24 Jun

WordPress Fancy Product Designer exploit

Today in my web server logs I noticed repeated scans for "fancy-product-designer" - a WordPress plugin which I most definitely don't have installed.

Few Google searches later, I found an article by Wordfence titled "Critical 0-day in Fancy Product Designer Under Active Attack". As usual, all the important details were missing from their article, so I decided to fill-in the gaps. smile

Read More

22 Apr

Kaswara exploit or how much Wordfence cares about user security

Yesterday, an alert describing vulnerability in Kaswara Modern VC Addons was published on WPScan.

The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Alert explicitly warns that the bug is actively being exploited. Alert also provided a very limited indicators of compromise - incomplete but at least something..

Later that day, "WordPress security vendor" Wordfence published their article Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately.

They repeated what was already said in the alert mentioned above and gave 2 extremely "useful" suggestions. First suggestion is in the post title - remove the plugin. Second suggestion is to pay for Wordfence services. Because Wordfence free version will start protecting users only in end of May 2021:

May 21, 2021 – Wordfence Free users receive the firewall rules.

Think about it for a moment..

Wordfence knows the issue is actively being exploited. They know exactly what the issue is. But they don't care about you or your security! All they care about is their profit. So, unless you pay a hefty sum for their "services", you're screwed.

I think it's wrong, so let's fix that! smile

Read More

29 Jan

Solving RTN CTF challenges

Earlier this month, my friend Washi invited me to take a part in a small CTF competition. It was a first time his team was making something like that, so I did not know what to expect. I must say that RTN CTF was a great success and I really really enjoyed it.

Challenges and official solutions have already been published on RTN Github and few people have already made great and detailed writeups:
https://github.com/CodeOfDark/CTF-Writeups/tree/master/RTN/2021
https://holly-hacker.github.io/ctf-writeups/2021-01_RTNCTF/Index.html
https://zsr2531.github.io/writeups/RTN_2021/

I have no intention of repeating what's already been said and done, so I'll just add a few personal notes about how I solved the most interesting challenges. smile

Read More

04 Sep 2020

Hacking resources for fun and no profit, part 1

In this article I'll show how I made VMWare Workstation 15 awesome again using a little-known Resource Hacker feature called "scripting".

But first, a bit of background..

Upgrade of VMWare

People who know me know that I prefer stable, tried-and-true solutions. Be it my primary operating system, the tools I'm using or things I eat for breakfast. Once I know that something is good, I don't want to change it.

So, for a long time I was using VMWare Workstation 10. It just worked. But as the new versions of Windows came out, they started requiring hypervisor to support some specific features. Otherwise it just won't work. For example, to be able to install Windows 10 1803, you will need VMWare 14.x. To install Windows 10 1903, you will need VMWare 15.x.

And so, after a long time of holding out, I decided to upgrade.
Read More

15 Aug 2020

Deobfuscating AutoIt scripts, part 2

Almost 4 years ago, I wrote a blogpost about deobfuscating a simple AutoIt obfuscator. Today I have a new target which is using a custom obfuscator. smile

Update: This obfuscator is called ObfuscatorSG and can be downloaded from Github. Thanks Bartosz Wójcik!

Author had a very specific request about the methods used to solve the crackme:

If I'm allowed to be picky, I'm primarily interested in scripted efforts to RegEx analyze strings/integers. Very little effort (as in none) went into hiding the correct string. The script was merely passed-through a self-made obfuscator.

In this article I'll show the things I tried, where and how I failed miserably and my final solution for this crackme. I really suggest that you download the crackme from tuts4you and try replicating each step along the way, that way it will be much easier to follow the article.

So, let's get started!
Read More

10 May 2020

Update of unpackers

I'm trying to get back into reversing. Slowly.

So, here's a long-promised update to Molebox unpacker. It fixes unpacking of very, VERY, VERY old Molebox versions. The only file I have ever seen packed with it, is SCWU role playing game.

Enigma Virtual Box unpacker

This was done long time ago but I never posted it publicly. Support for Enigma Virtual Box 9.30/9.40. Should support 9.50 but it's not tested.

13 Apr 2019

Unity3D protection in “AU2” dance games, part 2

Last December I wrote a blog post explaining how some of the AU2 dance games were protected. Apparently, the protection author read the blog post and updated his protection. smile This blog post will explain how the protection was changed and suggest several ways of dealing with the new features.

This analysis covers:

Read More