Posts

Showing posts from March, 2019

Armouring reverse_tcp to evade antivirus detection

This was the presentation I held on 23rd March 2019 at the BSides Dublin 2019.

Signature verification bypass vulnerability in some Huawei routers

This blog will describe the discovery of the digital signature bypass on some Huawei routers. The idea of a digital signature check is simple: you have a piece of code and you calculate the checksum/hash of that file. The hash or checksum can be thought of as a "signature", a mathematical value that is effectively unique to the code (in our case the code was a firmware file). As soon as you change anything in the file and recalculate the hash, the result should differ significantly from the original value; that is a defining property of a hashing algorithm. Even a small change in the code will change the hash significantly. Vendors in most cases provide such a pre-calculated hash so that the customer or the system can check whether the hash of the image is indeed the same as the one the vendor published. What was found in this investigation was that the system command on the Huawei AR1220E router does not perform this check properly. As a consequence, the attacker might be abl...

Proxying non-http protocols via BURP

This article will shortly describe the mechanisms and tools that allow the interception of any UDP or TCP traffic via Burp proxy. The main driver behind this endeavour was the ability to inject and modify the packets for various protocols via intuitive Burp interface. Burp is a powerful proxy for web application pentests, but only speaks http and https. So , in order to redirect traffic which is not http/https via Burp we need to configure another intermediate component that will listen for a desired traffic , direct this traffic to Burp so we can tamper with it, and Burp will forward it further to the destination server. This intermediate component is mitm_relay.py, a python script available at  Github. https://github.com/jrmdev/mitm_relay Implementation The first step is to run mitm_relay.py.  -l =IP address on which the local server will listen. I set it to listen on all available interfaces (0.0.0.0) -p=where is Burp proxy running (127.0.0.1, port 8080) -...