One of the things we try to get across in our training is that pen-testing requires out-of-the-box thinking. It’s also about solving puzzles and making things work the way you want them to. It’s about identifying the small vulnerabilities (which are often easy to spot) and trying to leverage them into something useful. A key part of how we perform these penetration tests at SensePost is having fun.
I was playing with a few SQL server idiosyncrasies more than a year ago before becoming so completely distracted with the whole SAP protocol-decoding business. Having some time on my hands for once, I thought I would blog it.
Early last year, I found it possible for an unprivileged user to create jobs owned by other users on MS SQL Server (2000, 2005 and 2008), provided the user had the capability of creating or altering stored procedures in the [master].[dbo] schema. The reason for this comes as a result of cross-database permissions being chained, by default, across the system databases [master], [msdb] and [tempdb]. According to Microsoft, this is by design.
[2011/9/6 Edited to add Slideshare embed]
I am currently in London at the first ever 44con conference. It’s been a fantastic experience so far – excellent talks & friendly people.
Yesterday, I presented a paper titled “Systems Applications Proxy Pwnage”. The talk précis sums it up nicely:
It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.
Well, we’re ramping up with the new Hacking By Numbers W^3 edition course we will be presenting at BlackHat Vegas this year. This course is a replacement for the Web2.0 course we successfully presented over the past three years and sports a whole bunch of new and improved practicals. We’ve also upped the technology being used and the presentation is chock-full of ASCII sheep… :)
The new course is an intermediate web application hacking course, and will deal with the following topics:
I’m pleased to announce the release of J-Baah – the port of CrowBar (our generic HTTP Fuzzing tool) to Java.
If you’ve used CrowBar before, using J-Baah should be a breeze. If you haven’t, it actually has a help section. :P
You can grab a copy of J-Baah from here.
Just arbitrary coolness regarding Microsoft’s Threat Modeller. It’s XSS-ible…
Since this all works in file:///, I’m not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (i.e. file://, http://, etc.), one might be able to instantiate previously unusable OCXes, or even redirect to a site for exploiting browser vulnerabilities.
It never happened unless there are pictures, so refer to those below…
I was recently playing with a WinGate proxy server and came across some arbitrary interestingness.
So, WinGate proxy includes a remote management agent which is accessed via a client utility called GateKeeper. This allows one to configure the WinGate server across the network. However, it’s not enabled to listen on the network by default, and only listens on 127.0.0.1:808. From my perusal of the documentation, the remote administrative facility should only be available to enterprise and professional license holders, and those firms using standard edition licenses will have to configure their proxy software locally.
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions of the server, and didn’t play nicely with others.
I am happy to say that these have all been resolved now. The single reDuhClient now works with the JSP, ASPX and PHP versions of reDuh. It’s been tested on a number of different platforms.
Additionally, the new reDuh client supports some enhancements. These are:
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it did not set the ScriptTimeout value. This resulted in reDuh terminating active connections once the page timeout had expired.
This has been fixed in the ASPX version. A copy can be grabbed from here. More information regarding reDuh can be found here.
We’ve received a number of queries from folks unable to get the ASPX version of reDuh to work.
In truth, the client had a faulty HTTP implementation, meaning that HTTP requests were malformed. Apache and Tomcat cope admirably with the malformed requests; IIS does not.
So, we’ve built a new client version for reDuh which will play nicely with IIS. Apart from the bugfix, the new version also supports SSL. A direct link to the updated client is here. More information regarding reDuh is here.