Sunday, March 23, 2014

Quick fix on ROPeme's ImportError: No module named distorm

Sup' all,

I'm currently working on my ROP skills and trying out ROPeme[1]. So what ROPeme does is that it helps exploit developers / researchers to generate ROP gadgets easily. For those who want to find out more about ROP, or return-oriented programming, try this tutorial:  It's a step-by-step guide to performing your first ROP on Linux.

Anyway, I went to the site and git cloned the ropeme folder onto my '/opt/' directory. When I tried to run './', I get the following error message:
  File "", line 24, in <module>
    import gadgets
  File "/opt/ropeme/ropeme/", line 21, in <module>
    import distorm
ImportError: No module named distorm

I tried googling but it was a futile exercise. Then I did an apt-cache search distorm and found 'distorm3' in the distro. And of course, I went ahead to 'apt-get install distorm3' and found out that I actually had that in already. Drats! Now what?!

So, based on a hunch while thinking it was a long shot, I went ahead and opened up and changed every occurrence of 'distorm' to 'distorm3'. Unexpectedly, it worked!

Solution to make ROPeme work with distorm3 (I'm using Kali Backtrack[2])
1. Open up ''
2. Do a 'replace' for every 'distorm' to 'distorm3'*
3. Save and exit
4. Issue the following command: # python
5. Celebrate a little and move on to actually do ROP.
*Needless to say, you'll need to have 'distorm3' installed on your Linux.
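
The replace in step 2, sketched as an added example that is not part of the original post or of ROPeme: a word-boundary match keeps the edit safe to re-run, since a plain replace of 'distorm' would turn an already patched 'distorm3' into 'distorm33'. The sample source and the function names are constructed for illustration.

```python
import importlib.util
import re

# Matches the bare module name only. 'distorm3' is left alone because the
# trailing '3' is a word character, so \b cannot match right after 'distorm'.
_OLD_NAME = re.compile(r"\bdistorm\b")


def patch_source(text):
    """Return (patched_text, replacements) with 'distorm' renamed to 'distorm3'."""
    return _OLD_NAME.subn("distorm3", text)


def distorm3_available():
    """True if a 'distorm3' module can be located, without importing it."""
    return importlib.util.find_spec("distorm3") is not None


# Constructed sample standing in for a source file that imports distorm
# (hypothetical content, not copied from ROPeme).
SAMPLE = (
    "import distorm\n"
    "\n"
    "def disasm(offset, code):\n"
    "    return distorm.Decode(offset, code, distorm.Decode32Bits)\n"
)

if __name__ == "__main__":
    patched, count = patch_source(SAMPLE)
    print(patched)
    print("replacements:", count)
    # A second pass over already patched text changes nothing.
    print("second pass:", patch_source(patched)[1])
    print("distorm3 installed:", distorm3_available())
```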

Happy kittehz, happy ROPping ;)

- JS

[1] ROPeme -
[2] Kali Backtrack -

Monday, March 10, 2014

Apologies to readers

Sup all,

If somehow you've subscribed to my RSS feed and get bombarded by several "code injection" posts, I want to sincerely apologize to you. :(

But good news, I've found and confirmed a security vulnerability that allows JavaScript execution on an Android mobile app. I've sent an email to the developer and ethical disclosure is in progress.

To make up for all the mucks, I promise to upload some screenshots after the issue's been fixed. =D

Till then folks~

UPDATED: The vulnerability was confirmed and reported. For more details, see


Potential JavaScript Code Injection to App

Below is JavaScript code as a proof-of-concept of JavaScript code injection:
1. A JavaScript button could be injected.
2. The button sets location.href to a target site. In this case it is a fake POC site, to prove that the injection could be used for phishing or to extend further payload execution to a malicious site.
Click the button below - it could redirect a user to a potentially malicious site ;)

<button onclick="location.href=''" id="1" value="1"/>BreakToProtect's Button