IO Smash the stack level 03

Level03 level3@io:~$ cd /levels/ level3@io:/levels$ ls -latr level03* -r-------- 1 level3 level3 658 Sep 22 2012 level03.c -r-sr-x--- 1 level4 level3 5238 Sep 22 2012 level03 level3@io:/levels$ cat level03.c //bla, based on work by beach #include <stdio.h> #include <string.h> void good() { puts("Win."); execl("/bin/sh", "sh", NULL); } void bad() { printf("I'm so sorry, you're at %p and you want to be at %p\n", bad, good); } int main(int argc, char **argv, char **envp) { void (*functionpointer)(void) = bad; char buffer[50]; if(argc !

IO Smash the stack level 02

Level02 level2@io:~$ cd /levels/ level2@io:/levels$ ls -latr level02* -r-------- 1 level2 level2 437 May 26 2011 level02_alt.c -r-sr-x--- 1 level3 level2 6940 May 26 2011 level02_alt -r-sr-x--- 1 level3 level2 5329 Oct 4 2011 level02 -r-------- 1 level2 level2 495 Apr 13 2015 level02.c This time we got source code so lets look at it level2@io:/levels$ cat level02.c //a little fun brought to you by bla #include <stdio.h> #include <stdlib.

IO Smash the stack level 01

A colleague of mine recommended playing wargames so I started on and will write my findings. Please notice that I do not write the passwords for levels and you should really not just try to copy but understand the challanges yourself. You will only be cheating yourself of fun :) Level01 level1@io:~$ cd /levels/ level1@io:/levels$ ls -latr level01* -r-sr-x--- 1 level2 level1 1184 Jan 13 2014 level01 No source provided so lets try to start it

Creating facters on Windows

I’ve done automation with puppet for nearly 3 years on Linux but recently I have been tasked (work) with some automation on Windows. To tell you the truth I’m not exactly a fan of windows and never will be but I like a challenge. But for this particular tasks I needed a list of logical drives and a list of network adaptors and I couldn’t find anyone who had already created these facters.

PHP callback function backdoor

I recently had an incident at a customers website where the site was compromised. The customer went through the code and found several SQL injections, XSS and newly added files with backdoors (basic evals in PHP). All vulnerabilities was fixed (According to the customer) but about a month later the site was compromised again. Unfortunately no version control was used so we had to go through all files to help the customer and the log had no indications of successful attempts.

Missing unread mail count in the dock on Mac OS X 10.9 (Mavericks)

I’ve had plenty of issues with mail in Mac OS X but most of them have been related to the poor implementation of the integration with Exchange. But I have finally found a solution for one specific problem. That is the missing unread count in the dock. This is how I fixed it. Quit mail entirely and run from a command prompt # mv ~/Library/Mail/V2/MailData/Envelope* ~/Desktop/ Not open mail once again and it will do a import of all mails (Took about 2 hours on my machine but it depends on how many mails and mail accounts you have).

The lost art of debugging for admins #part 2 – Basic knowledge of protocols

Protocols Just a little knowledge about a few protocols can get you a long way when debugging. Often, clients does not give the full feedback from the server or tries to give a user-friendly error message which just makes it worse. Here is how just a handfuld of protocols can be used using telnet/openssl HTTP/HTTPS $ telnet 80 Connected to Escape character is '^]'. GET / HTTP/1.1 HOST: www.

The lost art of debugging for admins #part 1 - Basics and ptrace

Basics Its been a while since my last update. Been quite busy but also because I didn’t have anything to add. But lately I’ve have a urge to write a series on how to debug on Linux (Works on other platforms as well). Mostly because it seems that the younger generation (And even older) no longer debugs their problems but just seek the nearest forum so see if anyone else had the same issue.

DNS amplification by example

How it works DNS amplification is very easy to make and quite effective. An attacker finds a DNS resolver that is public, creates a spoofed UDP DNS request originating from the targets address sending the DNS response to the target. The trick in this attack is to create a bigger output then input (hence the amplification). What better way than to request a list of authority records for a top level like .

Scanning for recursive DNS servers

When working for an ISP it becomes pretty clear that you don’t want your customers or your network to participate in any attack. I wrote a small perl script to find DNS servers open for recursive requests I found 19 misconfigured DNS servers. Now the real work starts by contacting the owners.