Linux USBIP overflow (CVE-2016-3955)

Recently I was forwarded a link to a patch within the Linux kernel which mitigates an overflow vulnerability within the USBIP functionality. For those that have never encountered USBIP, this is a protocol offered to allow remote clients to access USB devices plugged into a host machine. Reviewing the patch, the issue was immediately visible as being a heap overflow vulnerability, exploitable due to a user-controlled size value being trusted without validation. So first let's look at the patch... Read More »

GitHub Desktop - RCE

Recently GitHub disclosed a vulnerability which I reported within the GitHub for Windows client. This report can be found here. The aim of this post is to give a quick rundown of how the issue was discovered, and to introduce this type of vulnerability for those that may not have seen it before. The GitHub for Windows client provides users with an easy way to manage their GitHub repos, from pushing to GitHub for the first time, to creating pull... Read More »

Bettercap - Capturing NTLM Hashes

As many of you who follow me on Twitter will know, I'm a big fan of the Bettercap project. Created by @EvilSocket, this tool is a reimagining of the historic Ettercap project, bringing it up to date; it's an invaluable tool for the penetration testing arsenal. One of the many modules offered by the project is the HTTP Proxy module, which allows a man-in-the-middle to transparently proxy and modify HTTP traffic being returned to a user. While the possibilities ar... Read More »

Xbox One Controller Hacking

So today I had a bit of free time, and decided to experiment with the LibUSB framework on a Raspberry Pi I had lying around. After a bit of reading, and reviewing the excellent documentation provided by the Xbox hacking community, I managed to get a simple C program running which demoed interrupt transfers for both activating the controller rumble feature, and receiving button presses. For those interested, the code for the demo application can be found here... Read More »

SQL Server Authentication With Metasploit and MITM

While exploring the depths of Metasploit capture modules, I came across auxiliary/server/capture/mssql, which can be found here. The module can be used to capture Microsoft SQL Server logon credentials if a user or client authenticates with the module. What caught my attention is just how effective this module can be in retrieving plain text credentials. First, a bit of background on SQL Server authentication. Usually authenticat... Read More »