VM using nasm with elf file format and ld for linking.

Then I decided I wanted to try something similar but with a little bit of a challenge: write a Mac OS X 64 bit “hello world” program using the new fast ‘syscall’ instruction instead of the software interrupt based (int 0×80) system call, this is where things got interesting.

Conficker’s P2P Update Process

There’s a great article on Conficker variant C’s peer-to-peer update process. It allows for distributed updating abilities by scanning for Conficker peers and implements a simple update protocol

  • What’s your version? Here’s my version. If your running version is higher than mine, send me yours, if not I’ll send you mine.

It’s a pretty in-depth read but very interesting. Check it out

How strong are my passwords?

I think the passwords I use are pretty strong. They’re long, random, alphanumeric, and special characters. I know it’s possible to crack passwords, given enough time, so I thought I’d give it a try. I’m curious how long it’s going to take to crack. (more…)

Ophcrack or Oph-crap?

I did some simple tests tonight using the “free” rainbow tables that come with Ophcrack. I was expecting at least one of my passwords to be cracked but neither were. I think there were a couple reasons for this

  1. The password on my XP machine is 15 characters – Ophcrack only goes up to 14 with the free tables for XP
  2. The password on my Windows 7 machine is not in the dictionary – Ophcrack only uses a “based on dictionary” hybrid table with the free tables for Vista+

The good thing here is that for the “trivial” user, they won’t be able to get my passwords since the non-free tables go for $99 a piece or they’ll need to obtain other tables online.

So is it Ophcrack crap? No, probably not, that would be a little harsh since I bet the free tables would crack a huge majority of the general public’s passwords.

Sniffing Traffic on Your Home Router or Hub

I’ve always knew it was possible to sniff traffic on your home network but every time I tried, I always ended up sniffing ‘management type packets’ (e.g. arp requests, syns, acks, etc). I’d never really seen any useful information come across the wire so I pretty much wrote off the idea of sniffing.

Recently I had done a little deeper dive related to some work I’m doing in class and discovered some of the things I’d done wrong in the past. So here’s a short post on sniffing traffic on your home network. Take a minute to understand the concepts and be responsible with your sniffing activities. (more…)

Online WPA Crackers

Almost everything, in some sense or another, is vulnerable to brute force. It’s just a matter of how long it takes for something to be brute forced that tends to it’s security. I found it pretty interesting that there are now online WPA crackers that will mount dictionary attacks against captured WPA authentication handshakes: (more…)

Go to Top