
Sunday, March 23, 2014

Quick fix on ROPeme's ImportError: No module named distorm

Sup' all,

I'm currently working on my ROP skills and trying out ROPeme[1]. ROPeme helps exploit developers and researchers find usable ROP gadgets in a binary without doing it by hand. For those who want to find out more about ROP (return-oriented programming), try this tutorial: http://www.exploit-db.com/wp-content/themes/exploit/docs/28479.pdf  It's a step-by-step guide to performing your first ROP exploit on Linux.

Anyway, I went to the site and git cloned the ropeme repository into my '/opt/' directory. When I tried to run './ropshell.py', I got the following error message:
File "ropshell.py", line 24, in <module>
import gadgets
File "/opt/ropeme/ropeme/gadgets.py", line 21, in <module>
import distorm
ImportError: No module named distorm
I tried googling but it was a futile exercise. Then I did an 'apt-cache search distorm' and found 'distorm3' in the distro. Of course, I went ahead with 'apt-get install distorm3', only to find out that it was already installed. Drats! Now what?!

So, acting on a hunch that I thought was a long shot, I opened up gadgets.py and changed every occurrence of 'distorm' to 'distorm3'. Unexpectedly, it worked! In hindsight it makes sense: version 3 of diStorm installs its Python module under the name 'distorm3' but kept the Decode API that ROPeme calls, so only the module name in the import (and the calls that use it) had to change.

Solution to make ROPeme work with distorm3 (I'm using Kali Linux[2], the successor to BackTrack)
1. Open up 'gadgets.py'
2. Replace every occurrence of 'distorm' with 'distorm3'* (match the whole word, so an existing 'distorm3' doesn't become 'distorm33')
3. Save and exit
4. Issue the following command: # python ropshell.py
5. Celebrate a little and move on to actually doing ROP.
*Needless to say, you'll need 'distorm3' installed for the same Python interpreter that runs ropshell.py; a quick check is: python -c "import distorm3"
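The five steps above as one script. This is an added example, not part of ROPeme or the original post: it does the rename with a whole-word match (so a file that already says 'distorm3' is left alone), keeps a .orig backup, and first checks that 'distorm3' is importable by the interpreter running it, which is the same check that matters for ropshell.py. The default path is the one from the traceback above; the function names and the backup suffix are my own choices.

```python
"""Added example, not part of ROPeme or the original post: perform the distorm ->
distorm3 rename from the steps above and check the result. The path below is the one
from the traceback in the post; everything else is an illustrative assumption."""
import re
import shutil
import sys

# Match 'distorm' only as a whole identifier. A blind search-and-replace would also turn
# an existing 'distorm3' into 'distorm33', so this keeps the rewrite safe to run twice.
_DISTORM = re.compile(r"\bdistorm\b")


def patch_source(text):
    """Return *text* with every whole-word 'distorm' renamed to 'distorm3'."""
    return _DISTORM.sub("distorm3", text)


def patch_file(path):
    """Rewrite *path* in place, keeping a .orig backup; return the replacement count."""
    with open(path) as fh:
        original = fh.read()
    patched, count = _DISTORM.subn("distorm3", original)
    if count:
        shutil.copyfile(path, path + ".orig")
        with open(path, "w") as fh:
            fh.write(patched)
    return count


def distorm3_available():
    """True if 'import distorm3' works for the interpreter running this script.

    Run it with the same python that will run ropshell.py: having the module installed
    for one interpreter (e.g. from apt) does not make it visible to another."""
    try:
        import distorm3  # noqa: F401
    except ImportError:
        return False
    return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/ropeme/ropeme/gadgets.py"
    if not distorm3_available():
        sys.exit("distorm3 is not importable by %s; install it first" % sys.executable)
    print("%d occurrence(s) rewritten in %s" % (patch_file(target), target))
```

Run it as `python fix_distorm.py /opt/ropeme/ropeme/gadgets.py` with the same `python` you use for ropshell.py; if the import check fails, the rename would not have helped anyway.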

Happy kittehz, happy ROPping ;)

- JS

References:
[1] ROPeme - http://www.vnsecurity.net/2010/08/ropeme-rop-exploit-made-easy/
[2] Kali Linux - http://www.kali.org/




Monday, March 10, 2014

Apologies to readers

Sup all,

If somehow you've subscribed to my RSS feed and got bombarded by several "code injection" posts, I sincerely apologize. :(

But the good news: I've found and confirmed a security vulnerability that allows JavaScript execution in an Android mobile app. I've emailed the developer and ethical disclosure is in progress.

To make up for all the muck, I promise to upload some screenshots after the issue has been fixed. =D

Till then folks~

UPDATED: The vulnerability was confirmed and reported. For more details, see http://breaktoprotect.blogspot.sg/2014/04/feedly-android-application-zero-day.html

J.S.

Potential JavaScript Code Injection to App

Below is JavaScript code as a proof-of-concept JavaScript code injection:
1. A JavaScript button could be injected.
2. The button performs a location.href redirect to a target site. In this case, a fake PoC site, to prove that the injection could be used for phishing or to pull further payloads from a malicious site.
Click the button below; it could redirect a user to a potentially malicious site ;)
-BreakToProtect

</script>
<button onclick="location.href='http://www.potentially-malicious.site'" id="1" value="1">BreakToProtect's Button</button>
<butt
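The payload above is the offensive half of the story. As an added defensive counterpart (not code from the original post or from the affected app), here is an allow-list sanitizer that neutralizes exactly that payload: untrusted feed HTML is rebuilt from a short list of permitted tags and attributes, so the button, its onclick handler and the stray closing script tag never reach a WebView. It is in Python so it runs anywhere feed HTML is prepared before display; the allow-list itself is an assumption about what a feed reader needs, and the tokenizer is deliberately small, so production code should use a maintained sanitizer rather than this one.

```python
"""Added example, not code from the original post or from the affected app: neutralize the
post's proof-of-concept payload before feed HTML reaches a WebView, using an allow-list of
tags and attributes. The allow-list is an assumption about what a feed reader needs."""
import re

# Tags that may survive, with the attributes each may keep. Everything else, notably
# <script>, <button>, <iframe> and every on* handler, is dropped rather than escaped.
ALLOWED = {
    "a": ("href",), "b": (), "i": (), "em": (), "strong": (), "p": (), "br": (),
    "ul": (), "ol": (), "li": (), "img": ("src", "alt"),
}
URL_ATTRS = {"href", "src"}
VOID = {"br", "img"}

_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")
_ATTR = re.compile(r"""([A-Za-z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")


def escape_text(s):
    # Only stray angle brackets are neutralized, so existing entities like &amp; survive.
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(s):
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))


def safe_url(value):
    """Return the URL if its scheme is http(s), else None.

    Whitespace and control characters are removed before the check, so 'java\\nscript:'
    style obfuscation does not slip through; relative and protocol-relative URLs are
    rejected too, which is acceptable for syndicated content."""
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    return value.strip() if re.match(r"https?://", compact) else None


def sanitize_attrs(tag, raw):
    keep = ALLOWED[tag]
    out = []
    for m in _ATTR.finditer(raw):
        name = m.group(1).lower()
        if name not in keep:
            continue              # onclick, onerror, style, id, ... all end here
        value = next((g for g in m.groups()[1:] if g is not None), "")
        if name in URL_ATTRS:
            value = safe_url(value)
            if value is None:
                continue          # href="javascript:..." is dropped, the <a> itself stays
        out.append(' %s="%s"' % (name, escape_attr(value)))
    return "".join(out)


def sanitize_html(html):
    out = []
    last = 0
    for m in _TAG.finditer(html):
        out.append(escape_text(html[last:m.start()]))
        last = m.end()
        closing, tag, raw = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if tag not in ALLOWED:
            continue              # the tag vanishes; any text it wrapped is kept as text
        if closing:
            if tag not in VOID:
                out.append("</%s>" % tag)
        else:
            out.append("<%s%s>" % (tag, sanitize_attrs(tag, raw)))
    out.append(escape_text(html[last:]))
    return "".join(out)


# The proof-of-concept payload from the post, reconstructed here as the sample input.
POC = ('</script>\n<button onclick="location.href=\'http://www.potentially-malicious.site\'"'
       ' id="1" value="1">BreakToProtect\'s Button</button>')

if __name__ == "__main__":
    print(repr(sanitize_html(POC)))
    print(sanitize_html('<p>Read <a href="https://example.com" onclick="alert(1)">this</a> '
                        'or <a href="javascript:alert(1)">that</a></p>'))
```

Run against the PoC, only the label text survives; the button, its handler and the `</script>` breakout are gone. Links keep their `href` only when the scheme is http(s), so a `javascript:` URL degrades to a plain `<a>` instead of a script gadget.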