Fuzzing: FastStone Image Viewer & CVE-2021-26236
The post Fuzzing: FastStone Image Viewer & CVE-2021-26236 appeared first on VoidSec.
This blog post is part of a series and a re-posting of the original article "Fuzzing 101" that I have written for Yarix on YLabs. Introduction In this article, I would like to introduce fuzz testing as part of a vast overview of software testing approaches used to discover bugs and vulnerabilities within applications, protocols, […]
The post Software Testing Methodologies & Approaches to Fuzzing appeared first on VoidSec.
We are proud to announce that ECG got its first major update. ECG is the first and only commercial solution (Static Source Code Scanner) able to analyze and detect real and complex security vulnerabilities in TCL/ADP source code. ECG's v2.0 New Features On-Premises Deploy: Scan your code repository on your secure and highly-scalable offline appliance with a local […]
The post Announcing ECG v2.0 appeared first on VoidSec.
TL;DR: this blog post serves as an advisory for both: CVE-2020-28054: An Authorization Bypass vulnerability affecting JamoDat – TSMManager Collector v. <= 6.5.0.21 A Stack Based Buffer Overflow affecting IBM Tivoli Storage Manager – ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1. Unfortunately, after I had one of […]
The post Tivoli Madness appeared first on VoidSec.
Following a recent engagement, I had the opportunity to check and verify some possible vulnerabilities on an ASP .NET application. Despite not being the deepest technical nor most innovative blog post you could find on the net, I have decided to post it anyway in order to explain the methodology I adopt to verify possible vulnerabilities. […]
The post .NET Grey Box Approach: Source Code Review & Dynamic Analysis appeared first on VoidSec.
Banner Image by Sergio Kalisiak TL;DR: I will explain, in detail, how to trigger the PrintDemon exploit and dissect how I've discovered a new 0-day: Microsoft Windows EoP CVE-2020-1337, a bypass of PrintDemon's recent patch via a Junction Directory (TOCTOU). Contents PrintDemon primer: how does the exploit work? PrinterPort WritePrinter Shadow Job File Binary Diffing CVE-2020-1048 […]
The post CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! appeared first on VoidSec.
TL;DR: Shenzhen Sricctv Technology Sricam CMS (SricamPC.exe) <= v.1.0.0.53(4) and DeviceViewer (DeviceViewer.exe) <= v.3.10.12.0 (CVE-2019-11563) are affected by a local Stack Buffer Overflow. By creating a specially crafted "Username" and copying its value in the "User/mail" login field, an attacker will be able to gain arbitrary code execution in the context of the currently logged-in […]
The post A tale of a kiosk escape: "Sricam CMS" Stack Buffer Overflow appeared first on VoidSec.
During this period of social isolation, a friend of mine proposed to play some online "board games". He proposed "Tabletopia": a cool sandbox virtual table with more than 800 board games. Tabletopia is accessible both from its own website and from the Steam platform. While my friends decided to play from their browser, I've opted […]
The post Tabletopia: from XSS to RCE appeared first on VoidSec.
Assignment #7: Custom Shellcode Crypter The seventh and last SLAE assignment requires creating a custom shellcode crypter. Since I had to implement an entire encryption scheme both in Python as a helper and in assembly as the main decryption routine, I've opted for something simple. I've chosen the Tiny Encryption Algorithm (TEA) as it does […]
The post SLAE – Assignment #7: Custom Shellcode Crypter appeared first on VoidSec.
Assignment #6: Polymorphic Shellcode The sixth SLAE assignment requires creating three different polymorphic shellcode versions starting from published Shell Storm examples. I've decided to examine these three: http://shell-storm.org/shellcode/files/shellcode-752.php – linux/x86 execve ("/bin/sh") – 21 bytes http://shell-storm.org/shellcode/files/shellcode-624.php – linux/x86 setuid(0) + chmod("/etc/shadow",0666) – 37 bytes http://shell-storm.org/shellcode/files/shellcode-231.php – linux/x86 open cd-rom loop (follows "/dev/cdrom" symlink) […]
The post SLAE – Assignment #6: Polymorphic Shellcode appeared first on VoidSec.
Assignment #5: Metasploit Shellcode Analysis The fifth SLAE assignment requires dissecting and analysing three different Linux x86 Metasploit payloads. Metasploit currently has 35 different payloads, but almost half of them are Meterpreter versions, meaning staged payloads. I've therefore decided to skip Meterpreter payloads as they involve multiple stages and a higher complexity that will break […]
The post SLAE – Assignment #5: Metasploit Shellcode Analysis appeared first on VoidSec.
Assignment #4: Custom Shellcode Encoder As the 4th SLAE assignment I was required to build a custom shellcode encoder for the execve payload, which I did; here's how. Encoder Implementations I've decided not to rely on XORing functionalities, as most antivirus solutions are now well aware of this encoding scheme, the same reason for which […]
The post SLAE – Assignment #4: Custom shellcode encoder appeared first on VoidSec.
This post will be a bit different from the usual technical stuff, mostly because I was not able to find any reliable solution on the Internet and I would like to help other people having the same doubt/question. It's nothing advanced, just something useful that I didn't see posted before. During a recent engagement I […]
The post Perform a Nessus scan via port forwarding rules only appeared first on VoidSec.
Assignment #3: Egghunter This time the assignment was very interesting; here are the requirements: study an egg hunting shellcode and create a working demo, which should be configurable for different payloads. As many before me, I've started my research journey with Skape's paper "Searching Process Virtual Address Space". I was honestly amazed by the paper's content, […]
The post SLAE – Assignment #3: Egghunter appeared first on VoidSec.