Posts

Write-up of the monkey_.exe_1 crackme

This is a write-up of monkey_.exe_1, a crackme written by monkey and published on crackmes.de, now available at crackmes.one.
To get an idea of what the program does, we first run it normally. We see two message boxes:

Now that we know what we need to do, let's start running it in x64dbg. Once we get to the entry point, we see:
00401000  mov edi, monkey-exe1.401014      edi:EntryPoint
00401005  mov ecx, 47                      ecx:EntryPoint, 47:'G'
0040100A  mov al, byte ptr ds:[edi]        edi:EntryPoint
0040100C  xor al, 11
0040100E  stosb
0040100F  sub ecx, 1                       ecx:EntryPoint
00401012  jne monkey-exe1.40100A

This is a loop where the bytes following 0x00401014 are decrypted into the instructions that will actually be executed by XOR-ing them with 0x11. To see what this code is, we can place a breakpoint at 0x00401014 and then let the loop finish by allowing execution to continue.

We see another decryption routine, and some code which creates a message box:
00401016  mov edi, monkey-exe1.40103F
0040101B  mov ecx, 1C
00401020  mov al, byte ptr ds:[edi]
00401…

Local File Inclusion and reading password-protected forums in MyBB

Recently, I've been looking at the MyBB forum software to try to find security issues with it. Here are the results that I have so far. These have been reported privately to the maintainers of the software. The first two are fixed in version 1.8.15, and the third will be fixed in 1.8.16.
1. Local File Inclusion in admin panel. From the admin panel, select:
Tools and Maintenance -> Task Manager -> Add New Task

Then, when submitting the request, modify the "file" POST parameter as shown below, and the file "../../../file.php" will be executed when the task is run (if the file exists).



2. Read posts in password-protected forums. A feature of MyBB is the ability to create password-protected forums. If a forum is password-protected, then only users who know the password will be able to view the posts in that forum.

However, MyBB does not require a password for users to subscribe to a password-protected forum (or the threads inside it). Furthermore, when users s…

Security implications of ANSI escape codes in Git server responses

Summary

The Git client does not validate messages received from a Git server, and will print anything received, including ANSI escape codes, to the terminal. The security implications of allowing ANSI escape codes to be written to the terminal depend on the terminal, shell, resources and configuration options, but can vary from messing up a user's terminal configuration to execution of arbitrary commands.

This lack of client-side validation can be exploited by running a malicious Git server, or through a MITM attack.

For an overview of the types of attacks which are possible with ANSI escape codes, here are some useful links: 1, 2, 3.
Example

The remainder of this article will be devoted to demonstrating this discovery in action.

Setting up git server

To start the git server, I used the command:

git daemon --enable=receive-pack --verbose --base-path=/home/user/git --export-all


"--enable=receive-pack" allows anyone - unauthenticated - to push to your git server. It's a g…

Experimenting with the Audiocodes MP264

The Audiocodes MP264 is a gateway device which was issued to customers of some ISPs in Australia (such as iPrimus, Dodo and Commander), New Zealand (WXC) and Israel (012). It has four Gigabit Ethernet ports, on-board WiFi, one xDSL port, two FXS ports, two USB 2.0 ports and lots of LEDs. It also appears that there is a place on the board to solder on a third USB port.

There appear to be multiple devices with the name "MP264". For that reason, it may help you to know that the sticker on the box mine came in says "Model: MP264DB" and "REV.: P06".

As the NBN is being rolled out across Australia, it seems that many people are deciding to dispose of their old gateways, so if you're lucky, you should be able to find one of these quite cheaply.

This article is quite long, so it is divided into three main sections.

In the first section, we learn how to upload and run arbitrary code through the stock firmware's web interface, and demonstrate this by construct…