Life In Hex | Breaking the world, one application at a time

22 Apr 2021

Kaswara exploit or how much Wordfence cares about user security

Yesterday, an alert describing vulnerability in Kaswara Modern VC Addons was published on WPScan.

The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Alert explicitly warns that the bug is actively being exploited. Alert also provided a very limited indicators of compromise - incomplete but at least something..

Later that day, "WordPress security vendor" Wordfence published their article Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately.

They repeated what was already said in the alert mentioned above and gave 2 extremely "useful" suggestions. First suggestion is in the post title - remove the plugin. Second suggestion is to pay for Wordfence services. Because Wordfence free version will start protecting users only in end of May 2021:

May 21, 2021 – Wordfence Free users receive the firewall rules.

Think about it for a moment..

Wordfence knows the issue is actively being exploited. They know exactly what the issue is. But they don't care about you or your security! All they care about is their profit. So, unless you pay a hefty sum for their "services", you're screwed.

I think it's wrong, so let's fix that! smile

Solving RTN CTF challenges

Earlier this month, my friend Washi invited me to take a part in a small CTF competition. It was a first time his team was making something like that, so I did not know what to expect. I must say that RTN CTF was a great success and I really really enjoyed it.

Challenges and official solutions have already been published on RTN Github and few people have already made great and detailed writeups:
https://github.com/CodeOfDark/CTF-Writeups/tree/master/RTN/2021
https://holly-hacker.github.io/ctf-writeups/2021-01_RTNCTF/Index.html
https://zsr2531.github.io/writeups/RTN_2021/

I have no intention of repeating what's already been said and done, so I'll just add a few personal notes about how I solved the most interesting challenges. smile

Hacking resources for fun and no profit, part 1

In this article I'll show how I made VMWare Workstation 15 awesome again using a little-known Resource Hacker feature called "scripting".

But first, a bit of background..

Upgrade of VMWare

People who know me know that I prefer stable, tried-and-true solutions. Be it my primary operating system, the tools I'm using or things I eat for breakfast. Once I know that something is good, I don't want to change it.

So, for a long time I was using VMWare Workstation 10. It just worked. But as the new versions of Windows came out, they started requiring hypervisor to support some specific features. Otherwise it just won't work. For example, to be able to install Windows 10 1803, you will need VMWare 14.x. To install Windows 10 1903, you will need VMWare 15.x.

And so, after a long time of holding out, I decided to upgrade.
Read More →

15 Aug 2020

Deobfuscating AutoIt scripts, part 2

Almost 4 years ago, I wrote a blogpost about deobfuscating a simple AutoIt obfuscator. Today I have a new target which is using a ~~custom~~ obfuscator. smile

Update: This obfuscator is called ObfuscatorSG and can be downloaded from Github. Thanks Bartosz Wójcik!

Author had a very specific request about the methods used to solve the crackme:

If I'm allowed to be picky, I'm primarily interested in scripted efforts to RegEx analyze strings/integers. Very little effort (as in none) went into hiding the correct string. The script was merely passed-through a self-made obfuscator.

In this article I'll show the things I tried, where and how I failed miserably and my final solution for this crackme. I really suggest that you download the crackme from tuts4you and try replicating each step along the way, that way it will be much easier to follow the article.

So, let's get started!
Read More →

21 Jul 2020

July update for Molebox unpacker

Thanks to szx, unpacker can now extract huge (2GB+) embedded files. smile

Also, some of the unpacker messages were removed and/or changed. If you're using de-mole-ition with automated scripts, you might want to double-check those.

19 Jun 2020

Another update of Molebox unpacker

Thanks to Cristiano, I was finally able to add support for another old version of Molebox 2.x. While working on that, I found and fixed few other bugs in the unpacking, so really - thanks a lot! smile
Read More →

04 Jun 2020

Stealing WordPress credentials

Yesterday WordFence published a scary article titled "Large Scale Attack Campaign Targets Database Credentials". Article describes a recent mass-scanning attack of WordPress sites. The purpose of the attack was stealing WordPress configuration files - and therefore usernames/passwords of WordPress admins.

As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts.

Since WordFence is in the business of selling "the best WordPress security", they have little intention to explain how these attacks really work.

Instead, they blatantly advertise their product as a remedy for everything:

All Wordfence users, including sites running the free version of Wordfence, and Wordfence Premium, are protected against these attacks.

That's really not helpful, so let me fix that. smile
Read More →

10 May 2020

Update of unpackers

I'm trying to get back into reversing. Slowly.

So, here's a long-promised update to Molebox unpacker. It fixes unpacking of very, VERY, VERY old Molebox versions. The only file I have ever seen packed with it, is SCWU role playing game.

Enigma Virtual Box unpacker

This was done long time ago but I never posted it publicly. Support for Enigma Virtual Box 9.30/9.40. Should support 9.50 but it's not tested.

08 Apr 2020

About the long silence

Hello all!

It's been almost a year since my last post. I guess some explanation is in order. And it's actually very simple.

I got burned out.

I took on too much at once. My daily job. Personal life. This blog. Paid side projects. It was all fun until it wasn't. One night I finished my side project at 3AM, sent the finished code to the guy and went to sleep. Next day I just couldn't wake up and get to work. So, I said to myself, "It's alright, weekend is coming, I'll get some more sleep and everything will be fine again!"

It wasn't.

My brain still refused to work and I could barely function. I stopped answering my emails. Stopped managing the blog. Stopped pretty much everything. Whatever I did, it wasn't fun. And that's how I spent last year or so.

It's slowly getting better. Reversing stuff feels fun again. I might even write a proper blogpost or two in the near future. Who knows..

Now you know it. Take care and try not to end up like me!

Some articles that seemed useful to me:
https://piechowski.io/post/how-to-get-over-burnout/
https://www.mindtools.com/pages/article/recovering-from-burnout.htm
https://kierantie.com/a/burnout

19 Jun 2019

June update of unpackers

Molebox VS unpacker

This update fixes unpacking very large embedded files. Before the fix, unpacker would crash with "out of memory" exception when embedded file was larger than ~800MB. Thanks to MMM for reporting the bug.